Domains used by the sample : rkskumzb.com (46.0.141.233), gesofgamd.com (46.173.218.203)
Path from webserver : /ykbi9t1w8/index.php
Sample : hxxps://formwest.co/nst.exe
Hosting infos : https://whois.domaintools.com/46.0.141.233
majcc2.punkdns.vip (Imminent Monitor, hosted in Russian Federation, Moscow, Anmaxx Internett-tjenester)
Domain : majcc2.punkdns.vip
Host and port : 185.145.44.11:1414
Sample : hxxp://ssd4.pdns.cz/1500/s500.exe
Hosting infos : https://whois.domaintools.com/185.145.44.11
Gen:Variant.Symm (hosted in China, ASN 9808, Guangdong Mobile Communication Co.Ltd.)
Domain : qq120668082.f3322.net
Host and port : 120.210.207.142:5551
Sample : hxxp://117.41.185.216:9999/mimi.exe
Hosting infos : https://whois.domaintools.com/120.210.207.142
farawayer.ru (Pony, hosted in Russian Federation, Lenina, Dom Dlya Saita Llc)
Sample : hxxp://farawayer.ru/chibum/fire/blessing/micro.exe
Panel (gate) : http://farawayer.ru/chibum/fire/blessing/gate.php
All the rest : http://farawayer.ru/chibum/fire/blessing/
Hosting infos : http://whois.domaintools.com/91.227.68.183
Ransom_HPCERBER.SMONT4 (hosted in France, ASN 16276, OVH SAS)
Contacts servers via UDP, port 6893, sweeping 178.33.158.0 through 178.33.158.19 : 178.33.158.0:6893, 178.33.158.1:6893, 178.33.158.2:6893, 178.33.158.3:6893, 178.33.158.4:6893, 178.33.158.5:6893, 178.33.158.6:6893, 178.33.158.7:6893, 178.33.158.8:6893, 178.33.158.9:6893, 178.33.158.10:6893, 178.33.158.11:6893, 178.33.158.12:6893, 178.33.158.13:6893, 178.33.158.14:6893, 178.33.158.15:6893, 178.33.158.16:6893, 178.33.158.17:6893, 178.33.158.18:6893, 178.33.158.19:6893
Executes command (self-delete routine: kills its own process, uses a single ping to 127.0.0.1 as a short delay, then deletes the dropped binary) : taskkill /f /im "c1.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:c1.exe" > NUL && exit
Sample : hxxp://119.205.220.184/c.exe
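Added example, not part of the original post: a small matcher that takes the indicators listed on this page (the domains, the host:port pairs, and the Cerber UDP/6893 address sweep) and runs them over flow and DNS log lines. The indicator values are copied from the page; the log format and the log lines themselves are constructed for illustration, and the protocol for the Imminent Monitor and Gen:Variant.Symm endpoints is not stated on the page, so those are matched on any protocol. The sweep check flags a source only after it has contacted several of the listed Cerber addresses, since a single UDP datagram to one of them is weaker evidence than the consecutive-address pattern shown above.

```python
"""Match this page's C2 indicators against flow and DNS logs (added example)."""
import ipaddress
from collections import defaultdict

# Domains listed on the page -> family as the page names it.
C2_DOMAINS = {
    "rkskumzb.com": "first entry (unnamed)",
    "gesofgamd.com": "first entry (unnamed)",
    "majcc2.punkdns.vip": "Imminent Monitor",
    "qq120668082.f3322.net": "Gen:Variant.Symm",
    "farawayer.ru": "Pony",
}
# (dst_ip, dst_port, proto) -> family; proto None means the page gives no protocol.
C2_ENDPOINTS = {
    ("185.145.44.11", 1414, None): "Imminent Monitor",
    ("120.210.207.142", 5551, None): "Gen:Variant.Symm",
}
# Cerber: the page lists 178.33.158.0 .. 178.33.158.19, all UDP/6893 (no wider range assumed).
CERBER_HOSTS = {f"178.33.158.{n}" for n in range(20)}
for _ip in CERBER_HOSTS:
    C2_ENDPOINTS[(_ip, 6893, "udp")] = "Ransom_HPCERBER.SMONT4"


def match_domain(query):
    """Family for a query name that is, or is a subdomain of, a listed domain."""
    q = query.lower().rstrip(".")
    for domain, family in C2_DOMAINS.items():
        if q == domain or q.endswith("." + domain):
            return family
    return None


def match_endpoint(dst_ip, dst_port, proto):
    """Family for a destination ip/port/proto, or None."""
    for (ip, port, p), family in C2_ENDPOINTS.items():
        if ip == dst_ip and port == dst_port and (p is None or p == proto):
            return family
    return None


def parse_flows(text):
    """Parse constructed 'timestamp proto src dst_ip:dst_port' lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, dst = line.split()
            dst_ip, dst_port = dst.rsplit(":", 1)
            ipaddress.ip_address(dst_ip)  # raise early on a malformed address
            flows.append((ts, proto.lower(), src, dst_ip, int(dst_port)))
    return flows


def scan_flows(text):
    """[(timestamp, src, 'ip:port', family)] for flows to a listed endpoint."""
    hits = []
    for ts, proto, src, dst_ip, dst_port in parse_flows(text):
        family = match_endpoint(dst_ip, dst_port, proto)
        if family:
            hits.append((ts, src, f"{dst_ip}:{dst_port}", family))
    return hits


def scan_dns(text):
    """[(timestamp, client, query, family)] for 'timestamp client query' lines."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            ts, client, query = line.split()
            family = match_domain(query)
            if family:
                hits.append((ts, client, query, family))
    return hits


def cerber_sweep_sources(text, min_hosts=3):
    """Sources that sent UDP/6893 to at least min_hosts distinct listed Cerber addresses."""
    seen = defaultdict(set)
    for _ts, proto, src, dst_ip, dst_port in parse_flows(text):
        if proto == "udp" and dst_port == 6893 and dst_ip in CERBER_HOSTS:
            seen[src].add(dst_ip)
    return sorted(src for src, hosts in seen.items() if len(hosts) >= min_hosts)


# Constructed sample logs, not real traffic.
FLOW_LOG = """\
2017-03-31T10:01:02Z udp 10.0.0.5 178.33.158.0:6893
2017-03-31T10:01:02Z udp 10.0.0.5 178.33.158.1:6893
2017-03-31T10:01:03Z udp 10.0.0.5 178.33.158.2:6893
2017-03-31T10:02:10Z tcp 10.0.0.6 185.145.44.11:1414
2017-03-31T10:03:00Z tcp 10.0.0.9 93.184.216.34:443
2017-03-31T10:04:00Z tcp 10.0.0.9 178.33.158.7:6893
"""
DNS_LOG = """\
2017-03-31T10:00:55Z 10.0.0.6 majcc2.punkdns.vip
2017-03-31T10:00:59Z 10.0.0.7 www.example.com
2017-03-31T10:01:30Z 10.0.0.8 mail.farawayer.ru
"""

if __name__ == "__main__":
    for hit in scan_flows(FLOW_LOG) + scan_dns(DNS_LOG):
        print(*hit)
    print("Cerber sweep from:", cerber_sweep_sources(FLOW_LOG))
```

Note the last flow line: TCP to 178.33.158.7:6893 is not reported, because the page describes the Cerber contact as UDP; drop the protocol condition only if your flow source does not record it. Likewise, qq120668082.f3322.net is a dynamic-DNS name, so the matcher deliberately does not match the parent f3322.net.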