Domain : webgameplayer.tibaco.net 79.125.21.198
TCP Connections : hxxp://webgameplayer.tibaco.net/103/jeu/vggpg.js
Sample : hxxp://webgameplayer.tibaco.net/103/jeu/pony_creator.exe
Hosting Infos : http://whois.domaintools.com/79.125.21.198
paydbills.ru (Pony Hosted In Macao Macau Alan Hqservers Web Studio)
Resolved : [ paydbills.ru ] To [ 163.53.247.144 ]
Behaviours :
1 Attempts to brute force passwords
2 Contains FTP stealing routine
3 Deletes itself
4 Manipulates Internet Explorer settings
5 Runs existing executable
6 Searches for digital certificates
7 Steals data
8 Steals local browser data
9 Suspicious delay
URLs : hxxp://paydbills.ru/RF/test/gate.php hxxp://www.facebook.com/
Sample here ...
idan.work (BetaBot Hosted In United States Wilmington Hostus)
Thanks to Xylitol for confirming this is Betabot.
Domain : idan.work 162.245.216.60
Behaviours :
1 Contains Windows Firewall manipulation routine
2 Creates autorun registry key
3 Creates hook to unknown module
4 Deletes itself
5 Injects code into other processes
6 Makes DNS lookup of recently registered domain
7 Manipulates Internet Explorer settings
8 Runs ...
icanhazip.com (Malware Using Tor Hosted In United States Matawan Choopa Llc)
Domain : icanhazip.com 45.32.200.23
Resolved : [ icanhazip.com ] To [ 45.32.200.23 ]
Resolved : [ icanhazip.com ] To [ 104.238.162.182 ]
Other IPs used : 104.238.162.182 76.73.17.194 193.23.244.244 86.59.21.38 46.101.151.222
Opened Listening Ports : 9050 tcp 1028 tcp
Executable is spoofed to .mp4.
Note: icanhazip.com is a public "what is my IP" service that the sample queries for its external address, not attacker infrastructure, so block the sample's other contacts rather than this domain. 9050/tcp is Tor's default SOCKS port, and 193.23.244.244 (dannenberg) and 86.59.21.38 (tor26) are Tor directory authorities, which is consistent with a Tor client bootstrapping.
Get it here : hxxp://www.datafilehost.com/d/5d690b34
Hosting Infos : http://whois.domaintools.com/45.32.200.23
seevu.net (Waldek Trojan Hosted In Netherlands Dronten Disk Group Ltd.)
Behaviours :
1 Attempts connections to suspicious countries
2 Automatically unpacks its own code
3 Creates hook to unknown module
4 Injects code into other processes
5 Makes DNS lookup of recently registered domain
6 Runs existing executable
DNS Lookups :
seevu.net 185.36.102.105
siloovoox.net 188.165.28.225
Sample here : hxxp://www.datafilehost.com/d/384b8efc
Hosting Infos : http://whois.domaintools.com/185.36.102.105
cojun15cart.com (HTTP Malware Hosted In United States Ashburn Amazon.com Inc.)
cojun15cart.com 23.22.255.164
Description :
Contains anti-debugging code
It makes use of some deprecated flags in the Characteristics field of FileHeader
PE section has SizeOfRawData set to zero
Behaviours :
Automatically unpacks its own code
Deletes itself
Deletes itself after reboot
Drops .EXE file
Manipulates Internet Explorer settings
Runs existing executable
Suspicious delay
TCP Connections : Type ...
linux.xinhuamei.net (Malware Hosted in China Shenyang Chinanet Liaoning Province Network)
linux.xinhuamei.net DNS_TYPE_A 123.184.41.30
Malware installs itself as a service, injects into iexplore.exe and deletes its own dropper (the path matches the sample name a.exe):
"C:\WINDOWS\system32\cmd.exe" /c del C:\a.exe > nul
Sample here : hxxp://www.xup.in/dl,17109295/a.7z/
Hosting Infos : http://whois.domaintools.com/123.184.41.30
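The self-delete above is the usual pattern of a dropper spawning cmd.exe to delete its own image. The Python below is an added example, not code from the original post: it runs over constructed process-creation events (the field names pid, ppid, parent_image, image and cmdline are an assumption of this example, not a particular EDR's schema) and flags a `cmd /c del` whose target is the parent process's own executable. The only artefact taken from the post is the cmd.exe command line.

```python
import re

# Constructed process-creation events (hypothetical schema; only event 1388's
# command line is the one quoted in the post). Not data from the original page.
SAMPLE_EVENTS = [
    {"pid": 1204, "ppid": 880, "parent_image": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\a.exe", "cmdline": r"C:\a.exe"},
    {"pid": 1388, "ppid": 1204, "parent_image": r"C:\a.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c del C:\a.exe > nul'},
    # Benign: a build script deleting a log file, parent is explorer.exe.
    {"pid": 1500, "ppid": 880, "parent_image": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /c del C:\temp\build.log > nul'},
    # Same technique with a quoted path containing spaces and a /q switch.
    {"pid": 1610, "ppid": 1602, "parent_image": r"C:\Users\u\My Files\drop.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\u\My Files\drop.exe"'},
]

# cmd[.exe] /c|/k del|erase [switches] <target>; target may be quoted (spaces) or bare.
DEL_RE = re.compile(
    r'(?i)\bcmd(?:\.exe)?"?\s+/[ck]\s+(?:del|erase)\s+(?:/[a-z]\s+)*'
    r'(?P<target>"[^"]+"|[^"\s>]+)'
)


def deleted_path(cmdline):
    """Return the normalised path a cmd.exe 'del' command removes, or None."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    return m.group("target").strip('"').lower().rstrip("\\")


def self_delete_events(events):
    """Flag cmd.exe deletions whose target is the parent process's own image.

    Plain 'cmd /c del' is common in scripts; the discriminator is that the
    file being deleted is the executable that spawned cmd.exe.
    """
    hits = []
    for ev in events:
        target = deleted_path(ev["cmdline"])
        if target is None:
            continue
        if target == ev["parent_image"].lower().rstrip("\\"):
            hits.append((ev["pid"], ev["parent_image"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for pid, parent, cmdline in self_delete_events(SAMPLE_EVENTS):
        print(f"self-delete by {parent} (cmd.exe pid {pid}): {cmdline}")
```

The check keys on the parent image rather than on the literal string from the post, so it also catches the same technique under a different dropper path or with `/q`-style switches. It will not see a variant that delays the deletion with a ping or a loop inside a batch file; that needs the batch file contents, not just the command line.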
www.casinohackers.com (Password Stealer Hosted In United States Austin Pdr Ltd.)
This one is bound to the browser anti-detect tool "FFTools" (Firefox based), cracked by NoNh.
Domain IP : www.casinohackers.com 162.251.80.13
HTTP Requests : hxxp://www.casinohackers.com/soft50_news/index.php?p1=uuuuuuuuuuuuuuuuuuu&p2=uuuuuuuuuuuu&p3=uuu%20uuuuuuuuuuuuuuuuuuuu_ver=52150_s=1787626508
Sample here : hxxp://www.xup.in/dl,54125486/Antidetect5_cracked_NoNh@TrojanForge.co.7z/
Hosting Infos : http://whois.domaintools.com/162.251.80.13
bot.hd0point.cf (HTTP Botnet Hosted In United States Ashburn Amazon Technologies Inc)
DNS Queries : bot.hd0point.cf
Resolved : [ bot.hd0point.cf ] To [ 52.71.250.248 ]
HTTP Queries : bot.hd0point.cf:80 POST /gate.php HTTP/1.1
Sample : hxxp://hd0point.cf/vIr/botnet/install.exe
Hosting Infos : http://whois.domaintools.com/52.71.250.248
imaginecomputing.info (Pony Hosted in United States Scottsdale Godaddy.com Llc)
Domain : imaginecomputing.info 107.180.50.180
Sample : hxxp://imaginecomputing.info/pony/run.exe
Other : hxxp://imaginecomputing.info/pony/gate.php
Hosting Infos : http://whois.domaintools.com/107.180.50.180
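The entries above all use the same conventions: malicious URLs are defanged as hxxp://, resolutions appear as "Resolved : [ host ] To [ ip ]", and only the whois pages are left as live http:// links. The Python below is an added example, not code from the original posts, that parses text in that format into refanged URLs, hostnames and IPs. The allowlist is an assumption of this example: it keeps the author's file-sharing mirrors and legitimate sites a sample contacts (the Pony entry lists www.facebook.com) out of the block list and reports them separately. The sample text is a constructed excerpt of lines from this page.

```python
import re
from urllib.parse import urlsplit

# Page convention: IOCs are defanged as hxxp:// or hxxps://; live http:// links are
# whois pages, so only defanged URLs are taken as indicators.
DEFANGED_URL_RE = re.compile(r'\bhxxps?://[^\s"\']+', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b')
RESOLVED_RE = re.compile(r'Resolved\s*:\s*\[\s*([^\]\s]+)\s*\]\s*To\s*\[\s*([^\]\s]+)\s*\]')

# Assumption of this example: hosts that must not become block rules. The file-sharing
# hosts are where the author mirrors samples; www.facebook.com is a legitimate site that
# appears in the Pony entry's contact list.
ALLOWLIST = {"www.facebook.com", "www.datafilehost.com", "www.xup.in"}

# Constructed input: an excerpt of lines from this page.
SAMPLE_POST = """Resolved : [ paydbills.ru ] To [ 163.53.247.144 ]
URLs : hxxp://paydbills.ru/RF/test/gate.php hxxp://www.facebook.com/
Hosting Infos : http://whois.domaintools.com/163.53.247.144
Sample : hxxp://imaginecomputing.info/pony/run.exe Other : hxxp://imaginecomputing.info/pony/gate.php
Sample here : hxxp://www.datafilehost.com/d/384b8efc
"""


def refang(url):
    """Turn hxxp:// or hxxps:// back into a real scheme."""
    return re.sub(r'^hxx', 'htt', url, flags=re.IGNORECASE)


def extract_iocs(text, allowlist=ALLOWLIST):
    """Return sorted URLs, hostnames, IPv4 addresses and allowlisted (skipped) URLs."""
    urls, hosts, ips, skipped = set(), set(), set(), set()
    for m in DEFANGED_URL_RE.finditer(text):
        url = refang(m.group(0).rstrip('.,;)'))  # drop punctuation glued on by prose
        host = (urlsplit(url).hostname or "").lower()
        if host in allowlist:
            skipped.add(url)
            continue
        urls.add(url)
        if IPV4_RE.fullmatch(host):
            ips.add(host)  # URL addressed by IP rather than name
        else:
            hosts.add(host)
    for host, addr in RESOLVED_RE.findall(text):
        hosts.add(host.lower())
        ips.add(addr)
    # Bare IPs in the text; on this page the whois link repeats the host's IP.
    ips.update(IPV4_RE.findall(text))
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "ips": sorted(ips), "skipped": sorted(skipped)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, values)
```

The "skipped" bucket is deliberate: the sample-download links are what you fetch for analysis, and a connectivity check against a popular site is not C2, so neither belongs in a firewall rule alongside the gate.php URLs.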