For more infos about this have a look here. Gate : hxxp://35.240.36.208/gate/ HTTP requests : hxxp://35.240.36.208/gate/sqlite3.dll 35.240.36.208/gate/log.php Sample : hxxp://strreverse.duckdns.org/host.exe Hosting Infos : hxxps://whois.domaintools.com/35.240.36.208| Inside Your Botnet
Dangerous worm spreading through mails probably our old friend snk. Defense EvasionObscures a file’s origin : Tries to delete zone identifier of file “C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pe.exe”. Tries to delete zone identifier of file “C:\Windows\230531292821781\svchost.exe”. Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\1762129910.exe”. Tries to delete zone identifier of file “C:\Users\5P5NRG~1\AppData\Local\Temp\2759815991.exe”. Tries to ...| Inside Your Botnet
Connects to random domains like : kbbxnq.am.files.1drv.com Downloads encrypted file from : hxxps://onedrive.live.com/download?cid=95FCF6A0982EDBAA&resid=95FCF6A0982EDBAA%21384&authkey=ADToz6om2_g4nq4 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex...| Inside Your Botnet
Direct connection to : 185.126.201.167 Steals Data from : Vivaldi, Maple Studio, SecureFX, Pocomail, Chromium, KiTTY, NCH Fling, Orbitum, AbleFTP, IncrediMail, Internet Explorer / Edge, CocCoc, Bitvise SSH Client, Microsoft Outlook, NCH Classic FTP, BlazeFTP, WinChips, Epic Privacy Browser, Pidgin, PuTTY, Automize, FAR Manager, Yandex Browser, Comodo Dragon, Chrome Canary, JaSFTP, Google Chrome, Total Commander,Read more...| Inside Your Botnet
Encrypted configuration : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/conf.php Panel Login : hxxp://myehterwallet.top/UJZfOVD59Rue1AtQ/login.php Behavior : Steals data from browsers chrome,firefox,internet explorer/Edge , steals data from applications like WinSCP,Pidgin , steals data from Microsoft Outlook via registry. Sample : hxxp://45.141.86.139/update/updatewallet.exe Hosting Info : hxxp://whois.domaintools.com/47.254.174.146| Inside Your Botnet
Domain name : batlxt.org IP : 95.163.214.100 URL : http://batlxt.org/y8x/pin.php Steals Credentials From Local FTP Client Softwares : C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db C:\Program Files (x86)\FTPGetter\Profile\servers.xml C:\Users\user\AppData\Roaming\FTPGetter\servers.xml C:\Users\user\AppData\Roaming\Estsoft\AL...| Inside Your Botnet
Domain : fentq.org Ip : 89.208.196.209 HxxP: http://fentq.org/x/index.php Steals info from filezilla : C:\Users\user\AppData\Roaming\filezilla\recentservers.xml Steals info from browsers : C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www1.euro.dell[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@i.dell[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@dell[1].txt Sample : Hosting Infos :hxxp://107.189.10.150/E/5097110.exe hxxp://whois.doma...| Inside Your Botnet
Our ruski hecker snk is still hunting for money. Downloader : http://92.63.197.48/m/tm.exe hxxp://92.63.197.48/m/mb.exe Here some samples from snk bots,malwares also uncpaked bY Xylitol Trik Bot 2.5 sample. hxxp://filestorage.biz/download.php?file=3084255e737c1968b06d97242fe297ac Password for the archive : secretzone.io| Inside Your Botnet
Samples : hxxp://146.0.72.139/no_malwareneedscoffee.jpg Url’s : hxxp://filestorage.biz/download.php?file=e541302686cca000584050d41e254261 hxxp://memesmix.net/media/created/dd0doq.jpg www.billerimpex.com hxxp://gandcrabmfe6mnef.onion/68763f12385ff103| Inside Your Botnet
Sample :| Inside Your Botnet