DhiaLite

Malware shares infrastructure w/ Cryptolocker - Nov 20, 2013
Wed, Nov 20 2013
#DhiaLite - New Malware campaign on 88.198.198.83 shares infrastructure with Citadel and Cryptolocker.
Details further down.

New set of malware subdomains started resolving to 88.198.198.83 yesterday
All under dns8w.com 2LD which was registered on 18-nov-2013

Subdomains and IP are dropping Worm:Win32/Vobfus.HK

https://www.virustotal.com/en/ip-address/88.198.198.83/information/

Subdomains are in the form [0-9]{5} under dns8w.com

#Sample subdomains on 88.198.198.83

98520.dns8w.com
97364.dns8w.com
95568.dns8w.com
95121.dns8w.com
95069.dns8w.com
95047.dns8w.com
94704.dns8w.com
91599.dns8w.com
89961.dns8w.com
89165.dns8w.com

Furthermore, the domains listed below are also hosted on 88.198.198.83. They appeared between 2013-08-19 and 2013-11-06 and are currently live.

ns1.boxonline1.com
ns4.mysearchhere.net
ns3.mysearchhere.net
ns2.mysearchhere.net
ns1.timedate2.org
ns1.backdate2.com
ns1.dateback1.su
ns1.dateback1.com
ns1.chopsuwey.net
ns1.backupdate1.net
ns1.boxonline2.org
ns1.timedate1.org
ns1.dateback5.com
ns1.backdate1.net
ns1.datetoday1.org
ns1.dateback5.net
ns1.musicmixc.com
ns1.dateback2.org
ns1.dateback3.com
ns1.chopbell.biz
ns1.cpuchecks1.com
ns1.dateback2.net
ns1.mysearchhere.net
ns1.dateback3.org
ns1.chopstickers.net
ns1.backdate2.net
ns1.dateback4.com
ns1.dateback1.org
ns1.dateback5.org
ns1.dateback3.net
ns1.datetoday1.net
ns1.dateback1.net
ns1.backupdate4.net
ns1.dateback2.com

All these domains use ns1.sochi2013.su & ns2.sochi2013.su as nameservers which resolve to:
ns1.sochi2013.su 81.177.170.217
ns2.sochi2013.su 81.177.170.218

81.177.170.217 and 81.177.170.218 are dropping TrojanDownloader:Win32/Cutwail
https://www.virustotal.com/en/ip-address/81.177.170.217/information/
https://www.virustotal.com/en/ip-address/81.177.170.218/information/

81.177.170.217 and 81.177.170.218 are currently live.

Example malware file dropped from 81.177.170.217 is http://81.177.170.218/jopa.exe

VT and Malwr reports below
https://www.virustotal.com/en/file/76f931200b8e726ba8c4a3e5f88c958e972ee3dca47379ba5c7dd93a0b782ff3/analysis/1384925687/

https://malwr.com/analysis/ZWQ2M2FlMmViMDhhNDA4NmE2YWQzNWQxNmMwOWFhMmE/

In addition, on the same /24 of 81.177.170.217 several IPs have been serving other malware campaigns.

Most notable IP is 81.177.170.166 which has been serving as Citadel CnC and Cryptolocker dropper & CnC.

81.177.170.166 is currently live.

http://www.spamhaus.org/sbl/listings/openhosting.ru
https://www.virustotal.com/en/ip-address/81.177.170.166/information/
https://malwr.com/analysis/NWExNmQ0ZGQ3ZWRlNDc4MDkyYjEyM2I4NTdiYjlhMDg/

END