DhiaLite

New Browlock domains - Jan 8, 2014

Jan 8th, 2014
Wed, Jan 8 2014
#DhiaLite - New browser-based ransomware domains on 37.220.11.148. The fake "Mandiant" banner and threatening President Obama look trick ;)

They started resolving to 37.220.11.148 yesterday.

#Sample url of the Browlock page

http://zdvzdrtra.fuetechs.co.uk/police/zRnxM_/oNRAfrnI_/vp0dJ5eJuUvc6mIf7QySgmD_/baP5ahKHHxgLAlGMe8uwp7bHOQJH3NeDJtewCS/CoxtWllmw%7E%7E/MWU0YjViYWQ5NGNiNzZhNjMxZDczOWZlOTMzOT

Same path will work for all domains below.

/police/zRnxM_/oNRAfrnI_/vp0dJ5eJuUvc6mIf7QySgmD_/baP5ahKHHxgLAlGMe8uwp7bHOQJH3NeDJtewCS/CoxtWllmw%7E%7E/MWU0YjViYWQ5NGNiNzZhNjMxZDczOWZlOTMzOT

https://www.virustotal.com/en/ip-address/37.220.11.148/information/

#Sample domains on 37.220.11.148

#end