
adoḅe.com was hosting malware

ankit_anubhav Sep 5th, 2017 (edited)
xn--adoe-x34a.com, which many browsers render as http://adoḅe.com/, imitates the Adobe name via an IDN homograph attack: the fourth character is U+1E05 (LATIN SMALL LETTER B WITH DOT BELOW), not an ASCII "b".
This site was hosting malware at http://get.xn--adoe-x34a.com/es/flashplayer/flashplayer26_pp_xa_install.exe
Browsers display that URL as http://get.adoḅe.com/es/flashplayer/flashplayer26_pp_xa_install.exe, a convincing imitation of Adobe's own Flash Player download path, which confuses the victim.

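The check a defender would want here, as an added example that is not part of the original paste: decode the ACE (xn--) labels back to the Unicode a browser shows, collapse diacritics and a few cross-script look-alikes onto plain ASCII, and flag any non-ASCII label whose "skeleton" lands on a watched brand. The WATCHLIST and the CONFUSABLES table are assumptions chosen for the demonstration (the authoritative source for look-alikes is Unicode UTS #39 confusables.txt); the only real-world input is the hostname from the paste.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: second-level labels of brands we want to protect (illustrative).
WATCHLIST = {"adobe", "apple", "google"}

# Assumption: a hand-picked subset of Cyrillic -> Latin look-alikes. The
# authoritative list is Unicode UTS #39 confusables.txt; this table only
# illustrates the idea.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def hostname_of(value: str) -> str:
    """Accept a URL or a bare hostname and return the lower-cased hostname."""
    if "://" not in value:
        value = "//" + value
    host = urlsplit(value).hostname
    if not host:
        raise ValueError(f"no hostname in {value!r}")
    return host


def decode_idn(hostname: str) -> str:
    """Convert ACE labels (xn--...) to the Unicode form a browser may display."""
    labels = []
    for label in hostname.split("."):
        if label.startswith("xn--"):
            # The part after the ACE prefix is Punycode (RFC 3492).
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII letters it visually imitates."""
    out = []
    for ch in label:
        ch = CONFUSABLES.get(ch, ch)
        # NFKD turns 'ḅ' (U+1E05) into 'b' + U+0323; combining marks are dropped.
        for part in unicodedata.normalize("NFKD", ch):
            if not unicodedata.category(part).startswith("M"):
                out.append(part)
    return "".join(out)


def check(value: str) -> dict:
    """Decode an IDN hostname/URL and report the brand its second-level label imitates, if any."""
    decoded = decode_idn(hostname_of(value))
    parts = decoded.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # assumes a single-label TLD
    skel = skeleton(label)
    non_ascii = any(ord(c) > 0x7F for c in label)
    # Only a non-ASCII label that collapses onto a watched brand is a homograph.
    imitates = skel if non_ascii and skel in WATCHLIST else None
    return {"decoded": decoded, "label": label, "skeleton": skel, "imitates": imitates}


if __name__ == "__main__":
    for sample in (
        "xn--adoe-x34a.com",
        "http://get.xn--adoe-x34a.com/es/flashplayer/flashplayer26_pp_xa_install.exe",
        "adobe.com",
    ):
        print(sample, "->", check(sample))
```

Run against the paste's hostname, `decode_idn` yields adoḅe.com and `check` reports that the registrable label imitates "adobe", while the genuine adobe.com is not flagged because its label is plain ASCII. The same skeleton step also catches whole-script Cyrillic spoofs such as аррӏе, which NFKD alone would not reduce.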
The downloaded malware had the MD5 hash 829431dbe1c1f816ead5f79d8fa37f35
VirusTotal report (SHA-256): https://www.virustotal.com/#/file/e6a9689454c13a02a4f343be7ef913f566f70813bd745683a9e4274809cdeba8/detection

The site is still up (as of this writing).

EDIT 06.09.2017: One more hash (SHA-256) related to this campaign:
84efb11a84e0f47fac25d383a2efae268533787bbf661cd19d212eb2b1fc342b

EDIT 06.09.2017: Analysis of the downloaded payload, thanks to https://twitter.com/malwr_kill
Payload is Betabot.

C&C -> hxxp://149.202.159.240/panels_encoded/logout.php?
It also has a bitcoin mining module, referencing the following mining pools:

pool.itzod.ru
bitcoinpool.com
triplemining.com
mining.eligius.st
mint.bitminer.com
pool_address

Credits/any questions ===> twitter.com/ankit_anubhav