adoḅe.com was hosting malware

ankit_anubhav Sep 5th, 2017 (edited) 1,591 Never
xn--adoe-x34a.com, which is rendered as http://adoḅe.com/ in many browsers, looks to copy the name of Adobe via an IDN homograph attack.
This site was hosting malware at http://get.xn--adoe-x34a.com/es/flashplayer/flashplayer26_pp_xa_install.exe
This will be shown as http://get.adoḅe.com/es/flashplayer/flashplayer26_pp_xa_install.exe in browsers, confusing the victim.

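Added example (not part of the original paste): how the homograph above works and how a URL filter or mail gateway can catch it. The script decodes the Punycode (xn--) hostname back to its Unicode form with Python's idna codec, then builds a "skeleton" of the registrable domain by dropping combining marks (the dot below on ḅ) and mapping a few hand-picked Cyrillic/Greek look-alikes to ASCII, and flags the hostname when that skeleton collides with a protected brand domain. The PROTECTED set, the CONFUSABLES map and the sample URLs are constructed for this example; the "last two labels" rule for the registrable domain is a simplification that a real tool would replace with the Public Suffix List, and a full confusables table is in Unicode TR39.

```python
import unicodedata
from urllib.parse import urlparse

# Assumed allowlist of brand domains we want to protect (constructed for the example).
PROTECTED = {"adobe.com", "google.com", "paypal.com"}

# Small hand-picked map of homoglyphs that NFD decomposition does not reduce to ASCII.
# Real deployments should use the Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small i
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
}


def to_unicode(host):
    """Decode an ACE hostname (labels starting with xn--) to its Unicode form.

    Pure-ASCII hostnames come back unchanged; "xn--adoe-x34a.com" becomes "adoḅe.com".
    """
    return host.encode("ascii").decode("idna")


def skeleton(label):
    """Reduce a label to the ASCII string it visually imitates.

    NFD splits ḅ (U+1E05) into b + U+0323; combining marks are dropped and
    known homoglyphs are mapped through CONFUSABLES.
    """
    out = []
    for ch in unicodedata.normalize("NFD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyse_host(host):
    """Return a dict describing whether an ACE/ASCII hostname impersonates a protected domain."""
    uni = to_unicode(host)
    labels = uni.split(".")
    # Simplification: treat the last two labels as the registrable domain (fine for .com).
    registrable = ".".join(labels[-2:])
    looks_like = skeleton(registrable)
    spoofs = looks_like if (looks_like in PROTECTED and looks_like != registrable) else None
    return {
        "ascii": host,
        "unicode": uni,
        "non_ascii": any(ord(c) > 127 for c in uni),
        "registrable": registrable,
        "spoofs": spoofs,
    }


def analyse_url(url):
    """Extract the hostname from a URL as a browser would and run analyse_host on it."""
    return analyse_host(urlparse(url).hostname)


if __name__ == "__main__":
    # Constructed samples: the malicious download URL from the paste, plus a benign one.
    for u in (
        "http://get.xn--adoe-x34a.com/es/flashplayer/flashplayer26_pp_xa_install.exe",
        "http://get.adobe.com/flashplayer/",
    ):
        r = analyse_url(u)
        verdict = "HOMOGRAPH of " + r["spoofs"] if r["spoofs"] else "ok"
        print(f"{r['ascii']:>22}  shown as {r['unicode']:<22}  {verdict}")
```

Browsers and mail clients disagree on when to render the Unicode form versus the raw xn-- label, so a detection should always operate on the ASCII (ACE) form it receives on the wire and decode it itself, as analyse_host does, rather than trusting what the user will see.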
The downloaded malware file had the MD5 hash 829431dbe1c1f816ead5f79d8fa37f35
https://www.virustotal.com/#/file/e6a9689454c13a02a4f343be7ef913f566f70813bd745683a9e4274809cdeba8/detection

The site is still up.

EDIT 06.09.2017: One more hash related to this is as follows:
84efb11a84e0f47fac25d383a2efae268533787bbf661cd19d212eb2b1fc342b

EDIT 06.09.2017: Analysis of the downloaded payload, thanks to https://twitter.com/malwr_kill
The payload is **betabot**.

C&C -> hxxp://149.202.159.240/panels_encoded/logout.php?
It also has a bitcoin mining module. Pool strings found in the sample:

pool.itzod.ru
bitcoinpool.com
triplemining.com
mining.eligius.st
mint.bitminer.com
pool_address

Credits/any questions ===> twitter.com/ankit_anubhav