adoḅe.com was hosting malware
ankit_anubhav Sep 5th, 2017 (edited) 1,220 Never
- xn--adoe-x34a.com, which many browsers render as http://adoḅe.com/, imitates the Adobe name via an IDN homograph attack.
- This site was hosting malware on http://get.xn--adoe-x34a.com/es/flashplayer/flashplayer26_pp_xa_install.exe
- This will be seen as http://get.adoḅe.com/es/flashplayer/flashplayer26_pp_xa_install.exe in browsers, confusing the victim.
- The downloaded malware file had the hash 829431dbe1c1f816ead5f79d8fa37f35 (MD5).
- The site is still up.
- EDIT 06.09.2017 One more hash related to this is as follows:
- EDIT 06.09.2017 Analysis of the downloaded payload, thanks to https://twitter.com/malwr_kill:
- Payload is **betabot**
- C&C -> hxxp://18.104.22.168/panels_encoded/logout.php?
- It also carries a bitcoin mining module.
- Credits/any questions ===> twitter.com/ankit_anubhav
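How a defender can catch the trick described above: the example below is added here and is not part of the paste. It decodes the xn-- label back to the Unicode a browser renders, reduces it to a crude confusable skeleton, and compares it against an assumed brand watchlist (the watchlist is my assumption, not from the paste).

```python
import unicodedata

# Assumed defender watchlist of brand domains to protect (not part of the paste).
WATCHLIST = ("adobe.com",)


def decode_idn_host(host: str) -> str:
    """Render each Punycode (xn--) label as the Unicode a browser would display."""
    labels = []
    for label in host.strip().lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Crude confusable skeleton: NFKD-decompose, then drop combining marks.
    'adoḅe' -> 'b' + U+0323 (combining dot below) -> 'adobe'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.category(c).startswith("M"))


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def homograph_target(host: str, watchlist=WATCHLIST):
    """Return the watched domain this host imitates, or None.
    A host is flagged when its skeleton falls under a watched domain while the
    host itself does not (get.adobe.com passes, get.adoḅe.com is flagged)."""
    unicode_host = decode_idn_host(host)
    skel = skeleton(unicode_host)
    for brand in watchlist:
        if is_under(skel, brand) and not is_under(unicode_host, brand):
            return brand
    return None


if __name__ == "__main__":
    for h in ("xn--adoe-x34a.com", "get.xn--adoe-x34a.com", "get.adobe.com"):
        print(h, "->", decode_idn_host(h), "| imitates:", homograph_target(h))
```

The skeleton here only strips diacritics; a production check would use the Unicode confusables table so that lookalikes from other scripts (Cyrillic, Greek) are caught as well.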