
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #1111 - AplusWebMaster (Adviser Team; joined Oct 2005, USA, 6,881 posts)

    Fake 'Confirmation', 'Certificate', 'e-fax' SPAM

    FYI...

    Fake 'Confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    14 Dec 2016 - "An email -spoofing- Kirklees Council with the subject of 'Booking Confirmation' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
    From: jewell nethercote <jewell.nethercote@ luciafranca .com>
    Date: Wed 14/12/2016 08:06
    Subject: Booking Confirmation
    Attachment: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
    Booking Confirmation
    This email and any attachments are confidential. If you have received it in error – notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.


    14 December 2016: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
    Current Virus total detections 13/56*. MALWR** shows a download of an encrypted file from
    http ://eastoncorporatefinance .com/nbv364 which is converted by the script to sonmoga2.rudf (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1481706521/

    ** https://malwr.com/analysis/ZmQyMjMzY...JlNTBjYTEzYjY/
    Hosts
    217.160.231.206
    176.121.14.95


    *** https://www.virustotal.com/en/file/a...is/1481706902/

    [4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.160.231.206
    176.121.14.95
    185.117.72.105
    52.34.245.108
    52.85.184.150
    35.160.111.237

    ___

    Fake 'Certificate' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/parce...ky-ransomware/
    14 Dec 2016 - "... an email with the subject of 'Parcel Certificate' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of par_cert_5444211.zip which delivers Locky ransomware... One of the emails looks like:
    From: Effie Bush <Bush.Effie@ adkime .com>
    Date: Wed 14/12/2016 09:41
    Subject: Parcel Certificate
    Attachment: par_cert_5444211.zip
    Dear hyperbolasmappera,
    Please check the parcel certificate I am sending you in the attachment.
    Order number is 477-F. Quite urgent, so please review it.
    Best Regards,
    Effie Bush


    14 December 2016: par_cert_5444211.zip: Extracts to: ~_9UZONB_~.wsf - Current Virus total detections 3/54*
    Payload Security** shows a download of an encrypted file from http ://ziskant .com/kqnioulnfj which is converted by the script to hIzFvc4Ek.zk (VirusTotal 4/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1481708404/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    62.210.89.38
    185.129.148.56
    86.110.117.155
    213.32.113.203
    35.160.111.237


    *** https://www.virustotal.com/en/file/4...is/1481709795/
    ___

    Fake 'e-fax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    14 Dec 2016 - "An email with the subject of 'eFax message from +611300786102 – 4 page(s), Caller-ID: +611300786102' (random numbers) pretending to come from eFax <inbound@ efax .delivery> with a malicious word doc attachment delivers Trickbot banking Trojan...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...g?w=1308&ssl=1

    14 December 2016: InboundMessage.doc - Current Virus total detections 10/53*
    Payload Security** shows a download from ‘http ://cendereci .com/dasphdasodasopjdaspjdasdasa.png’ which is -not- a png (image file) but -renamed- .exe (VirusTotal 41/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1481698402/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    85.159.66.172
    23.21.228.240
    36.37.176.6
    202.5.50.55


    *** https://www.virustotal.com/en/file/a...78f8/analysis/

    Last edited by AplusWebMaster; 2016-12-14 at 16:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
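An added example, not code from the post above or from the myonlinesecurity.co.uk write-ups it quotes. Both reports in this post come down to a file whose name lies about its content: the Locky payload is a DLL saved with an extension such as .zk or .rudf, and the Trickbot payload is an .exe served as a .png. The script below triages a dropped file by its bytes rather than its extension, walking the DOS header to the PE signature and reading the COFF Characteristics flag to tell a DLL from an EXE. The sample bytes are constructed minimal headers, not the real samples; the file names are taken from the post only as labels, and the lists of "executable" and "disguise" extensions are my own choice.

```python
"""Triage dropped files by content rather than by file extension."""
import os
import struct

# Extensions under which a PE file is expected (assumption / allowlist).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
# Extensions a PE file is commonly disguised under in mail-borne downloads.
DISGUISE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".txt"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs

# Magic bytes for the non-PE types we care to recognise.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also OOXML containers (.docm, .xlsm)
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc / .xls
}


def pe_info(data):
    """Return (is_pe, is_dll) by parsing MZ -> e_lfanew -> 'PE\\0\\0' -> COFF Characteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, False
    # COFF header follows the 4-byte signature; Characteristics is its last WORD (offset 22).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


def content_type(data):
    """Classify a blob as pe-dll, pe-exe, one of MAGICS, or unknown."""
    is_pe, is_dll = pe_info(data)
    if is_pe:
        return "pe-dll" if is_dll else "pe-exe"
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(filename, data):
    """Return a verdict string when the name and the bytes disagree, else None."""
    ext = os.path.splitext(filename)[1].lower()
    kind = content_type(data)
    if kind.startswith("pe-"):
        if ext in DISGUISE_EXTENSIONS:
            return f"{filename}: {kind} disguised as {ext}"
        if ext not in PE_EXTENSIONS:
            return (f"{filename}: {kind} with non-standard extension {ext or '(none)'} "
                    "(Locky-style rundll32 payload)")
    return None


def fake_pe(is_dll):
    """Constructed minimal PE-like header that satisfies pe_info(); not a runnable binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    characteristics = 0x2102 if is_dll else 0x0102  # 0x2000 = IMAGE_FILE_DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\x00\x00" + coff


# Constructed samples; names from the post, bytes synthetic.
SAMPLES = {
    "sonmoga2.rudf": fake_pe(True),
    "hIzFvc4Ek.zk": fake_pe(True),
    "dasphdasodasopjdaspjdasdasa.png": fake_pe(False),
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.dll": fake_pe(True),
}


def run_triage(samples=SAMPLES):
    """Map each sample name to its verdict (None when the file is what it claims to be)."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_triage().items():
        print(f"{name:36} {verdict or 'ok'}")
```

Point the same `triage()` at a directory listing of %TEMP% or a mail-gateway quarantine and the two Locky tells (PE bytes under a 2-to-4-character extension, or under an image extension) surface without any signature.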

  #1112 - AplusWebMaster (Adviser Team)

    Fake 'Amount Payable', 'Order Receipt' SPAM, Yahoo hack

    FYI...

    Fake 'Amount Payable' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...-leads-to.html
    15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: Lynn Drake
    Date: 15 December 2016 at 09:55
    Subject: Amount Payable
    Dear [redacted],
    The amount payable has come to $38.29. All details are in the attachment.
    Please open the file when possible.
    Best Regards,
    Lynn Drake


    The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
    (Long list of domain-names at the dynamoo URL above.)
    According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis[4] shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
    86.110.117.155 /checkupdate (Rustelekom, Russia)
    185.129.148.56 /checkupdate (MWTV, Latvia)
    185.17.120.166 /checkupdate (Rustelekom, Russia)
    MWTV is a known-bad-host, so I recommend blocking the entire /24.
    Recommended blocklist:
    86.110.117.155
    185.129.148.0/24
    185.17.120.166
    "
    * https://virustotal.com/en/file/bd028...is/1481796164/

    ** https://malwr.com/analysis/MzY2YzNhZ...gxNzFiYTMxYjk/
    Hosts
    92.48.111.60

    *** https://virustotal.com/en/file/d46ba...is/1481796614/

    [4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    92.48.111.60
    185.129.148.56
    86.110.117.155
    52.42.26.69
    52.85.184.67
    52.35.54.251

    ___

    Fake 'Order Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...ky-ransomware/
    15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
    From: Joshua Mooney <Mooney.Joshua@ ricket .net>
    Date: Thu 15/12/2016 10:54
    Subject: Order Receipt
    Attachment: scan9022222.zip
    Dear enrico,
    Thank you for making your order in our store!
    The payment receipt and crucial payment information are in the attached document.
    King Regards,
    Joshua Mooney
    Sales Manager


    15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
    MALWR** shows a download of an encrypted file from http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1481799202/

    ** https://malwr.com/analysis/NjUxOTUxM...Y1YTYwZWZlNTA/
    Hosts
    64.71.33.107

    *** https://www.virustotal.com/en/file/5...is/1481804458/

    [4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    64.71.33.107
    185.17.120.166
    185.129.148.56
    178.209.51.223
    52.42.26.69
    52.85.184.195
    35.160.111.237
    91.198.174.192
    91.198.174.208

    ___

    One -billion- users affected - Yahoo hack
    - https://www.helpnetsecurity.com/2016...on-yahoo-hack/
    Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one -billion- user accounts has been stolen..."
    * https://help.yahoo.com/kb/account/SL...pressions=true
    Dec 14, 2016

    Last edited by AplusWebMaster; 2016-12-15 at 16:20.
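An added example, not from the post above or from the dynamoo.com write-up it quotes. The dynamoo report ends in a recommended blocklist (one entry widened to a /24) and a /checkupdate beacon path; this script applies those indicators, plus a few of the payload staging URLs quoted in this thread, to outbound web-proxy logs. The log line format and the five sample lines are constructed for the example, the indicator values are the ones quoted in the posts, and the severity ranking is my choice, not the blog's.

```python
"""Match outbound web-proxy log lines against the Locky indicators quoted above."""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 blocklist as recommended in the dynamoo posts quoted in this thread.
C2_BLOCKLIST = {
    "86.110.117.155": "Rustelekom, Russia",
    "185.129.148.0/24": "MWTV, Latvia (entire /24 recommended)",
    "185.17.120.166": "Rustelekom, Russia",
    "178.209.51.223": "EDIS, Switzerland",
    "37.235.50.119": "EDIS, Switzerland",
}
C2_PATH = "/checkupdate"

# Payload staging URLs quoted in the thread ("download of an encrypted file from ...").
PAYLOAD_URLS = {
    "http://eastoncorporatefinance.com/nbv364",
    "http://ziskant.com/kqnioulnfj",
    "http://www.bds-1.com/gfftte3uv",
}

NETWORKS = [(ipaddress.ip_network(c, strict=False), label) for c, label in C2_BLOCKLIST.items()]

# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2016-12-15T09:57:01Z 10.0.0.23 GET http://www.bds-1.com/gfftte3uv 64.71.33.107 200
2016-12-15T09:57:09Z 10.0.0.23 POST http://185.129.148.56/checkupdate 185.129.148.56 200
2016-12-15T10:02:11Z 10.0.0.41 GET http://www.example.org/index.html 93.184.216.34 200
2016-12-15T10:05:45Z 10.0.0.23 POST http://185.129.148.77/checkupdate 185.129.148.77 200
2016-12-15T10:07:00Z 10.0.0.9 GET http://intranet.local/checkupdate 10.0.0.5 404
"""


def blocklist_match(ip):
    """Return the blocklist entry covering ip (CIDR-aware), or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, label in NETWORKS:
        if addr in net:
            return f"{net} ({label})"
    return None


def classify(line):
    """Describe why a log line is suspicious, or return None for a clean or unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    entry = blocklist_match(m["dst"])
    if entry:
        reasons.append("destination in C2 blocklist " + entry)
    url = m["url"]
    if url in PAYLOAD_URLS:
        reasons.append("known payload staging URL")
    if urlsplit(url).path == C2_PATH:
        reasons.append("Locky beacon path " + C2_PATH)
    if not reasons:
        return None
    # A blocklisted destination or a staging URL is decisive; the bare path is
    # only a lead (any server can expose /checkupdate), so it ranks low on its own.
    severity = "high" if (entry or url in PAYLOAD_URLS) else "low"
    return {"client": m["client"], "dst": m["dst"], "url": url,
            "severity": severity, "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


def clients_to_isolate(hits):
    """Client IPs with at least one high-severity hit: candidates for immediate isolation."""
    return sorted({h["client"] for h in hits if h["severity"] == "high"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["severity"], h["client"], "->", h["url"], ";", "; ".join(h["reasons"]))
    print("isolate:", clients_to_isolate(found))
```

The order of checks matters operationally: the staging-URL hit on 10.0.0.23 fires seconds before its first beacon, so a gateway that blocks on the staging indicator stops the DLL from ever arriving, whereas the beacon indicator only confirms an infection that already happened.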

  #1113 - AplusWebMaster (Adviser Team)

    Fake 'document', 'Subscription', 'Processing Problem' SPAM, Malvertising

    FYI...

    Fake 'document' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...e-again-today/
    16 Dec 2016 - "Another -blank/empty- email with the subject of 'Attached document' pretending to come from copier@ your-own-email-address with a malicious word doc attachment delivers Locky ransomware... The email looks like:
    From: copier@ your-own-email-address
    Date: Fri 16/12/2016 09:57
    Subject: Attached document
    Attachment: 3867_002.docm


    Body content: Completely empty/Blank

    16 December 2016: 3867_002.docm - Current Virus total detections 12/56*
    Payload Security** shows a download of an encrypted file from http ://fiddlefire .net/hjg766 which is converted by the script to loppsa2.aww ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1481882199/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    69.161.143.24
    37.235.50.29
    176.121.14.95
    86.110.117.155
    83.220.172.182
    52.88.7.60
    91.198.174.192
    91.198.174.208

    ___

    Fake 'Subscription' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/subsc...ky-ransomware/
    16 Dec 2016 - "... an email with the subject of 'Subscription Details' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of user0989063.zip which delivers Locky ransomware... One of the emails looks like:
    From: Cyril Levy <Levy.Cyril@ dragonflystudiosalon .com>
    Date: Fri 16/12/2016 10:49
    Subject: Subscription Details
    Attachment: user0989063.zip
    Dear mammoth, thank for you for subscribing to our service!
    All payment and ID details are in the attachment.


    16 December 2016: user0989063.zip: Extracts to: ~_P1EJYA_~.js - Current Virus total detections 4/55*
    Payload Security** shows a download of an encrypted file from http ://rondurkin .com/c6w5pscmc which is converted by the script to jex1N6oXpYUpIQ.zk (VirusTotal 5/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1481885511/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.211.96.24
    91.201.41.145
    31.41.47.50
    46.8.29.155
    52.34.245.108
    54.240.162.137


    *** https://www.virustotal.com/en/file/3...is/1481886225/
    ___

    Fake 'Processing Problem' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...g-problem.html
    15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: Juliet Langley
    Date: 15 December 2016 at 23:17
    Subject: Payment Processing Problem
    Dear [redacted],
    We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
    The receipt is in the attachment. Please study it and contact us.
    King Regards,
    Juliet Langley


    The name of the sender will vary as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js... the scripts download a component...
    (Long list of domain-names at the dynamoo URL above.)
    The malware then phones home to the following locations:
    185.129.148.56 /checkupdate (MWTV, Latvia)
    178.209.51.223 /checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
    37.235.50.119 /checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)
    Recommended blocklist:
    185.129.148.0/24
    178.209.51.223
    37.235.50.119
    "

    - https://myonlinesecurity.co.uk/payme...elivers-locky/
    15 Dec 2016 - "... an email with the subject of 'Payment Processing Problem' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of MPay7197337.zip which delivers Locky ransomware... One of the emails looks like:
    From: Kristie Soto <Soto.Kristie@ kadgraphics .com>
    Date: Thu 15/12/2016 22:33
    Subject: Payment Processing Problem
    Attachment: MPay7197337.zip
    Dear adkins,
    We have to inform you that a problem occured when processing your last payment (code: 7197337-M, $454.$86).
    The receipt is in the attachment. Please study it and contact us.
    King Regards,
    Kristie Soto


    15 December 2016: MPay7197337.zip: Extracts to: ~_7XXTOQ_~.js - Current Virus total detections 3/55*
    Payload Security** shows a download of an encrypted file from http ://ustadhanif .com/q0w93lkrvp
    which is converted by the script to HNUsEBnh.zk (VirusTotal 6/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1481842328/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    208.75.151.108
    37.235.50.119
    52.85.184.150


    *** https://www.virustotal.com/en/file/7...is/1481843139/
    ___

    Malvertising compromises routers instead of computers
    - https://www.helpnetsecurity.com/2016...mises-routers/
    Dec 16, 2016 - "The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers. According to Proofpoint* researchers, the attacker’s current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money:
    > https://www.helpnetsecurity.com/imag...ger-attack.jpg
    ... Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns. According to Kafeine**, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices. Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners."
    * https://www.proofpoint.com/us/threat...ndroid-devices
    "... Since the end of October, we have seen an improved version of the “DNSChanger EK” ** used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising..."
    ** http://malware.dontneedcoffee.com/20...d-to-csrf.html

    Last edited by AplusWebMaster; 2016-12-16 at 17:20.
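An added example, not from the post above or from the write-ups it quotes. Every Locky report in this thread ends the same way: a macro or a VBS/JS/WSF script drops a DLL under an odd extension and rundll32.exe loads it. The detection below expresses that chain as a rule over process-creation events. The events are constructed, the field names follow Sysmon event ID 1 as an assumption, the export name after the comma is a placeholder, and the allowlisted module extensions and the %TEMP% heuristic are my choices rather than anything the posts state.

```python
"""Flag rundll32.exe loading a non-.dll module, especially when launched by Office
or a script host from %TEMP%, over constructed Sysmon-style process events."""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions rundll32 is expected to load (assumption / allowlist).
NORMAL_DLL_EXT = {".dll", ".cpl", ".ocx"}
TEMP_MARK = "\\appdata\\local\\temp\\"
SCRIPT_RE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)

# rundll32 command line: [path\]rundll32[.exe] <module>[,<export>] [args]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))',
    re.IGNORECASE,
)


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None if not a rundll32 command."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    module = m.group("q") or m.group("u")
    return module.split(",")[0] if module else None


def analyze(event):
    """Return a list of findings for one process-creation event (empty if clean)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image == "rundll32.exe":
        module = rundll32_module(cmd)
        if module:
            ext = ntpath.splitext(module)[1].lower()
            if ext not in NORMAL_DLL_EXT:
                findings.append(f"rundll32 loading a module with non-DLL extension "
                                f"'{ext or '(none)'}': {module}")
            if TEMP_MARK in module.lower():
                findings.append("module lives in %TEMP% (where the downloader wrote it)")
            if parent in OFFICE_APPS | SCRIPT_HOSTS:
                findings.append(f"rundll32 spawned directly by {parent}")
    elif image in SCRIPT_HOSTS and SCRIPT_RE.search(cmd) and TEMP_MARK in cmd.lower():
        findings.append(f"{image} running a script from %TEMP% (extracted mail attachment pattern)")
    return findings


def detect(events):
    """Return [(index, findings)] for every event that produced at least one finding."""
    return [(i, f) for i, f in ((i, analyze(ev)) for i, ev in enumerate(events)) if f]


# Constructed events; field names follow Sysmon event ID 1 (assumption). The module
# names mirror the post; the ",#1" export is a placeholder, not taken from the samples.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\hIzFvc4Ek.zk,#1",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\sonmoga2.rudf,#1",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\~_4RYT3KP_~.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\Downloads\tool.dll,Start",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for idx, findings in detect(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for f in findings:
            print("   -", f)
```

The third and fifth events are the control group: rundll32 loading a real .dll from a normal location with an ordinary parent produces nothing, so the rule keys on the combination the reports describe rather than on rundll32 itself, which is far too common to alert on alone.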

  #1114 - AplusWebMaster (Adviser Team)

    Fake 'Payslip', 'LogMeIn' SPAM

    FYI...

    Fake 'Payslip' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/paysl...elivers-locky/
    19 Dec 2016 - "An email with the subject of 'Payslip for the month Dec 2016' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
    From: JASMINE DICKEY <jasmine.dickey@ ejmbcommercial .com>
    Date: Mon 19/12/2016 09:50
    Subject: Payslip for the month Dec 2016.
    Attachment: Payslip_Dec_2016_5490254.doc
    Dear customer,
    We are sending your payslip for the month Dec 2016 as an attachment with this mail.
    Note: This is an auto-generated mail. Please do not reply.


    19 December 2016: Payslip_Dec_2016_5490254.doc - Current Virus total detections 11/53*
    Payload Security** shows a download of an encrypted file from http ://routerpanyoso.50webs .com/8hrnv3 which is converted by the script to shtrina2.ero (VirusTotal 12/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1482144602/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.210.101.94
    193.201.225.124
    46.148.26.82
    188.127.237.76
    176.121.14.95
    52.39.24.163
    52.85.184.92
    91.198.174.192
    13.82.139.29
    91.198.174.208


    *** https://www.virustotal.com/en/file/a...is/1482144877/

    - http://blog.dynamoo.com/2016/12/malw...-dec-2016.html
    19 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: PATRICA GROVES
    Date: 19 December 2016 at 10:12
    Subject: Payslip for the month Dec 2016.
    Dear customer,
    We are sending your payslip for the month Dec 2016 as an attachment with this mail.
    Note: This is an auto-generated mail. Please do not reply.


    The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55*. This Hybrid Analysis** clearly shows Locky ransomware in action when the document is opened. According to my usual reliable source, the various versions of this download a component...
    (Long list of domain-names shown at the dynamoo URL above.)
    ... The malware then phones home to one of the following locations:
    176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
    193.201.225.124 /checkupdate (PE Tetyana Mysyk, Ukraine)
    188.127.237.76 /checkupdate (SmartApe, Russia)
    46.148.26.82 /checkupdate (Infium, Latvia / Ukraine)
    A DLL is dropped with a detection rate of 12/52*.
    Recommended blocklist:
    176.121.14.95
    193.201.225.124
    188.127.237.76
    46.148.26.82
    "
    * https://virustotal.com/en/file/17e89...is/1482147232/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    193.201.225.124
    188.127.237.76
    46.148.26.82
    176.121.14.95
    52.85.184.12


    *** https://virustotal.com/en/file/a2e90...16d3/analysis/
    ___

    Fake 'LogMeIn' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/logme...ivers-malware/
    19 Dec 2016 - "The email looks like:
    From: LogMeIn.com Auto-Mailer <noreply@ ssl-logmein .com>
    Date: Mon 19/12/2016 17:10
    Subject: LogMeIn Account Notification – Ip blocked
    Attachment: -Link-in-email-body- downloads notification_recipients_name.doc
    Your IP has been blocked from using the LogMeIn website after too many failed log-in attempts.
    Account holder: keith@[redacted]
    Event: IP blocked
    At: Mon, 19 Dec 2016 19:09:37 +0200
    To clear the IP address lockout, please follow the instructions...


    Screenshot: https://i0.wp.com/myonlinesecurity.c...le-editing.png

    19 December 2016: notification_keith.doc - Current Virus total detections 3/54*
    Payload Security **. The link-in-the-email is to http ://www .celf .jp/wp-content/themes/i-max/api/get.php?id=recipients email address encoded in base 64... The domain ssl-logmein .com was registered -today- 19 December 2016 via a Chinese registrar to a Bulgarian entity (IP address listed as 1.1.1.1). The emails are actually coming via a botnet of infected/compromised computers and servers... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1482167739/
    Trojan:W97...

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.21.228.240
    80.78.251.134
    212.24.98.247


    ssl-logmein .com: 1.1.1.1: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/98...a4a5/analysis/

    Last edited by AplusWebMaster; 2016-12-20 at 00:32.

  #1115 - AplusWebMaster (Adviser Team)

    Fake 'printing', 'Scan' SPAM

    FYI...

    Fake 'printing' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    20 Dec 2016 - "An email spoofing Moonbake Inc with the subject of 'for printing' coming from random senders with a malicious Excel XLS spreadsheet attachment delivers Locky... One of the emails looks like:
    From: HILLARY TATEHAM <hillary.tateham@ stonelawassociates .Com>
    Date: Tue 20/12/2016 09:47
    Subject: for printing
    Attachment: Certificate_2373.xls
    Hi,
    For printing.
    Thank you so much.
    HILLARY TATEHAM Cristobal HRD/Admin Officer
    Moonbake Inc. 14 Langka St., Golden Acres Talon 1
    Las Piñas City, Philippines ...


    20 December 2016: Certificate_2373.xls - Current Virus total detections 5/56*
    Payload Security** shows a download of an encrypted file from http ://yorkshire-pm .com/hjv56 which is converted by the script to momerk2.vip (VirusTotal 9/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do. Manual analysis shows these download locations:
    yorkshire-pm .com/hjv56
    isriir .com/hjv56
    noosnegah .com/hjv56 ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1482227222/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.11.101.46
    91.223.180.3
    188.127.239.48
    193.201.225.124
    54.239.168.79


    *** https://www.virustotal.com/en/file/3...is/1482228007/
    ___

    Fake 'Scan' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...elivers-locky/
    20 Dec 2016 - "... an email spoofing Lumax Industries Ltd. with the subject of 'Scan' pretending to come from random companies, names and email addresses with a random named zip attachment which delivers Locky ransomware...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...ng?w=896&ssl=1

    20 December 2016: 07cff4edf9a.zip: Extracts to: r9a2aa5cdfcbabe8bbbfc598cd334abb.wsf
    Current Virus total detections 9/55*. Payload Security** shows a download of an encrypted file from
    http ://www.judo-hattingen .de /hjv56?lktttKC=koHaQOx which is converted by the script to pYmpJfsNiM1.dll which unfortunately the free web version of Payload security does not make available for download... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1482248792/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    91.250.102.57
    176.121.14.95
    193.201.225.124
    52.32.150.180
    52.85.184.12


    Last edited by AplusWebMaster; 2016-12-20 at 19:50.

  #1116 - AplusWebMaster (Adviser Team)

    Fake 'Secure Comm', 'Photo' SPAM

    FYI...

    Fake 'Secure Comm' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...ivers-malware/
    21 Dec 2016 - "An email spoofing CommBank with the subject of 'Secure Communication' coming from < secure.message@ commbanksecureemail .com > with a malicious word doc attachment delivers Trickbot banking Trojan...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C805&ssl=1

    21 December 2016: Message.doc - Current Virus total detections 14/54*
    Payload Security** shows a download from http ://onsitepcinc .com/images/344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png which is -not- a png (image file) but a renamed .exe that is renamed by the script to wynrajo.exe (VirusTotal 22/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1482306465/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    65.108.116.221
    78.47.139.102
    36.37.176.6
    201.236.219.180
    144.76.249.26


    *** https://www.virustotal.com/en/file/5...is/1482314962/
    ___

    Fake 'Photo' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/photo...elivers-locky/
    21 Dec 2016 - "... another -blank- empty email with the subject of 'Photo' from {random Girl’s name} pretending to come from names and email addresses with a semi-random named zip attachment in the format of IMG-date-WA1234.zip which delivers Locky ransomware... One of the emails looks like:
    From: Glenna <Glennaherron3424@ syprotek .com>
    Date: Wed 21/12/2016 09:32
    Subject: Photo from Glenna
    Attachment: IMG-20161221-WA4646.zip


    Body content: totally blank/Empty

    21 December 2016: IMG-20161221-WA4646.zip: Extracts to: A87D1FCF.wsf - Current Virus total detections 8/55*
    Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1482312946/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.232.120.79
    176.121.14.95
    52.42.26.69
    54.240.162.130
    52.35.54.251


    Last edited by AplusWebMaster; 2016-12-21 at 15:28.

  #1117 - AplusWebMaster (Adviser Team)

    Fake 'scanned copy', 'Bestbuy' SPAM

    FYI...

    Fake 'scanned copy' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/scann...ky-ransomware/
    22 Dec 2016 - "... another -blank/empty- email with the subject of 'scanned copy' pretending to come from random names and email addresses with a semi-random named zip attachment in the format of HP0000000937.zip delivers Locky ransomware... One of the emails looks like:
    From: jeanne whitehorne <jeanne.whitehorne@ owdv .net>
    Date: Thu 22/12/2016 03:55
    Subject: scanned copy
    Attachment: HP0000000937.zip


    Body content: totally blank/empty

    22 December 2016: HP0000000937.zip: Extracts to: JFF38A.vbs - Current Virus total detections 8/55*
    Payload Security** shows a download of an encrypted file from http ://www .dvdpostal .net/result ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1482379501/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.0.77.6
    176.121.14.95
    52.88.7.60
    54.240.162.173
    35.160.111.237

    ___

    Fake 'Bestbuy' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/your-...liver-malware/
    22 Dec 2016 - "... an email with the subject of 'Your Bestbuy item is due for delivery on 22th December' pretending to come from random names at yahoo .com with a random named zip attachment which tries to deliver some sort of malware. This zip file extracts to another zip file before it extracts to the .js file... One of the emails looks like:
    From: josecastillo2344@ yahoo .com
    Date: Thu 22/12/2016 08:56
    Subject: Your Bestbuy item is due for delivery on 22th December
    Attachment: ECIOPZiodlxc.zip
    On the morning 22th of December you’ll be delivered a window and you’ll have the possibility to track your request on its way to your address.
    Please make sure someone is available to sign for your delivery.
    Pack delivery info and your contact data is in the file attached to this letter.
    If you will be out, it’s not a problem: you have a range of ‘in-flight’ options like changing your delivery time collecting from the nearest DPD Pickup Shop, asking us to deliver to one of your frients or arranging to have your item delivered to a safe place at your work address.


    22 December 2016: ECIOPZiodlxc.zip: Extracts to: ECIOPZiodlxc.js - Current Virus total detections 3/54*
    Payload Security** shows a download of an encrypted file from http ://optimastop .eu/castle/map which is currently giving me a 403 forbidden. It does show it wants to use BITS transfer and it is possible that a standard http get is blocked... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1482399844/
    Troj.Downloader.Js...

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2016-12-22 at 12:27.

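The 'scanned copy' post above describes Locky dropping its DLL under a made-up extension (.342, .tdb, .zk and so on) and having the script hand it to rundll32.exe. The check below is an added example for this thread, not the blog's or the forum's tooling: it reads constructed Sysmon-style key=value process-creation events (the paths and file names are made up) and flags rundll32 launches whose module argument has a non-library extension, sits in a user-writable directory, or was started by a script or Office host.

```python
"""Flag rundll32.exe launches that load a 'library' with a non-standard extension,
the behaviour the 'scanned copy' post describes for Locky. Added example, not the
blog's tooling; events are constructed Sysmon-style key=value lines."""
import ntpath
import re

LIBRARY_EXTS = {".dll", ".cpl", ".ax", ".ocx", ".drv", ".acm", ".ime"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.I)


def parse_event(line):
    """'Key=Value Key2=Value with spaces' -> dict; a value runs up to the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line.strip()))


def rundll32_target(cmdline):
    """Return the module path passed to rundll32 (text before the first comma), or None."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.I)
    return m.group(1).strip() if m else None


def assess(event):
    """Reasons this process-creation event looks like a script-dropped loader ([] if none)."""
    if ntpath.basename(event.get("Image", "")).lower() != "rundll32.exe":
        return []
    target = rundll32_target(event.get("CommandLine", ""))
    if not target:
        return ["rundll32 started without a module argument"]
    reasons = []
    ext = ntpath.splitext(target)[1].lower()
    if ext not in LIBRARY_EXTS:
        reasons.append("module has non-library extension %s" % (ext or "(none)"))
    if USER_WRITABLE.search(target):
        reasons.append("module loaded from a user-writable path")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append("parent is a script/Office host (%s)" % parent)
    return reasons


# Constructed events (made-up paths/names): a script-dropped .342 'DLL', a normal
# Control Panel launch, and an unrelated process.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\Hq2fd.342,qwerty ParentImage=C:\Windows\System32\wscript.exe",
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL ParentImage=C:\Windows\explorer.exe',
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe ParentImage=C:\Windows\explorer.exe",
]


def scan(lines):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    out = []
    for i, line in enumerate(lines):
        reasons = assess(parse_event(line))
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The extension test alone would also fire on legitimate odd installers, so the parent-process and path reasons are reported separately; alert on two or more together and review single-reason hits.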
  8. #1118

    Thumbs down Tech support phone SCAM, Fake 'eFax' SPAM

    FYI...

    Tech support phone SCAM
    - http://blog.dynamoo.com/2016/12/0208...cam-using.html
    23 Dec 2016 - "If these people ring you DO -NOT- GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do. It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They -claim- that hackers are accessing my router. I wasted 37 minutes of their time, these are some of the steps to watch out for..
    1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
    2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
    3. Then in order they try to get you to connect to the following services to take remote control of your PC: www .anydesk .com, www .teamviewer .com and www .supremofree .com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
    4. When those didn't work they tried directing me to a proxy at hide .me/proxy and www .hide .me/proxy (the same thing I know) which is probably another candidate for blocking.
    Of course, once they have access to your PC they will try to convince you that you need to -pay- them some money for technical support. Be warned, that they can render-your-PC-unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters."
    ___

    Fake 'eFax' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/spoof...known-malware/
    22 Dec 2016 - "... another email spoofing eFax with the subject of 'You have recevied a message' pretending to come from faxscanner scanner@ your-own-email-address with a semi-random named zip attachment in the format of Message efax system-1701.zip which delivers an unknown malware. Indications are that this could be Trickbot or could be Dridex banking Trojan... One of the emails looks like:
    From: Fax Scanner <scanner @ your-email-address>
    Date: Thu 22/12/2016 20:51
    Subject: You have recevied a message
    Attachment: Message efax system-1701.zip
    You have received a message on efax.
    Please download and open document attached.
    Scanner eFax system.


    22 December 2016: Message efax system-1701.zip: Extracts to: Message efax system-2817.js
    Current Virus total detections 4/53*. Payload Security** shows a download of ntntoto1].png (but doesn’t give the download url) which is renamed by the script to QE7JlpDt.exe (VirusTotal 29/56***). The js file is heavily obfuscated and almost impossible to human read and decrypt. Update: MALWR[4] gave me ‘http ://glendaleoffice .com/js/ntntoto.png’ as the download location... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1482441908/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    78.47.139.102
    36.37.176.6
    201.236.219.180


    *** https://www.virustotal.com/en/file/b...9c29/analysis/

    4] https://malwr.com/analysis/MGQ1ZTFiZ...gwMDIxODEwMmU/
    Hosts
    69.67.54.86
    78.47.139.102
    54.243.154.49
    45.76.25.15
    167.114.174.158
    188.40.53.51
    36.37.176.6
    192.189.25.143


    glendaleoffice .com: 69.67.54.86: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/4e...d12e/analysis/

    Last edited by AplusWebMaster; 2016-12-23 at 15:23.

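The 'Photo', 'scanned copy', 'Bestbuy' and 'eFax' posts above all come down to a zip attachment holding a .wsf/.vbs/.js (in the Bestbuy case a zip inside a zip), and the eFax sample then pulls down an executable named as a .png. The mail-gateway check below is an added example for this thread, not the blog's or forum's code: it walks an archive recursively with a depth limit, flags members by dangerous extension and by content signature (MZ header or PHP tag behind an image name), and the archives and byte strings it runs on are constructed in memory.

```python
"""Triage e-mail attachments: walk zips (including zips nested in zips), flag
members by script/executable extension and by content signature. Added example
for this thread, not the blog's code; all sample archives are constructed here."""
import io
import ntpath
import zipfile
from dataclasses import dataclass

SCRIPT_EXTS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta", ".docm", ".xlsm",
               ".exe", ".dll", ".scr"}
SIGNATURES = {"exe": b"MZ", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04", "pdf": b"%PDF"}
MAX_DEPTH = 3                          # zips-in-zips beyond this are refused, not inflated
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not inflate huge members (zip-bomb guard)


@dataclass
class Finding:
    path: str      # 'outer.zip!inner.zip!file.js'
    reason: str


def sniff(data):
    """Content type implied by the leading bytes, or 'unknown'."""
    head = data[:16]
    for kind, magic in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    if head.lstrip().startswith(b"<?php"):
        return "php"
    return "unknown"


def triage_bytes(name, data, depth=0, findings=None):
    """Inspect one file (possibly an archive) and append Findings; returns the list."""
    findings = [] if findings is None else findings
    ext = ntpath.splitext(name.rsplit("!", 1)[-1])[1].lower()
    kind = sniff(data)
    if ext in SCRIPT_EXTS:
        findings.append(Finding(name, "script/executable extension %s" % ext))
    if kind == "exe" and ext not in (".exe", ".dll", ".scr"):
        findings.append(Finding(name, "PE executable disguised as %s" % (ext or "no extension")))
    if kind == "php" and ext != ".php":
        findings.append(Finding(name, "PHP script disguised as %s" % (ext or "no extension")))
    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append(Finding(name, "archive nested deeper than %d levels" % MAX_DEPTH))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = name + "!" + info.filename
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding(member, "member too large to inflate"))
                        continue
                    triage_bytes(member, zf.read(info), depth + 1, findings)
        except zipfile.BadZipFile:
            findings.append(Finding(name, "zip signature but archive is corrupt"))
    return findings


def verdict(name, data):
    return "block" if triage_bytes(name, data) else "allow"


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples mirroring the posts' descriptions; member bodies are dummies.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60     # only the DOS header magic matters here
SAMPLES = {
    "IMG-20161221-WA4646.zip": make_zip({"A87D1FCF.wsf": b"<job><script language='JScript'>// dummy</script></job>"}),
    "ECIOPZiodlxc.zip": make_zip({"ECIOPZiodlxc.zip": make_zip({"ECIOPZiodlxc.js": b"// dummy"})}),
    "photos.zip": make_zip({"ntntoto1].png": FAKE_PE, "real.png": SIGNATURES["png"] + b"\x00" * 8}),
    "invoice.zip": make_zip({"invoice.pdf": b"%PDF-1.4 dummy"}),
}


def scan(samples):
    return {attachment: verdict(attachment, data) for attachment, data in samples.items()}
```

Extension and signature checks are deliberately independent: an honest .js has no magic to sniff, and a renamed .exe has a harmless extension, so either test alone misses one of the two cases on this page.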
  9. #1119

    Thumbs down Fake 'USPS', 'FedEx' SPAM

    FYI...

    Fake 'USPS' SPAM - delivers Locky, Kovter, other malware
    - https://myonlinesecurity.co.uk/spoof...other-malware/
    27 Dec 2016 - "... malware gang spoofing FedEx, USPS and every other courier, delivery or postal service, sending thousands of 'Courier was not able to deliver your parcel' and hundreds of variants or similar subjects like 'USPS issue #06914074: unable to delivery parcel'... Some subjects seen, all have random numbers, include:
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS

    ... malware downloaders spoofing USPS pretending to be a message saying cannot deliver the parcel. These deliver Locky ransomware and Kovter Trojans amongst others...

    27 December 2016: Delivery-Details-06914074.zip: Extracts to: Delivery-Details-06914074.doc.wsf
    Current Virus total detections 7/55*. Payload Security** shows a download from
    http ://boardedhallgreen .com/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
    which gives counter.js (VirusTotal 1/55***) that in turn downloads from
    http ://baltasmenulis .lt/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01 (and 02 – 05).
    The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js on your computer, that is run directly from temp internet files ). It downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site giving counter.js to actually download from itself, normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png (image files). They are actually all renamed .exe files or in the case of number 3, a -renamed- php script. Both of the innocent files are misused to run the malware. This is a very noisy malware set that contacts 4 domains and -179- hosts. View the network section on the Payload Security report[4] for more details... One of the emails looks like:
    From: USPS Priority Delivery <steven.kent@ confedampa .org>
    Date: Tue 27/12/2016 06:57
    Subject: USPS issue #06914074: unable to delivery parcel
    Attachment: Delivery-Details-06914074.zip
    Dear Customer,
    Your item has arrived at December 25, but our courier was not able to deliver the parcel.
    You can download the shipment label attached!
    Thank you for your assistance in this matter,
    Steven Kent,
    USPS Chief Delivery Manager.


    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1482822876/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/7...is/1482824922/

    4] https://www.hybrid-analysis.com/samp...etwork-traffic
    Contacted Hosts (179)
    ___

    Fake 'FedEx' SPAM - delivers Locky and other malware
    - https://myonlinesecurity.co.uk/more-...ther-malwares/
    25 Dec 2016

    > https://www.hybrid-analysis.com/samp...etwork-traffic
    Contacted Hosts (170)

    Last edited by AplusWebMaster; 2016-12-27 at 16:55.

  10. #1120

    Thumbs down Fake 'FedEx/USPS' SPAM

    FYI...

    Fake 'FedEx/USPS' SPAM - Kovter/Locky sites
    - https://myonlinesecurity.co.uk/spoof...d-locky-sites/
    28 Dec 2016 - "Following on from these [FEDEX(1)] [USPS(2)] posts describing the Spoofed FedEx and USPS (and other delivery services from time to time). I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each day's new sites to the lists, but please remember that old sites are -reused-daily- until taken down by their hosts. -All- the sites used in this malware spreading campaign are -hacked/compromised- sites.
    1] https://myonlinesecurity.co.uk/more-...ther-malwares/

    2] https://myonlinesecurity.co.uk/spoof...other-malware/

    The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js by searching on your computer, that is run directly from temp internet files). Counter.js then downloads a different -variant- of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files (apart from the -original- counter.js) pretend to be png (image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. To get the -second- counter.js you need to change the &r=01 at the end of the url to &m=01 (or 02-05). This -second- counter.js contains -additional- sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.
    I only accidentally found out about the second /3rd /4th /5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped/miscopied the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and -blocked- by an antivirus or web filter service.

    25 December 2016: (Payload Security report [3]) Contacted Hosts (170)
    3spension .com: 116.127.123.32: https://www.virustotal.com/en/ip-add...2/information/
    minebleue .com: 213.186.33.87: https://www.virustotal.com/en/ip-add...7/information/
    chaitanyaimpex .org: 43.255.154.44: https://www.virustotal.com/en/ip-add...4/information/
    grancaffe .net: 94.23.64.40: https://www.virustotal.com/en/ip-add...0/information/
    break-first .com: 87.98.144.123: https://www.virustotal.com/en/ip-add...3/information/
    www .meizumalaysia .com: 103.51.41.205: https://www.virustotal.com/en/ip-add...5/information/
    dreamoutloudcenter .org: 184.168.234.1: https://www.virustotal.com/en/ip-add...1/information/
    megrelis-avocat .com: 213.186.33.82: https://www.virustotal.com/en/ip-add...2/information/

    /counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ
    /counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

    27 December 2016: (Payload Security report[4]) Contacted Hosts (179)
    lacasadeicuochi .it: 185.2.4.12: https://www.virustotal.com/en/ip-add...2/information/
    boardedhallgreen .com: 184.168.230.1: https://www.virustotal.com/en/ip-add...1/information/
    www .memoodgetactive.det.nsw .edu.au: 153.107.134.124: https://www.virustotal.com/en/ip-add...4/information/
    rebecook .fr: 213.186.33.104: https://www.virustotal.com/en/ip-add...4/information/
    peachaid .com: 107.180.26.91: https://www.virustotal.com/en/ip-add...1/information/
    kidsgalaxy .fr: 213.186.33.18: https://www.virustotal.com/en/ip-add...8/information/
    baltasmenulis .lt: 185.5.53.28: https://www.virustotal.com/en/ip-add...8/information/
    artss .org: 166.62.27.56: https://www.virustotal.com/en/ip-add...6/information/

    /counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
    /counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

    28 December 2016: (Payload Security report[5]) Contacted Hosts (174)
    thanepoliceschool .com: 166.62.27.146: https://www.virustotal.com/en/ip-add...6/information/
    chimie.iset-liege .be: 213.186.33.17: https://www.virustotal.com/en/ip-add...7/information/
    partnersforcleanstreams .org: 192.186.205.128: https://www.virustotal.com/en/ip-add...8/information/

    /counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE
    /counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01 "

    3] https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    29 December 2016: (Payload Security report[6]) Contacted Hosts (169)
    cobycaresfoundation .org: 72.47.244.92: https://www.virustotal.com/en/ip-add...2/information/
    dev.zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-add...4/information/
    shark1.idhost .kz: 82.200.247.240: https://www.virustotal.com/en/ip-add...0/information/
    italysfinestdesign .it: 217.72.102.152: https://www.virustotal.com/en/ip-add...2/information/
    salutgaudi .com: 185.2.4.20: https://www.virustotal.com/en/ip-add...0/information/
    zodia-q .com: 153.121.37.174: https://www.virustotal.com/en/ip-add...4/information/

    /counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

    /counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

    > 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

    /counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

    /counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    7] https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2016-12-29 at 13:01.

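The two courier posts above (#1119 and #1120) describe the same fetch chain: a /counter/ request carrying a=, m= and i= returns counter.js, the script then asks the sites on its list for r=01 through r=05 in turn, failing over to the next site when one returns nothing, and a variant swaps &r= for &m= to obtain a second counter.js. The correlation below is an added example for this thread, not the blog's tooling: it classifies each URL by those query keys (tolerating the "?=&i=" form seen on 29 Dec), then groups requests per client so one alert lists every host the chain touched. The log lines are constructed in a simple "time client method url status" format, and the hostnames and token values are placeholders.

```python
"""Spot the multi-stage '/counter/?a=..&m=..&i=..' download chain from the courier
spam in web-proxy logs. Added example, not the blog's tooling; log lines, hosts
and tokens below are constructed placeholders."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs


def classify(url):
    """Return (stage, number) for a counter-chain URL, or None for anything else."""
    parts = urlsplit(url)
    if not parts.path.endswith("/counter/"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)   # tolerates the '?=&i=' variant
    if "i" not in q or "a" not in q:
        return None
    if "r" in q:
        return ("payload", q["r"][0])                    # r=01..05: the renamed exe/php stages
    m = q.get("m", [""])[0]
    if len(m) == 2 and m.isdigit():
        return ("alt_counter", m)                        # &r= swapped for &m=: second counter.js
    if m.isdigit():
        return ("counter", None)                         # first request: returns counter.js
    return None


def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname, "status": int(status)}


def correlate(lines):
    """Group counter-chain requests per client and return one alert per client
    that fetched counter.js and at least one payload stage successfully."""
    chains = defaultdict(lambda: {"counter": 0, "stages": [], "hosts": set()})
    for rec in map(parse_line, lines):
        cls = classify(rec["url"])
        if cls is None:
            continue
        chain = chains[rec["client"]]
        chain["hosts"].add(rec["host"])
        if cls[0] == "payload":
            chain["stages"].append((cls[1], rec["status"]))
        else:
            chain["counter"] += 1
    alerts = []
    for client, chain in chains.items():
        fetched = sorted({n for n, st in chain["stages"] if st == 200})
        if chain["counter"] and fetched:
            alerts.append({"client": client, "stages_fetched": fetched,
                           "hosts": sorted(chain["hosts"])})
    return alerts


# Constructed log: one infected client walking the chain (note the 404 on site-a
# for r=01 followed by the retry on site-b), plus unrelated traffic.
LOG = """\
2016-12-27T06:58:01 10.0.0.5 GET http://site-a.example/counter/?a=aaa111&m=3254807&i=iii222 200
2016-12-27T06:58:02 10.0.0.5 GET http://site-a.example/counter/?i=iii222&a=aaa111&r=01 404
2016-12-27T06:58:02 10.0.0.5 GET http://site-b.example/counter/?i=iii222&a=aaa111&r=01 200
2016-12-27T06:58:03 10.0.0.5 GET http://site-b.example/counter/?i=iii222&a=aaa111&r=02 200
2016-12-27T06:58:03 10.0.0.5 GET http://site-c.example/counter/?i=iii222&a=aaa111&r=03 200
2016-12-27T06:58:04 10.0.0.5 GET http://site-a.example/counter/?=&i=iii222&a=aaa111&r=04 200
2016-12-27T06:58:05 10.0.0.5 GET http://site-c.example/counter/?i=iii222&a=aaa111&m=01 200
2016-12-27T07:01:10 10.0.0.9 GET http://shop.example/counter/?page=2 200
2016-12-27T07:02:00 10.0.0.9 GET http://cdn.example/img/logo.png 200
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(LOG):
        print(alert)
```

Because the compromised sites rotate daily while the query shape stays the same, matching on the parameter pattern rather than on the host list is what keeps the rule useful; the host list in each alert is the by-product you feed to the blocklist.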