Closed g0d33p3rsec closed 3 months ago
While cataloging IP addresses related to Mirai and Mozi earlier today I came across this IP address which is being used to distribute a variety of malware.
XMRIG
http://45.207.168.120:7744/has.exe https://www.virustotal.com/gui/url/78e094df38bc34cb1151118b9ee4c8156aeda4cdbbb1b81818ec72183af83da6 http://45.207.168.120:7744/sky.exe https://www.virustotal.com/gui/url/6c886634b3a59ca39e9b7f1c1ff6971378107e291c4d587c20994e0e5afa0165 http://45.207.168.120:7744/dd.exe https://www.virustotal.com/gui/file/b8d92a1b30253b1525bbf7e1e38429291cb68085f0886c35cbee22baa66d024b http://45.207.168.120:7744/c3p.exe https://www.virustotal.com/gui/file/01a976b80253450a09d0b89075f5fa923a3411265f7bc8f3413d059fd662aa83
trojan.defendercontrol/cpsmi
http://45.207.168.120:7744/22222.zip https://www.virustotal.com/gui/file/401790095e2544ea86840db790d63ae541bce50f0bc8baa7822e31ecbbb5a3b7
trojan.farfli/cpsmi
http://45.207.168.120:7744/mm.exe https://www.virustotal.com/gui/file/77886cc8a951bb0bb843e54324012ec508f0ba79b5ad7512d0b34e3076c2cd10
trojan.farfli/hcah
http://45.207.168.120:7744/libcurllvse.exe https://www.virustotal.com/gui/file/c2908fecd46ed515e5be300a9aa45272c390d8d0c2975ce563d6327ec1cbf613
trojan.farfli/zusy
http://45.207.168.120:7744/k7.exe https://www.virustotal.com/gui/file/d5b97d4be78dd6e6795c7e5376faeeaa58ac0b40629ea67291f223d42f19553a http://45.207.168.120/%E5%AE%89%E8%A3%85%E5%8C%85.exe https://www.virustotal.com/gui/file/9c24da4de476f5ee90589912d0128ca9d63edbe28648d8502cb1f3d9227dfcf4
trojan.jswj/redosdru
http://45.207.168.120:7744/conhostdhfw.exe https://www.virustotal.com/gui/file/c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 http://45.207.168.120:7744/45.28.exe https://www.virustotal.com/gui/file/59437ea65733812086a5734abfa35b524b2159d6bb6f333a79f5ff108d365a7d
http://45.207.168.120:7744/DHL.exe https://www.virustotal.com/gui/file/04e5c9467245df7b1beb4a2646d038e2320147f035fc18629adfb32b4da76ef1
trojan.sbgc
http://45.207.168.120:7744/8.77.dll https://www.virustotal.com/gui/file/cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30
trojan.bcsfd/injectorx
http://45.207.168.120:7744/77@u2.exe https://www.virustotal.com/gui/file/07ff27bfc879ad9f4d90f17c755c89d2fc3a84994c2304ee3cd79eb84674b9c0
trojan.zenpak/r03bc0xfa24
http://45.207.168.120:7744/ceshi.exe https://www.virustotal.com/gui/file/304344761eb9b34d8d3bb22fe8272f68db5f9f9ba6fdcd3619906c13d8a315ee
32.120.168.207.45|malicious
No response
45.207.168.120 http://45.207.168.120:7744/ http://45.207.168.120:7744/has.exe http://45.207.168.120:7744/sky.exe http://45.207.168.120:7744/dd.exe http://45.207.168.120:7744/c3p.exe http://45.207.168.120:7744/22222.zip http://45.207.168.120:7744/mm.exe http://45.207.168.120:7744/libcurllvse.exe http://45.207.168.120:7744/k7.exe http://45.207.168.120:7744/conhostdhfw.exe http://45.207.168.120:7744/DHL.exe http://45.207.168.120:7744/8.77.dll http://45.207.168.120:7744/77@u2.exe http://45.207.168.120:7744/ceshi.exe
N/A
Comments
While cataloging IP addresses related to Mirai and Mozi earlier today I came across this IP address which is being used to distribute a variety of malware.
XMRIG
trojan.defendercontrol/cpsmi
trojan.farfli/cpsmi
trojan.farfli/hcah
trojan.farfli/zusy
trojan.jswj/redosdru
trojan.sbgc
trojan.bcsfd/injectorx
trojan.zenpak/r03bc0xfa24
Wildcard domain records
Sub-Domain records
No response
Hosts (RFC:953) specific records, not used by DNS RPZ firewalls
No response
SeafeSearch records
No response
Screenshots
Screenshot
Links to external sources
logs from uBlock Origin
N/A