Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on May 07, 2018, 12:52:46 PM

Title: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
Post by: polonus on May 07, 2018, 12:52:46 PM
Is this a ransomware launcher or a script miner? https://urlquery.net/report/2dc64593-68a1-469f-8dad-3e839c58a69d
Re: https://www.malwares.com/report/host?host=183.ns2275ab.com
Re: https://www.threatcrowd.org/ip.php?ip=212.61.180.100
Alerted via a malware connectivity check!

polonus
Title: Re: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
Post by: Pondus on May 07, 2018, 01:23:40 PM
https://www.virustotal.com/#/url/ef2f5b5c9eacc12b3079f8f297f51716091a7b8021c29f93294ce09f1fcd5962/detection

read community comments
https://www.virustotal.com/#/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/community

Title: Re: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
Post by: polonus on May 07, 2018, 10:47:44 PM
Hi Pondus,

Thank you again for dotting the i's and crossing the t's on those VT scan results.

What would we do without your relevant knowledge on VT scans, dear Pondus?

So the final verdict has not been handed out on it then.

And it now hangs in the balance, between an FP and a malicious 0-day detection.

Just wait and see what it will be in the end.

Anyway, we have reported it here in the "virus & worms", and that alone is a good thing.

polonus
Title: Re: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
Post by: polonus on May 13, 2018, 06:21:48 PM
Another one: https://urlquery.net/report/ad327386-308a-4b89-aa4a-7bfe2ae0eb34
For IP see: https://ransomwaretracker.abuse.ch/ip/212.61.180.100/
Malware, phishing etc. -> https://cymon.io/212.61.180.100
and https://www.malwares.com/report/ip?ip=212.61.180.100

polonus
Title: Re: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz
Post by: polonus on January 18, 2019, 04:04:56 PM
UPDATE

Malware still being launched from that particular IP:
Re malware and blacklisted: https://urlquery.net/report/04e07806-0297-446f-99e5-017ef7bf3e8e
5 instances to detect: https://www.virustotal.com/#/url/4b1ca1255ed85a34742be0a00261abf23160a7e6dddc6be3f7f0fc053232c380/detection
More nasties from there: https://www.virustotal.com/#/domain/dl2.iq5download.com

Also consider on IP: https://ransomwaretracker.abuse.ch/ip/212.61.180.100/
and https://otx.alienvault.com/indicator/ip/212.61.180.100
and https://cymon.io/212.61.180.100 and https://www.malwares.com/report/ip?ip=212.61.180.100
and https://www.threatminer.org/host.php?q=212.61.180.100
and https://www.joesandbox.com/analysis/54038/0/html

polonus