Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on February 08, 2020, 03:50:09 PM

Title: Already flagged for us?
Post by: polonus on February 08, 2020, 03:50:09 PM
Re: https://urlhaus.abuse.ch/url/311632/
Also https://www.virustotal.com/gui/url/5c0be0e2e57f6dea8dd01b4d55b80e0088f6e94a5e4827890fb2df76bbdd45d5/details
(4 engines detect); https://www.virustotal.com/gui/ip-address/199.188.206.78/detection  (1 detects);

Detections on IP with Namecheap abuse: https://www.virustotal.com/gui/ip-address/199.188.206.78/relations

Site has been blacklisted: https://sitecheck.sucuri.net/results/maxicollection.us/done.exe (critical security risk found)

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 09, 2020, 05:32:21 PM
Then this abuse from this IP? -> https://urlhaus.abuse.ch/url/312103/
Consider vulners: https://www.shodan.io/host/34.240.96.52
Consider: https://sitereport.netcraft.com/?url=ec2-34-240-96-52.eu-west-1.compute.amazonaws.com
More malware on that IP: https://urlhaus.abuse.ch/host/34.240.96.52/
Two engines that detect two hours ago:
Now 7 to detect: https://www.virustotal.com/gui/url/ccc5638922975d6894938f4e8f3f9f7d0795528b283577d305719aded7b9b0e8/detection
application/octet-stream

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 09, 2020, 06:18:57 PM
This one - active or inactive?

Re: https://www.abuseipdb.com/check/164.132.92.139
also https://safeweb.norton.com/report/show?url=164.132.92.139
and http://www.urlvir.com/search-host/164.132.92.139/
8 engines detect: https://www.virustotal.com/gui/url/10518fec43a7840e08eaca332b4d57533253eecb3b14aa85d6b52248cbb3d2c2/detection
Active as we find 29 detections for to-day:
https://www.virustotal.com/gui/ip-address/164.132.92.139/relations
ELF not yet detected by avast solutions Avast & Avast-Mobile
Read as background info https://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html
dated info from Pierluigi Paganini, but still actual in this context.

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 09, 2020, 08:00:50 PM
This  redirect scannable or not? -> https://urlscan.io/result/33f4b3be-7c0f-447a-9b7d-a9dab9d5c3a2/
Re: https://sitecheck.sucuri.net/results/myfavoritproducts.com
Re: https://webcookies.org/cookies/myfavoritproducts.com/28957879?993195
Re: https://observatory.mozilla.org/analyze/myfavoritproducts.com

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 11, 2020, 12:45:28 AM
CloudFlare abuse:

Scan for one of the two IP addresses of this malware spreading domain:
https://www.immuniweb.com/websec/?id=seNnmIwy

See detection: https://urlhaus.abuse.ch/url/312752/   

11 engines detect: https://www.virustotal.com/gui/url/8b675a12f8abfa7b34bd8a3fefa17e8211fce7ce82b891b72ab8fdbc0482007e/detection   

Various detections on IP: https://www.virustotal.com/gui/ip-address/104.27.133.24/relations

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 11, 2020, 05:58:37 PM
This encrypted RAT named RemcosRAT?

Re: https://urlhaus.abuse.ch/url/313090/

4 to detect 15 minutes ago: https://www.virustotal.com/gui/url/a773fe4df1abef3d9ccbf116dc3592d1062292f97fb4a0aa93e5318b188250e8/detection

IP detections (IP-relations) -> https://www.virustotal.com/gui/ip-address/77.81.121.23/relations

polonus


Title: Re: Already flagged for us?
Post by: polonus on February 13, 2020, 05:22:31 PM
Only one to detect this address: https://www.virustotal.com/gui/url/16b54dada7849723b29282a497821b358a62d9d4c424d725659a270148540ab0/detection
lampion malware abuse on amazonaws dot com: https://urlhaus.abuse.ch/url/313860/
More on this payload: https://urlhaus.abuse.ch/browse.php?search=3881c4bacf37f5a37b21f6dca7f12d7c8eb91e094dc17f1a9306d015006d48be
Netcraft threat rating 7 red out of 10: https://sitereport.netcraft.com/?url=https://vrau-x.s3.us-east-2.amazonaws.com
Temp. redirect: https://www.shodan.io/host/52.219.84.168
Read on lampion malcode: https://securityaffairs.co/wordpress/95731/malware/lampion-malware-targets-portugal.html
Quote
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket.
Quoted info source = Security Affair's Pierluigi Paganini.

polonus

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 16, 2020, 11:12:54 PM
This bitcoin miner already flagged?
See: -> IP - 209.141.53.115 -> https://urlhaus.abuse.ch/url/315087/
Consider weaknesses/vulners here: https://www.shodan.io/host/209.141.53.115
but  avast detects as Win32:Trojan-gen, so we are being protected: https://www.virustotal.com/gui/file/da0e03db41ed9c91208c9d5be533d041d9165e5fb51f36a7588a4d6e3c8b1c41/detection

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 25, 2020, 07:11:35 PM
Where we found it: URL Haus
Dateadded (UTC)   Malware URL   Status   Tags   Reporter
2020-02-25 17:51:18   -http://marthagrp.com/2019w2_PDF.zip   Online      @JayTHL
2020-02-25 17:51:14   -http://marthagrp.com/Client-built_76FF.exe   Online      @JayTHL
2020-02-25 17:51:12   -http://marthagrp.com/Client-built_encrypted_A25...   Online      @JayTHL
2020-02-25 17:51:08   -http://marthagrp.com/Tax-document.zip   Online      @JayTHL
2020-02-25 17:51:05   -http://marthagrp.com/Tax-Documents_PDF.zip   Online      @JayTHL
On domain: https://urlhaus.abuse.ch/host/marthagrp.com/  On IP and vulners: https://www.shodan.io/host/192.99.245.102
Blacklisted: https://sitecheck.sucuri.net/results/marthagrp.com
Malcode on IP related: https://www.virustotal.com/gui/ip-address/192.99.245.102/relations

polonus
Title: Re: Already flagged for us?
Post by: polonus on February 26, 2020, 11:21:48 PM
An IP to block -> https://urlhaus.abuse.ch/url/319187/
See: https://www.shodan.io/host/91.217.2.120
Scanning abuse: https://viz.greynoise.io/ip/91.217.2.120
See: https://www.abuseipdb.com/check/91.217.2.120?page=3
Listed: http://www.nothink.org/honeypots/honeypot_telnet_blacklist_2019.txt

polonus (volunteer 3rd party cold recon website security analyst & website error-hunter)
Title: Re: Already flagged for us?
Post by: polonus on March 04, 2020, 03:47:38 PM
Where we have seen it being reported: https://urlhaus.abuse.ch/url/321484/
8 engines now detect: https://www.virustotal.com/gui/url/c201af0ce1cae7ae6215cd0e209c87bf20bf1f8c5e012cddf262ee3fc126d16b/detection
x-msdos-program being flagged - /directx.dll
More directions seen at IP-relations for that particular domain: https://www.virustotal.com/gui/ip-address/64.227.10.227/relations

polonus
Title: Re: Already flagged for us?
Post by: polonus on March 10, 2020, 12:11:51 AM
Blocked as a PHISH by MBAM Browser Guard extension: -shell-storm.org
Website blocked due to phishing
Website blocked: -shell-storm.org

Malwarebytes Browser Guard blocked this website because it may contain malware activity.
We strongly recommend you do not continue.

Also consider the detections at VT with 6 detected URLs: https://www.virustotal.com/gui/ip-address/178.79.135.109/relations

pol