Hi Michael (alan1998),
Whatever you mention there, it is a known fact that this IP source is spreading pharma spam and performing brute-force attacks.
No two ways about it, whatever new domains are being created for that specific reason, residing on:
- 159.148.186.238 (159.148.186.128/25)
- AS 200709 (SIA Bighost.lv)
- LV
Through another search query result, the malware spreading from that particular IP is still alive and kicking, even though the malware spreading for one particular domain stays under 24 hrs or less:
score 15.67769
  htxps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
  created 15 days ago / modified 15 days ago
  Malware site - Hybrid-Analysis
  contacted_host: 159.148.186.238 (contacted_host.keyword: 159.148.186.238)

score 11.441689
  hxtp://dgd-pharma.com/chinchilla.html
  created 14 days ago / modified 14 days ago
  Malware site - Hybrid-Analysis
  contacted_host: 159.148.186.238 (contacted_host.keyword: 159.148.186.238)

score 1
  159.148.186.238
  created 15 days ago / modified 14 days ago
  Mail Spammer - Barracuda; Malware site - Hybrid-Analysis

score 1
  yourherbsvalue.eu
  created 14 days ago / modified 14 days ago
  Malware site - Hybrid-Analysis
and for one of these domains a further analysis report ->
Sample information
  Antivirus detections: 0
  IDS alerts: 0
  Processes: 3
  Http events: 0
  Contacted hosts: 2
  DNS Requests: 4
  Malware site - malicious
  Score: 8
Hashes
  Filename: hxtps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
  md5: 2b5bd8ab2b4923084d6c33c257c3a459
  sha1: ff7d12f5a166bfe7e86fc3d161eb9f8c132d313d
  sha256: 4993c660586612ac5175f9ebade58b8dec3b0edd95328fd731fd4a6978200c65
Dates
  Indexed: Sun Nov 03 2019 17:45:04 GMT+0100 (15 days ago)
  Last modified: Sun Nov 03 2019 17:45:04 GMT+0100 (15 days ago)
Network contacts
  DNS Requests
  - isrg.trustid.ocsp.identrust.com
  - ocsp.int-x3.letsencrypt.org
  - peto.magicherbssale.com
  - rechtsanwalt-chyla.de
  Contacted Hosts
  - 80.150.6.143
  - 159.148.186.238
Process list
  uid: 00097840-00002720
  commandline: "%WINDIR%\System32\ieframe.dll",OpenURL C:\4993c660586612ac5175f9ebade58b8dec3b0edd95328fd731fd4a6978200c65.url
  name: rundll32.exe
  normalizedpath: %WINDIR%\System32\rundll32.exe
  sha256: 3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670

  uid: 00097998-00004004
  commandline: hxtps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
  name: iexplore.exe
  normalizedpath: %PROGRAMFILES%\Internet Explorer\iexplore.exe
  sha256: 8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba

  uid: 00098026-00003892
  commandline: SCODEF:4004 CREDAT:275457 /prefetch:2
  name: iexplore.exe
  normalizedpath: %PROGRAMFILES%\Internet Explorer\iexplore.exe
  sha256: 8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba
Info source provided by maltiverse's repository for malware researchers.
General conclusion, i.m.h.o.: everything coming from this particular IP should be blocked a.s.a.p.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
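An added illustration, not part of polonus's post and not Maltiverse or Hybrid-Analysis tooling: a small Python script that parses the Hybrid-Analysis process list exactly as it is pasted above (alternating key and value lines), checks destination addresses against the 159.148.186.128/25 range and the domains named in the post, and runs that check over a few constructed proxy log lines. The log format (timestamp, client, destination IP, host) and the log lines themselves are assumptions made for this example; the indicators are the ones quoted in the post.

```python
import ipaddress
import re

# Indicators taken from the Maltiverse / Hybrid-Analysis output quoted in the post.
BLOCKED_NETWORK = ipaddress.ip_network("159.148.186.128/25")
# Domains the post lists as spam/malware sites or as sandbox DNS requests to them.
# The two OCSP responders in the DNS list are benign certificate checks and are left out.
FLAGGED_DOMAINS = {
    "rechtsanwalt-chyla.de",
    "dgd-pharma.com",
    "yourherbsvalue.eu",
    "peto.magicherbssale.com",
}

# The process list as pasted in the post: one key line, then one value line,
# with a new record starting at every "uid" key.
PROCESS_LIST_TEXT = r"""uid
00097840-00002720
commandline
"%WINDIR%\System32\ieframe.dll",OpenURL C:\4993c660586612ac5175f9ebade58b8dec3b0edd95328fd731fd4a6978200c65.url
name
rundll32.exe
normalizedpath
%WINDIR%\System32\rundll32.exe
sha256
3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670
uid
00097998-00004004
commandline
hxtps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
name
iexplore.exe
normalizedpath
%PROGRAMFILES%\Internet Explorer\iexplore.exe
sha256
8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba
uid
00098026-00003892
commandline
SCODEF:4004 CREDAT:275457 /prefetch:2
name
iexplore.exe
normalizedpath
%PROGRAMFILES%\Internet Explorer\iexplore.exe
sha256
8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba
"""


def parse_process_list(text):
    """Turn the alternating key/value lines into a list of per-process dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for key, value in zip(lines[0::2], lines[1::2]):
        if key == "uid":          # every "uid" opens a new process record
            records.append({})
        records[-1][key] = value
    return records


def ip_is_blocked(ip):
    """True if the address falls inside the /25 the post recommends blocking."""
    return ipaddress.ip_address(ip) in BLOCKED_NETWORK


def host_is_flagged(host):
    """True for a flagged domain or any of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def flagged_urls_in_processes(records):
    """(process name, host) pairs for command lines that name a flagged host.
    Accepts defanged schemes such as hxtp:// and hxxp:// as well as http(s)://."""
    found = []
    for rec in records:
        for host in re.findall(r'h[a-z]{2,3}ps?://([^/\s"]+)', rec.get("commandline", "")):
            if host_is_flagged(host):
                found.append((rec["name"], host))
    return found


# Constructed proxy log lines for the example (not from the post):
# timestamp, client address, destination address, host header.
SAMPLE_PROXY_LOG = [
    "2019-11-18T10:01:02Z 10.0.0.15 159.148.186.238 peto.magicherbssale.com",
    "2019-11-18T10:01:05Z 10.0.0.15 93.184.216.34 example.com",
    "2019-11-18T10:02:11Z 10.0.0.22 159.148.186.200 shop.yourherbsvalue.eu",
    "2019-11-18T10:03:40Z 10.0.0.31 159.148.186.100 unrelated.example",
]


def flag_log_lines(lines):
    """Return (line, reason) for every line whose destination is in the /25
    or whose host matches a flagged domain; the last sample line hits neither,
    because .100 lies below the .128/25 boundary."""
    hits = []
    for line in lines:
        _ts, _client, dst_ip, host = line.split()
        reasons = []
        if ip_is_blocked(dst_ip):
            reasons.append("destination in " + str(BLOCKED_NETWORK))
        if host_is_flagged(host):
            reasons.append("host matches flagged domain")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    print(flagged_urls_in_processes(parse_process_list(PROCESS_LIST_TEXT)))
    for line, why in flag_log_lines(SAMPLE_PROXY_LOG):
        print(why, "<-", line)
```

Of the three processes, only the second one carries the flagged host: the first entry is the sandbox opening the submitted .url file through rundll32 and ieframe.dll, as its command line shows, so the contacted host and the domain are the useful indicators rather than that launcher process.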