Author Topic: Already flagged for us?  (Read 3262 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
« Last Edit: February 09, 2020, 05:56:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #2 on: February 09, 2020, 06:18:57 PM »
This one - active or inactive?

Re: https://www.abuseipdb.com/check/164.132.92.139
also https://safeweb.norton.com/report/show?url=164.132.92.139
and http://www.urlvir.com/search-host/164.132.92.139/
8 engines detect: https://www.virustotal.com/gui/url/10518fec43a7840e08eaca332b4d57533253eecb3b14aa85d6b52248cbb3d2c2/detection
Active as we find 29 detections for to-day:
https://www.virustotal.com/gui/ip-address/164.132.92.139/relations
ELF not yet detected by avast solutions Avast & Avast-Mobile
Read as background info https://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html
dated info from Pierluigi Paganini, but still actual in this context.

polonus
« Last Edit: February 09, 2020, 06:26:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #4 on: February 11, 2020, 12:45:28 AM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #5 on: February 11, 2020, 05:58:37 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #6 on: February 13, 2020, 05:22:31 PM »
Only one to detect this address: https://www.virustotal.com/gui/url/16b54dada7849723b29282a497821b358a62d9d4c424d725659a270148540ab0/detection
lampion malware abuse on amazonaws dot com: https://urlhaus.abuse.ch/url/313860/
More on this payload: https://urlhaus.abuse.ch/browse.php?search=3881c4bacf37f5a37b21f6dca7f12d7c8eb91e094dc17f1a9306d015006d48be
Netcraft threat rating 7 red out of 10: https://sitereport.netcraft.com/?url=https://vrau-x.s3.us-east-2.amazonaws.com
Temp. redirect: https://www.shodan.io/host/52.219.84.168
Read on lampion malcode: https://securityaffairs.co/wordpress/95731/malware/lampion-malware-targets-portugal.html
Quote
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket.
Quoted info source = Security Affair's Pierluigi Paganini.

polonus

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #7 on: February 16, 2020, 11:12:54 PM »
This bitcoin miner already flagged?
See: -> IP - 209.141.53.115 -> https://urlhaus.abuse.ch/url/315087/
Consider weaknesses/vulners here: https://www.shodan.io/host/209.141.53.115
but  avast detects as Win32:Trojan-gen, so we are being protected: https://www.virustotal.com/gui/file/da0e03db41ed9c91208c9d5be533d041d9165e5fb51f36a7588a4d6e3c8b1c41/detection

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #8 on: February 25, 2020, 07:11:35 PM »
Where we found it: URL Haus
Dateadded (UTC)   Malware URL   Status   Tags   Reporter
2020-02-25 17:51:18   -http://marthagrp.com/2019w2_PDF.zip   Online      @JayTHL
2020-02-25 17:51:14   -http://marthagrp.com/Client-built_76FF.exe   Online      @JayTHL
2020-02-25 17:51:12   -http://marthagrp.com/Client-built_encrypted_A25...   Online      @JayTHL
2020-02-25 17:51:08   -http://marthagrp.com/Tax-document.zip   Online      @JayTHL
2020-02-25 17:51:05   -http://marthagrp.com/Tax-Documents_PDF.zip   Online      @JayTHL
On domain: https://urlhaus.abuse.ch/host/marthagrp.com/  On IP and vulners: https://www.shodan.io/host/192.99.245.102
Blacklisted: https://sitecheck.sucuri.net/results/marthagrp.com
Malcode on IP related: https://www.virustotal.com/gui/ip-address/192.99.245.102/relations

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #9 on: February 26, 2020, 11:21:48 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #10 on: March 04, 2020, 03:47:38 PM »
Where we have seen it being reported: https://urlhaus.abuse.ch/url/321484/
8 engines now detect: https://www.virustotal.com/gui/url/c201af0ce1cae7ae6215cd0e209c87bf20bf1f8c5e012cddf262ee3fc126d16b/detection
x-msdos-program being flagged - /directx.dll
More directions seen at IP-relations for that particular domain: https://www.virustotal.com/gui/ip-address/64.227.10.227/relations

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Already flagged for us?
« Reply #11 on: March 10, 2020, 12:11:51 AM »
Blocked as a PHISH by MBAM Browser Guard extension: -shell-storm.org
Website blocked due to phishing
Website blocked: -shell-storm.org

Malwarebytes Browser Guard blocked this website because it may contain malware activity.
We strongly recommend you do not continue.

Also consider the detections at VT with 6 detected URLs: https://www.virustotal.com/gui/ip-address/178.79.135.109/relations

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!