These suspicious domains had been noticed in the PDNS system for a long time, but it was only weeks ago that we found a new method to map these domains to the target MD5. Domains sampled on Aug 07, 2016:
DNS queries from malware sample [55c447191d9566c7442e25c4caf0d2fe], very similar to the domains in the list above:
So, really looking forward to reverse engineering this binary and feeding back the implementation of the DGA, so that we can filter out these malicious domains in the PDNS system.
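A PDNS-side filter for the pattern described in this issue, added here as an example (not code from the repository or from the reporter): it matches 16-character labels that contain both letters and digits under the observed TLDs, then flags clients that issue several such queries, since a DGA-infected host queries many of them in a short time. The PDNS log line format, the 10.0.0.x client addresses and the domain labels below are constructed assumptions.

```python
import re

# Shape described in the issue: 16 characters mixing a-z and 0-9 under one of the
# TLDs seen in the PDNS list and in the sample's own queries (com appears there).
SUSPECT_TLDS = {"org", "ru", "cn", "net", "info", "biz", "com"}
LABEL_RE = re.compile(r"^[a-z0-9]{16}$")


def is_suspect_domain(domain: str) -> bool:
    """True if the domain has exactly one 16-char [a-z0-9] label that mixes
    letters and digits, under one of the suspect TLDs."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    if tld not in SUSPECT_TLDS or not LABEL_RE.match(label):
        return False
    # "mix a-z and 0-9": a purely alphabetic or purely numeric label does not match
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def flag_clients(pdns_lines, threshold=3):
    """Count distinct suspect qnames per client over PDNS-style lines of the
    assumed form '<timestamp> <client_ip> <qname> <qtype>' and return
    {client: sorted suspect domains} for clients reaching the threshold."""
    hits = {}
    for line in pdns_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than fail
        client, qname = fields[1], fields[2]
        if is_suspect_domain(qname):
            hits.setdefault(client, set()).add(qname.lower().rstrip("."))
    return {c: sorted(d) for c, d in hits.items() if len(d) >= threshold}


# Constructed sample PDNS lines: 10.0.0.5 queries three DGA-shaped names,
# 10.0.0.9 queries one DGA-shaped name and one 16-letter name with no digits.
SAMPLE_PDNS = """\
2016-08-07T10:00:01 10.0.0.5 k7x2mq9vbtr4lp0w.org A
2016-08-07T10:00:02 10.0.0.5 3zf8hj1n0qwer5ty.ru A
2016-08-07T10:00:02 10.0.0.5 www.example.com A
2016-08-07T10:00:03 10.0.0.5 p0o9i8u7y6t5r4e3.cn A
2016-08-07T10:00:04 10.0.0.9 abcdefghijklmnop.org A
2016-08-07T10:00:05 10.0.0.9 q1w2e3r4t5y6u7i8.net A
""".splitlines()

if __name__ == "__main__":
    print(flag_clients(SAMPLE_PDNS))
```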
suqitian changed the title from "From PDNS: A fix length of 16, mix a-z and 0-9, tlds: [org, ru, cn, net, info, biz]" to "Susp DGA from PDNS: A fix length of 16, mix a-z and 0-9, tlds: [org, ru, cn, net, info, biz]" on Aug 9, 2016
Running this sample in my VirtualBox, it drops a file named 4VJzegtSr.exe into the path C:\Windows\system\JkLtFzICS.
Double-click 4VJzegtSr.exe, wait a minute, and hundreds of domains will be seen in Wireshark.