Malware distribution @217.69.139.110

The host at this IP address (217.69.139.110) is either operated by cybercriminals or hosting compromised websites that are being used to distribute malware:

http://sputnikmailru.cdnmail.ru/mailruhomesearch.exe?rfr=811550

AS number: AS47764
AS name: MAILRU-AS Mail.Ru
Hostname: msk1.cdnmail.ru

Published
Filed under mail.ru

AgentTesla botnet controller @95.163.212.79

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

AgentTesla botnet controller located at 95.163.212.79 on port 80 (using HTTP POST):
hXXp://nortonlilly.info/emma/inc/a92079a4564cf9.php

$ dig +short nortonlilly.info
95.163.212.79
$ nslookup 95.163.212.79
79.mcs.mail.ru

Published
Filed under mail.ru

Malware distribution @94.100.180.110

The host at this IP address (94.100.180.110) is either operated by cybercriminals or hosting compromised websites that are being used to distribute malware:

http://sputnikmailru.cdnmail.ru/mailruhomesearch.exe?rfr=811550

AS number: AS47764
AS name: MAILRU-AS Mail.Ru
Hostname: msk2.cdnmail.ru

Published
Filed under mail.ru

Loki and AgentTesla botnet controllers @89.208.196.209

===== Updated 2020-02-08 to include SBL477579. =====

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Loki botnet controller located at 89.208.196.209 on port 80 (using HTTP POST):
hXXp://expertisem.net/agutaz/direct/pushin/fre.php

$ dig +short expertisem.net
89.208.196.209
$ nslookup…

Published
Filed under mail.ru

Loki botnet controller @95.163.208.143

The host at this IP address is running a malware botnet controller which is being used to control infected computers (bots) around the globe using a trojan horse.

Loki botnet controller located at 95.163.208.143 on port 80 (using HTTP POST):
hXXp://shehig.com/ig3/fre.php

$ dig +short shehig.com
95.163.208.143
$ nslookup 95.163.208.143
143.mcs.mail.ru

Published
Filed under mail.ru

spam emitter @87.239.106.46

Received: from domrf-win-ad.domrf.ru (87.239.106.46 [87.239.106.46]) by [] with SMTP id []; Wed, 5 May 2021 01:3x:xx -0700 (PDT)
Received: from [51.89.157.6] ([51.89.157.6]) by domrf-win-ad.domrf.ru with Microsoft SMTPSVC(10.0.17763.1); Wed, 5 May 2021 08:1x:xx +0000
Subject: Re: Investment Opportunity
From: "Hello Friend" <user@rcit.by>
Date: Wed, 05 May 2021 01:1x:xx -0700
Reply-To: 039876467@tomsk.ru

Dear Friend, I have an…

Published
Filed under mail.ru

Emotet malware distribution @5.101.180.182 [compromised website]

The host at this IP address is hosting a website that has been compromised by threat actors to distribute Emotet (aka Heodo) malware. The following URL is hosting a webshell that is being accessed by the threat actors programmatically to place malware on the website:

URL: http://restoran-energy.ru/wp-content/uploads/2020/12/JST10x.php
Host: restoran-energy.ru
IP address: 5.101.180.182
Hostname: s7277bff9.fastvps-server.com

Published
Filed under fastvps.ee

Emotet malware distribution @185.4.74.148 [compromised website]

The host at this IP address is hosting a website that has been compromised by threat actors to distribute Emotet (aka Heodo) malware. The following URL is hosting a webshell that is being accessed by the threat actors programmatically to place malware on the website:

URL: http://shop.shriyantra.ru/wp-content/plugins/js_composer/config/JST10x.php
Host: shop.shriyantra.ru
IP address: 185.4.74.148
Hostname: sb9044a94.fastvps-server.com

Published
Filed under fastvps.ee

Emotet malware distribution @5.101.180.182 [compromised website]

The host at this IP address is hosting a website that has been compromised by threat actors to distribute Emotet (aka Heodo) malware. The following URL is hosting a webshell that is being accessed by the threat actors programmatically to place malware on the website:

URL: http://victory-spb.ru/wp-content/plugins/google-sitemap-generator/img/JST10x.php
Host: victory-spb.ru
IP address: 5.101.180.182
Hostname: s7277bff9.fastvps-server.com

Published
Filed under fastvps.ee

Malware distribution @5.45.124.211

The host at this IP address is currently being used to distribute malware.

Malware distribution located here:
hXXp://readinglistforaugust9.club/raccon.exe

$ dig +short readinglistforaugust9.club
5.45.124.211
$ nslookup 5.45.124.211
sa8461b72.fastvps-server.com

Referencing malware binaries (MD5 hash):
01525ed7bcb76477e0a2c97c0abe41a7 — AV detection: 26 / 67 (38.81)
07b53c78a2e3f9133fbce0d1ee7c6376 — AV detection: 21 / 65 (32.31)
81fe60bb08d5b11117d89e774c631fa1 — AV detection: 23 / 69…

Published
Filed under fastvps.ee