#NetSupport RAT dropped by #GCleaner Pay-Per-Install (PPI) campaign
Payload URLs:
https://urlhaus.abuse.ch/url/2693412/
https://urlhaus.abuse.ch/url/2693420/
Botnet C2 domains:
https://threatfox.abuse.ch/ioc/1143951/
https://threatfox.abuse.ch/ioc/1143952/
Botnet C2 server hosted at Vultr (US):
https://threatfox.abuse.ch/ioc/1143953/
Lots to look at... this #gcleaner drops all manner of junk... including a recent (Dec 13) #cryptbot
https://app.any.run/tasks/a2c31fa0-84f5-4b3f-a982-c96b5d94f2ef/#
https://app.any.run/tasks/54a6b1cf-db6b-4003-9f82-f3d81907b19b
c2: luaobe32[.]top
Dear #GCleaner - just because you use "itsnotmalware" in your URL path, it doesn't mean that you are actually not malware
Sample:
https://bazaar.abuse.ch/sample/bdb90c7af0a4383b5d6fbd83c4f9ccdd6c2a80bf396cb1da85fe21ed9c6f0093/
GCleaner botnet C2:
https://threatfox.abuse.ch/ioc/1021151/