MosaicLoader Malware

Researchers uncovered another malware family that is delivered to victims through paid ads. The malware uses a distinctive technique to stay undetected: it hides among Windows Defender exclusions by adding two files or processes, prun.exe and appsetup.exe, to the local list of Windows Defender exclusions. It is named ‘MosaicLoader’ for two reasons: its internal structure aims to confuse the reverse-engineering process, and it uses a unique strategy to evade detection. In this article, we cover some details about the malware and how MosaicLoader evades security detection.

Summary Of MosaicLoader Malware:

“MosaicLoader malware is basically a downloader that can deliver any payload to the infected system. It is seemingly delivered through paid ads in search results designed to lure users looking for cracked software to infect their devices. Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, from simple cookie stealers to cryptocurrency miners or more complex ones, such as the Glupteba Backdoor.”

Victims Of MosaicLoader Malware:

The MosaicLoader malware campaign doesn’t appear to be targeted at a specific country, region, organization, community, or group. It simply ran paid ads across the globe. Users who search for cracked versions of software on search engines are the most likely to be hit by MosaicLoader. We can say that the malware mostly trapped personal computers.

How Does MosaicLoader Malware Evade Security Detection?

Here are some of the techniques used to evade security detection:

  1. Authors used similar icons and version numbers to mimic the legitimate software.
  2. Threat actors used revoked digital signatures in the malware to look legitimate.
  3. The malware hides among Windows Defender local exclusions to stay undetected.
  4. The code is heavily obfuscated, and this technique makes code hard to follow while reverse-engineering.

How Do Users Get Infected With MosaicLoader Malware?

The execution flow of the MosaicLoader malware is quite linear.

  1. The first strategy of MosaicLoader malware is to create downloaders whose icons and Version Info resemble those of legitimate applications.
  2. Threat actors have been distributing the downloaders over the internet in the name of cracked software. Authors have leveraged the use of web ads to boost downloads to catch more victims.
  3. The infection chain starts when a user downloads the archives that pretend to contain cracked software installers. In fact, users download droppers that download payloads with several other malware strains.
  4. The dropper downloads update-assets.zip from the C2 server (checkblanco[.]xyz) into the %TEMP% folder. The zip file has two files, appsetup.exe and prun.exe, which are required for the second stage.
  5. Then, the dropper extracts these two files to C:\Program Files (x86)\PublicGaming\ and launches several instances of PowerShell to exclude those files from Windows Defender.
  6. The dropper then downloads the payload from the C2 servers. The researchers noticed that attackers used the same IP in the campaign but with different domain names.
  7. Attackers use this payload to download further dangerous malware, such as malware sprayers, which deploy anything from cookie stealers to cryptocurrency miners and even more advanced threats like Glupteba.

| Hash | File Name | Observations |
|---|---|---|
| bb716a5d50965860f206a33e36d9da1f | app.exe | Glupteba, a highly evasive backdoor |
| 1375e48217af7c4163b9a2217fc24c6e | askinstall39.exe | Facebook cookie stealer, accesses login cookies from browsers to steal them |
| 6c1c7791e34c671a8e825d0be36cb327 | cpu-only.exe | XMRig, cryptocurrency miner |
| 6d7603e4fd4d633cae7eaee0f1029a17 | customer2.exe | Facebook cookie stealer |
| 07f79b595254bd60ccec7561e858de35 | ebook.exe | Icecream ebook reader installer, bundled with other PUA |
| 5f779714f8fd23f8fb05d77d443654c7 | file3.exe | Glupteba |
| ae4cdb7ae62dc3767a89f001fdc007e3 | file4.exe | PowerShell dropper, runs a PowerShell script that obtains persistence on the system and runs downloaded payloads |
| aed57d50123897b0012c35ef5dec4184 | jooyu.exe | CookieStealer, searches for any login-related cookies in browser data |
| 9ea1aec6d8637acf9f85cc082a42a3b5 | KiffApp2.exe | Presenoker adware |
| 8acd95006ac6d1eabf37683d7ce31052 | liguifang.exe | AsyncRAT, communicates with gamegame[.]info, has keylogging capabilities |
| b749832e5d6ebfc73a61cde48a1b890b | setup.exe | Facebook cookie stealer |
| 0e5031e35b67b14892cb05b35fd734aa | Setup2.exe | An installer that bundles together some of the files from this table (liguifang, file4, customer2) |
| 90e50b8feebbf1c998de62de795aa4b1 | SX.x.exe | Glupteba |
| 99484984e25a738b6a09a59b50abe93c | v2.exe | XMRig, cryptocurrency miner |
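
Step 5 of the infection chain depends on Windows Defender exclusions, so auditing them is a direct check for this behaviour. The script below is an added example, not code from the original research; it assumes an elevated PowerShell session and uses Defender's operational log, where event ID 5007 records configuration changes.

```powershell
# Added example: audit Windows Defender exclusions for the second-stage files.
# Run elevated; Defender hides exclusion values from non-administrators.
$dir   = 'C:\Program Files (x86)\PublicGaming'   # extraction folder named in the article
$names = 'prun.exe', 'appsetup.exe'              # excluded files named in the article

function Test-Suspect([string]$text) {
    # True when the text references the folder or either file name.
    if ($text -like "*$dir*") { return $true }
    foreach ($n in $names) { if ($text -like "*$n*") { return $true } }
    return $false
}

# Current state: path and process exclusions configured right now.
$pref    = Get-MpPreference
$current = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }
$current | Where-Object { Test-Suspect $_ } |
    ForEach-Object { "CURRENT exclusion: $_" }

# History: event 5007 logs each Defender configuration change, so an exclusion
# that was added and later removed still shows up here.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*\Exclusions\*' -and (Test-Suspect $_.Message) } |
    Select-Object TimeCreated,
        @{ n = 'Change'; e = { (($_.Message -split "`r?`n") -match 'Exclusions') -join '; ' } }
```

Any exclusion that no administrator deliberately configured deserves investigation, whether or not it matches these names.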

Appsetup.exe:

Appsetup.exe adds a new registry value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Prun that will point to the other component of the second stage, C:\Program Files (x86)\PublicGaming\prun.exe. Appsetup.exe creates a service called pubgame-updater, which runs periodically to make sure the registry key exists. The service will create the registry key if it gets cleaned up.
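
The persistence artifacts described above can be checked on a host with the following script. It is an added example, not code from the original research; the registry value, service name and folder are the ones given in this article, and it assumes an elevated PowerShell session.

```powershell
# Added example: look for the persistence artifacts described in this article.
$dir      = 'C:\Program Files (x86)\PublicGaming'
$svcName  = 'pubgame-updater'
$findings = @()

# Run value "Prun": the article places it under HKCU, so check every loaded
# user hive rather than only the hive of the account running this script.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name 'Prun' -ErrorAction SilentlyContinue).Prun
    if ($val) { $findings += "Run value Prun in $($hive.Name) -> $val" }
}

# Service that restores the Run value when it is deleted.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    $findings += "Service $($svc.Name): $($svc.State), $($svc.StartMode), $($svc.PathName)"
}

# Second-stage binaries, with MD5 for lookup against published indicators.
foreach ($n in 'prun.exe', 'appsetup.exe') {
    $p = Join-Path $dir $n
    if (Test-Path -LiteralPath $p) {
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $findings += "File $p (MD5 $md5)"
    }
}

if ($findings) { $findings } else { 'None of the listed artifacts were found.' }
```

Because the service re-creates the Run value, cleanup has to stop and remove the service before deleting the registry value.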

prun.exe:

prun.exe is used to guard the payload. It obfuscates the data and breaks it into smaller chunks, which makes the code hard to follow while reverse-engineering. prun.exe also uses a few anti-debugging techniques. It keeps the CPU busy during execution. Another anti-debugging trick that might discourage some reverse-engineers is spamming lots of exceptions that trap the execution to the debugger.

Recommendations To Prevent MosaicLoader Malware Infections:

  1. Don’t download any cracked software or cracker executables from any source.
  2. Always check the source domain of every download to make sure that the files are legitimate.
  3. Keep your antimalware and other security solutions up to date.

MosaicLoader MITRE ATT&CK Matrix

| Tactic | Techniques |
|---|---|
| Execution | User Execution: Malicious File |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Modify System Process: Windows Service |
| Defense Evasion | Masquerading: Invalid Code Signature; Process Injection: Process Hollowing; Deobfuscate/Decode Files or Information |
| Collection | Audio Capture; Clipboard Data; Data from Local System; Input Capture: Keylogging; Man in the Browser; Screen Capture; Video Capture |
| Command and Control | Application Layer Protocol: Web Protocols |
| Exfiltration | Exfiltration Over C2 Channel |
| Impact | Defacement; Resource Hijacking |

Mosaicloader Indicators of Compromise:

Hashes:

Downloaders

Appsetup.exe

Prun.exe

All SHA256 hashes that communicate with the C2:

URLs:


IP Address:

195.181.169.92

Thanks for reading this post. Please be aware of malware like MosaicLoader, which pretends to be free cracked software. Please share this post and create awareness against malware campaigns.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
