Is this being blocked for us?

Saw connections out to proxdevtool dot com.
Re: https://otx.alienvault.com/indicator/domain/proxdevcool.com
& https://any.run/report/7ed8f1aa848dc1ec0c355ba7269c9f799b8d56da4cc0983670f5c45d62e2b34b/7224d412-b1ab-4848-8cd8-8738e31f7dc9
& https://hybrid-analysis.com/sample/243e4816414487543312cd01abfca23f546918d01eb53f082c22e61f5da36f6d?environmentId=100
consider: https://www.robtex.com/dns-lookup/proxdevcool.com
& https://www.virustotal.com/gui/url/691de8d415fe718a79a5747288b9de0325f293a5246e7667f228a454789bcb09/detection
& https://www.joesandbox.com/analysis/143737/0/executive

polonus

How come I get these “green” results here? → https://urlscan.io/result/4d94b842-9ab4-4183-9f8b-9019ce03f458
See: https://www.shodan.io/host/23.111.228.4
Website servers dot com is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping.

All trackers
At least 10 third parties know you are on this webpage.

- www.servers.com
- shaaaaaaaaaaaaa.com
- s3.amazonaws.com
- proxdevcool.com
- portal.servers.com
- Google
- www.googletagmanager.com
- static-resource.com
- cdn-javascript.net
- code.jivosite.com

Tracker could be tracking safely if this site was secure.

polonus

Another one and where we have found it: https://urlhaus.abuse.ch/host/modcloudserver.eu/
Re: https://app.any.run/tasks/d7263bfb-3b62-4d5a-81e6-e60dbeb7f9b6/
Re: https://cybercrime-tracker.net/index.php?search=modcloudserver.eu/anyisouth/panel/admin.php
Re: https://www.azorult-tracker.net/s/asn/AS50673
& https://www.virustotal.com/gui/ip-address/104.237.252.50/detection
& https://www.virustotal.com/gui/ip-address/104.237.252.50/relations

pol

A check should always start with … is it up or down? :wink: https://downforeveryoneorjustme.com/proxdevcool.com

Hi Pondus,

If only it were that easy.

Main http(s) site is down and/or blocked, but occasionally bad malware URIs come from that domain IP.
Malware does not last long on average; after a couple of hours it may be gone.
Persistent malcode is seldom seen, or it might be spread by/from a bulletproof hoster.

This one is up now or was some hour ago: https://www.virustotal.com/gui/url/845c7983126bf74ac652b1645dc54801cf528dc1547eb290ab5fdccbf9fa132d/detection

15 engines detect; alas, Avast did not.

IP kicking up malware, also for mentioned domain:
https://www.virustotal.com/gui/ip-address/88.218.16.218/relations
considering the vulnerabilities at the hoster in Dronten: https://www.shodan.io/host/88.218.16.218
See the flaws there and know that Bootstrap is a can of worms that is exploitable big time.

Malware is being taken down as soon as it is reported and flagged;
that does not mean the IP is not kicking up new malware like GuLoader and Loki.

polonus