RogueAV being served from [random].usr.sh

Old RogueAV tricks here. Requires the user to download and run an executable.

Examples:

bpikzecjc.usr.sh/index.php?c=RaDNOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvKheVQzm+YhzfWz1MPnw1S6zBdyf4dfgfzzfUlUAGn5anWyoM=
fvdzxnqdv.usr.sh/index.php?c=RaHNOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtrOheVQzm+YhzfWz1MPnw1S6zBdyf5NLR6nyPMnXQSm7azWyoM=
lcxfwik.usr.sh/index.php?c=RaWNOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvDheVQzm+YhzfWz1MPnw1S6zBdyf5KfpKgzeUvC1fxt6rRyoM=
zhejbalkdxr.usr.sh/index.php?c=RaXNOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtrOheVQzm+YhzfWz1MPnw1S6zBdyf4fKZegyK8lUAbxs6uDyoM=

HTTP Request Method = GET
HTTP URI contains “index.php?”
Regex HTTP URI for “\/index\.php\?[a-z]=[a-zA-Z0-9+\/]{80,}”
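
The three conditions above, applied to proxy-log style entries. This is an added example, not code from the original post. The regex uses the full base64 alphabet as its character class. The `.usr.sh` host check, the function names and all sample entries except the first URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# URI pattern from the post: one lowercase parameter name, then 80 or more
# characters of the base64 alphabet.
URI_RE = re.compile(r"/index\.php\?[a-z]=[A-Za-z0-9+/]{80,}")
HOST_SUFFIX = ".usr.sh"  # from the post's title; adding it to the check is an assumption

def matches_signature(method, url):
    """True when a request meets the post's three conditions on a usr.sh subdomain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname drops any port
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return (
        method.upper() == "GET"
        and host.endswith(HOST_SUFFIX)
        and "index.php?" in uri
        and URI_RE.search(uri) is not None
    )

def scan(requests):
    """Return the URLs from (method, url) pairs that match the signature."""
    return [url for method, url in requests if matches_signature(method, url)]

# Sample entries. The first URL is one of the post's examples; the rest are
# constructed for this example.
TOKEN = "Ab0+/" * 20  # constructed 100-character base64-alphabet value
SAMPLE = [
    ("GET", "bpikzecjc.usr.sh/index.php?c=RaDNOjEayDF925cOxP3ACC60zajgAjCTlcK0liAa"
            "KtvKheVQzm+YhzfWz1MPnw1S6zBdyf4dfgfzzfUlUAGn5anWyoM="),
    ("GET", "http://qwertyuiop.usr.sh/index.php?x=" + TOKEN),      # constructed hit
    ("POST", "http://qwertyuiop.usr.sh/index.php?x=" + TOKEN),     # wrong method
    ("GET", "http://qwertyuiop.usr.sh/index.php?id=42"),           # short value
    ("GET", "http://example.com/index.php?c=" + "A" * 90),         # other host
    ("GET", "http://qwertyuiop.usr.sh/index.php?page=" + TOKEN),   # multi-letter name
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("MATCH", hit)
```
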

See more examples on UrlQuery.net
