I’ve been collecting and scanning all of the files that I see on Digital’s IRC,
and I’ve found that most of them are RATs that people have sent to Digital for i4i. They’re not worth a blog post each, so they tend to build up.
Since Vaporizer (the other guy on the IRC, who is really into bitcoins; see here for some of his mining info) is starting a botshop, I’m clearing out all of the RATs I’ve collected so far in anticipation of many more to come.
For each sample, here is the filename, the no-ip (dynamic DNS) hostname (some including the connection port), the IP address it resolved to, the ISP that IP belongs to, and what type of RAT it is.
File | DDNS host (port) | Resolved IP (whois) | Country, city, ISP | RAT type
969d8e_bot.exe | bshadesnew.no-ip.info | http://whois.domaintools.com/75.66.18.241 | United States, Memphis, Comcast Cable Communications Holdings Inc | Blackshades
1327837790.sazzzzzzz.exe | mercimoh.dyndns.org:1534 | http://whois.domaintools.com/41.143.23.38 | Morocco, Ip Adsl Maroctelecom | Ipkiller
807769910.NEW (1).exe | kozheer12.no-ip.org | http://whois.domaintools.com/31.52.214.27 | United Kingdom, Bt Public Internet Service | Blackshades
  Bonus IP leak from the IRC:
  <Kozziy> .dl http://CENSORED/807769910.NEW.exe
  * Kozziy (kozheer@0wn3d-FA45B74D.range31-52.btcentralplus.com) has left #insomnia
446621847.update.exe | flodark.no-ip.org:1604 | http://whois.domaintools.com/87.91.79.27 | France, Paris, Bouygues Telecom S.a. | Darkcomet
PerfectSwagON.exe | 96.225.134.222:82 | http://whois.domaintools.com/96.225.134.222 | United States, Norfolk, Verizon Online Llc | Blackshades
1948299771.ratt.exe | teamvapor.no-ip.org:1607 | http://whois.domaintools.com/98.88.219.69 | United States, Covington, Asm Adsl Cbb | Darkcomet
1877727608.ipkiller.exe | bluntshf.no-ip.org:1605 | http://whois.domaintools.com/216.189.179.88 | United States, Miami Beach, Atlantic Broadband | Ipkiller
ab59e4_bot.exe | thexrhostbooter82.no-ip.info | http://whois.domaintools.com/75.66.18.241 | United States, Memphis, Comcast Cable Communications Holdings Inc | Hostbooter
561536284.b41d08b612bc4d6b4db5a81c83295320.exe | cleanhost.no-ip.biz | http://whois.domaintools.com/74.105.111.87 | United States, Newark, Verizon Online Llc | Hostbooter
Itunes Gift Card Gen.exe | vitmini.no-ip.org | http://whois.domaintools.com/97.96.48.6 | United States, Parrish, Road Runner Holdco Llc | -
  Didn't even buy installs. Vapor just tried to give his shitty youtube some views with the bots. See it yourself here: https://www.youtube.com/watch?v=ih1zNxqm2D4
newepic.exe | ownage.no-ip.info:1604 | http://whois.domaintools.com/94.169.41.151 | United Kingdom, Woking, Virgin Media Limited | Darkcomet
BsVapor.exe | veprex.no-ip.org:35000 | http://whois.domaintools.com/72.20.13.123 | United States, Bradley, Staminus Communications | Blackshades (bot label: Vapor)
java.exe | bollebof.no-ip.org:1604 | http://whois.domaintools.com/85.191.115.22 | Netherlands, Lelystad, Cybercomm Bv | Darkcomet
test (2).exe | dsafdsasd.servepics.com | http://whois.domaintools.com/72.20.13.124 | United States, Bradley, Staminus Communications | Darkcomet
Facebook Hack.exe | medoseleman.zapto.org:1604 | http://whois.domaintools.com/41.236.214.120 | Egypt, Te Data | Darkcomet
Diablo.exe | javadriveby.no-ip.org:81 | http://whois.domaintools.com/83.87.11.209 | Netherlands, Den Haag, Ziggo B.v. | Blackshades (bot label: Torrent)
other.exe | balnet.no-ip.org:3334 | http://whois.domaintools.com/93.139.105.57 | Croatia, Zagreb, Hrvatski Telekom D.d. | Blackshades (bot label: balnet)
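As an added example (not part of the original post and not the author's tooling), a small Python check that matches outbound-connection log lines against the C2 hostnames listed above and also flags any other host on the dynamic-DNS providers those C2s use; the log format and the log lines are constructed for the demo.

```python
import re
from collections import namedtuple

# C2 hostnames and RAT families copied from the list above (a subset).
KNOWN_C2 = {
    "bshadesnew.no-ip.info": "Blackshades",
    "flodark.no-ip.org": "Darkcomet",
    "teamvapor.no-ip.org": "Darkcomet",
    "bluntshf.no-ip.org": "Ipkiller",
    "medoseleman.zapto.org": "Darkcomet",
    "balnet.no-ip.org": "Blackshades",
}
# Dynamic-DNS suffixes used by the C2 hosts in the collection.
DDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz",
                 ".dyndns.org", ".zapto.org", ".servepics.com")

Hit = namedtuple("Hit", "src dst port reason")
# Assumed (constructed) log format: "<timestamp> <src ip> -> <dst host>:<dst port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")

def classify(line):
    """Return a Hit for a suspicious connection line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than crash
    dst, port = m["dst"].lower(), int(m["port"])
    if dst in KNOWN_C2:
        return Hit(m["src"], dst, port, "known C2 (%s)" % KNOWN_C2[dst])
    if dst.endswith(DDNS_SUFFIXES):
        # Unknown DDNS host: worth a look, more so on a non-web port.
        kind = "dynamic-DNS host" + ("" if port in (80, 443) else ", non-web port")
        return Hit(m["src"], dst, port, kind)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines, keeping only hits."""
    return [h for h in map(classify, lines) if h is not None]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2012-06-14T21:03:11 10.0.0.17 -> flodark.no-ip.org:1604
2012-06-14T21:03:15 10.0.0.17 -> www.example.com:443
2012-06-14T21:04:02 10.0.0.23 -> somebody.no-ip.biz:1605
2012-06-14T21:05:40 10.0.0.23 -> pictures.servepics.com:80
garbage line
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("%s -> %s:%d  %s" % h)
```

Feed it real proxy or firewall export lines by adjusting LINE_RE; the known-C2 dictionary is the part worth keeping current as the collection grows.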
The RATs
Sample link 1
Sample link 2
Admin - June 15, 2012 at 3:10 am
Very nice. 66.190.21.165 is another residential RAT host; used for Blackshades at the least. Bonus points if anyone can guess whose home IP it is.
Anonymous - June 15, 2012 at 2:16 pm
Can you get a sample and make a report on http://exploit.in/forum/index.php?showtopic=59759 ?
Pig - June 15, 2012 at 4:54 pm
Provide more info about this thread.
The language is Russian and I don't have a user:pass to log in there.
Anonymous - June 19, 2012 at 4:03 am
Whoever posted this is retarded. "Vapor just tried to give his shitty youtube some views with the bot." Vapor doesn't even have a youtube channel.