jdsiwiqweiqwyreqwi.com (Phishing malware hosted in Bosnia And Herzegovina Banja Luka Blicnet D.o.o.)

Domains used by the malware:


HTTP Requests:


POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host: jdsiwiqweiqwyreqwi.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)


Hosting infos:
http://whois.domaintools.com/ botnet hosted in Netherlands Amsterdam Ecatel Ltd)

Botnet found by sPy.

Only the server and port are listed here, no channels, because there is no exe file to inspect for more details.
Feel free to check for channels yourself.

Connecting to (6667)

Invisible Users 12: 12 3554
Operators: 2 operator(s) online
Channels: 12 channels formed
Clients: I have 3555 clients and 0 servers
Local users: 3555 29989 Current local users 3555, max 29989
Global users: 3555 15450 Current global users 3555, max 15450

Hosting infos:

Linux Botnet Hosted In blackunix.us

This is the bot used to scan for vulnerabilities:

Now talking in #botnets
Topic On : [ #botnets ] [ hajar irc.predone.cz dan irc.drogs.pl ]
Topic By : [ uyap ]
Modes On : [ #botnets ] [ +smntrMuk fcuked ]

The Bot is hosted here hxxp://visionafricamagazine.com/scripts/x.log

onetimes27s.com(Reverse Dns Bot hosted in Russian Federation Saint Petersburg Majordomo Llc)

This package was posted on a hacking board as an HTTP bot.
After checking the file, here are the results:

Domains used :

hoseen454r.com inactive
onetimes27s.com active

Resolved : [ onetimes27s.com ] To [ ]

hxxp://  password protected

Sample here

Hosting infos:

gki2mpdt3rsokbmv.onion (Irc botnet hosted on a Tor hidden service)

Server:  gki2mpdt3rsokbmv.onion
Port:  6667
Channel:  #channel

[wac] (wac@9bedb2.host): ac
[wac] #channel
[wac] lair.hell.net :Cerberus Server
[wac] idle 00:00:18, signon: Tue May 13 18:24:47
[wac] End of WHOIS list.

The owner must have used very old bot code to create this, as it fails to work properly on Windows 7 and higher.

Related md5s (Download sample from Malwr.com)
Ircbot: c94783e10995197f9177e6c72ae53e6a