Resolved : [vnclimitedrun.in] To [199.59.166.86]
remote server: vnclimitedrun.in TCP port 443
Get sample here
What this sample does:
Creates and executes scripts
Creates files in windows system directory
Deletes self
Injects code into other processes
Registers dynamic link libraries
Hosting info:
http://whois.domaintools.com/199.59.166.86
Zazu - July 1, 2012 at 4:16 pm
Here's an exposed botnet, Pig.
DNS: anastasia.servequake.com
DNS Provider: http://www.no-ip.com/
DNS resolved: 37.59.129.195
Port: 50111
Server Password: l33thack
Channel #choi
Bot Master's Nickname: andrew
Hosted By: http://www.vpsdeploy.com/
Location: Spain
Sample: https://dl.dropbox.com/u/9386997/andrew1.exe
Sample Status: The sample seems to be encrypted and is fully undetected as of this post
IRCd: UnrealIRCd M0dded by uNkn0wn Crew
Nick Style: n{RU|W7-64a}ueyhnql
Bot Type: Insomnia 2.5.0
Amount of bots: Approximately ~200
Key Bot Functions: Chrome password stealer, Firefox password stealer, FTP password stealer, Several DDoS types, Twitter spread and USB spread
Needed To Run: .NET Framework 2.0 or higher
Image of the bot channel (bots' point of view): http://i.imgur.com/XOOaw.jpg
Found and reported by Zazu
Pig - July 1, 2012 at 6:39 pm
Thank you, Zazu, for this report. I opened a new thread with your post here: http://www.exposedbotnets.com/2012/07/anastasiaservequakecominsomnia-250-bot.html
Have fun, and feel free to report botnets every time.