220.181.87.80 (Trik v2.5 bot by snk, hosted in China, Beijing, Chinanet Beijing Province Network)

Thanks to Xylitol for sending me the first sample and helping to find out more about this botnet.
The net is probably more than 100k bots, and you can't connect via mIRC; I don't know if you can with HexChat.
But here we are: this time snk protected this bot with the Steganos Live Encryption Engine.
snk was always a DDoSing lamer, but now he's into ransomware; he's trying hard to join crim and other lamers in jail.

C:UserssDesktopHomeCodeTrik v2.5ReleaseTrik.pdb (PDB path left in the binary), snk's coding area, lol.

Server: 220.181.87.80:5050

IRC Traffic:

>> NICK `|USA|XP|32|A|tefwonv
>> USER x "" "x" :x
>> PING 422 MOTD
<< 002 002
<< 003 003
<< 004 004
<< 005 005
<< 005 005
<< 005 005
>> JOIN #trik (null)
<< 332 `|USA|XP|32|A|tefwonv #trik :.j #t
<< 333 `|USA|XP|32|A|tefwonv #trik x 1462660625
>> PONG 422
>> JOIN #t (null)
<< 332 `|USA|XP|32|A|tefwonv #t :.d x |108|99|111|113|29|41|56|66|116|111|65|77|84|104|113|111|100|120|118|115|102|82|77|118|44|99|110|97|48|113|122|121|64|106|106|34|115|32|67|89|120|
<< 333 `|USA|XP|32|A|tefwonv #t x 1462806539
>> PING :x.x
>> PONG :x.x
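As an added example (not code from the original post), a small Python parser for the exchange above: it pulls the dot-commands out of the 332 topic replies (the `.j` join and the `.d` download order) and flags the Trik-style nick format, which is the thing a defender would alert on in IRC logs. The numeric blob after `.d` is kept as raw integers, since the post does not give its encoding, and the traffic is the capture above embedded as a constructed sample.

```python
import re

# Constructed sample, copied from the capture above (not a live feed).
SAMPLE_TRAFFIC = """\
>> NICK `|USA|XP|32|A|tefwonv
>> USER x "" "x" :x
>> JOIN #trik (null)
<< 332 `|USA|XP|32|A|tefwonv #trik :.j #t
<< 333 `|USA|XP|32|A|tefwonv #trik x 1462660625
>> JOIN #t (null)
<< 332 `|USA|XP|32|A|tefwonv #t :.d x |108|99|111|113|29|41|56|66|116|111|65|77|84|104|113|111|100|120|118|115|102|82|77|118|44|99|110|97|48|113|122|121|64|106|106|34|115|32|67|89|120|
<< 333 `|USA|XP|32|A|tefwonv #t x 1462806539
"""

# Trik-style nick: backtick, pipe-separated tags (country, OS, ...), random lowercase tail.
BOT_NICK_RE = re.compile(r"^`\|[A-Z]{2,3}(?:\|[A-Za-z0-9]+)*\|[a-z]{6,}$")
# RPL_TOPIC (332) as logged above: "<< 332 <nick> <#chan> :<topic>"
TOPIC_RE = re.compile(r"^<<\s+332\s+(\S+)\s+(#\S+)\s+:(.*)$")
# The numeric blob after ".d" ("|108|99|...|"); its encoding is not known, so it is kept as ints.
BLOB_RE = re.compile(r"\|(?:\d+\|)+")

def is_bot_nick(nick: str) -> bool:
    return BOT_NICK_RE.match(nick) is not None

def parse_topic_commands(traffic: str) -> list:
    """Return one record per 332 reply whose topic starts with a dot-command."""
    found = []
    for line in traffic.splitlines():
        m = TOPIC_RE.match(line.strip())
        if not m:
            continue
        nick, chan, topic = m.groups()
        if not topic.startswith("."):
            continue
        blob = BLOB_RE.search(topic)
        tokens = BLOB_RE.sub("", topic).split()   # command and plain args only
        found.append({
            "nick": nick,
            "bot_nick": is_bot_nick(nick),
            "channel": chan,
            "cmd": tokens[0],          # ".j" (join) or ".d" (download) in this capture
            "args": tokens[1:],
            "encoded": [int(n) for n in blob.group(0).strip("|").split("|")] if blob else None,
        })
    return found

if __name__ == "__main__":
    for rec in parse_topic_commands(SAMPLE_TRAFFIC):
        print(rec["channel"], rec["cmd"], rec["args"], "bot nick" if rec["bot_nick"] else "")
```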

Domains connected to this botnet:

host5050.ru
host5051.ru
ouefuguefhuwuhs.ru
uwgfusubwbusswf.ru
oeuuguhwugfuuws.ru

Samples:

sbox://www.combatnano.com.tw/img/s.exe
sbox://www.combatnano.com.tw/img/ss.exe
sbox://www.combatnano.com.tw/img/sss.exe
sbox://www.combatnano.com.tw/img/t8.exe
hxxp://davenportelectric.com/images/c.exe (Cerber ransomware)

UPDATE:
News from our friend snk.

Now 15 talking in #haus#
Topic On : [ #haus# ] [ .d x |108|99|111|113|29|41|56|31|39|55|18|16|10|54|58|44|47|39|43|63|102|21|20|59|103|120|100| .d u |108|99|111|113|29|41|56|31|39|55|18|16|10|54|58|44|47|39|43|63|102|21|20|59|103|120|100| ]
Topic By : [ x ]

:`|USA|dzyetyjl!x@ns3068794.ip-193-70-47.eu JOIN :#ranrun:x.x 332 `|USA|dzyetyjl #ranrun :.d x |108|99|111|113|29|41|56|31|39|55|18|16|10|54|58|44|47|39|43|63|96|65|74|59|103|120|100|:x.x 333 `|USA|dzyetyjl #ranrun x 1520309113V

Trik sample:
hxxp://92.63.197.38/tran.exe

Ransomware sample:
hxxp://92.63.197.38/ran.exe

Other samples:

hxxp://220.181.87.80/k.exe
hxxp://220.181.87.80/b80.exe
hxxp://92.63.197.38/t50.exe
hxxp://92.63.197.38/tran.exe
hxxp://92.63.197.38/M.EXE
hxxp://92.63.197.38/get.exe
hxxp://92.63.197.38/t2.exe

Hosting info:
http://whois.domaintools.com/220.181.87.80


3 Comments

Anonymous - June 20, 2016 at 6:52 am

Sup

Ian French - July 3, 2017 at 5:21 am

Does the real bv1 know you're posting as him? Why would you even want to do that?

Ian French - July 3, 2017 at 5:23 am

Have fun in jail.
