Month: April 2012

queerbag.com (Andromeda bot hosted in France, Paris, Ovh Systems)

Samples were provided by the anonymous contributor in this post: http://www.exposedbotnets.com/2012/04/img196-imageshackushttp-malware-hosted.html
Resolved : [queerbag.com] To [188.165.212.101]
Control panel here: http://queerbag.com/jow1z/ (you need a user:pass to log in).
Two exe samples are in this directory: http://queerbag.com/bot/
ourbot.exe connects to port 8000 TCP.
UPDATE: There is another domain name used by this file:
Resolved : [ugnazi.com] To [176.31.237.84]

aaa1adasadasda444.net (Andromeda HTTP bot hosted in Czech Republic, Prague, Casablanca Int)

This is one of the samples uploaded by our anonymous friend in this post: http://www.exposedbotnets.com/2012/04/img196-imageshackushttp-malware-hosted.html
Resolved : [aaa1adasadasda444.net] To [217.11.251.173]
The control panel is here: aaa1adasadasda444.net/admin/image.php
Credits go to the anonymous guy for providing the samples.
Hosting info: http://whois.domaintools.com/217.11.251.173

eu.triplemining.com (Bitcoin miner malware hosted in Belgium, Ict Ventures Bvba/sprl)

This is the second Belgian hoster found hosting malware, which is not good lol. Again another great contribution from our anonymous friend. I call it malware because it uses infected machines to do what it does. The Bitcoin miner is downloaded from here: gwassnet.co.cc/NoTouch.exe
It connects via svchost2.exe with the command line: svchost2.exe -o http://eu.triplemining.com:8344 -u trap258_gwas -p himom 111 0

img196-imageshack.us (Andromeda HTTP malware hosted in voxility.net)

This is another contribution from our anonymous friend. The sample here http://dl.dropbox.com/u/73806662/testandro.exe connects to img196-imageshack.us/pannel/image.php. To have access to this panel you need a user:passwd here: imageshack.us/pannel/ feel free to brute it 🙂
From the VirusTotal scan, the file testandro.exe appears to be FUD. There is another file downloaded, dl.dropbox.com/u/76205929/rk.cmd.dll, which from the name looks like a rootkit.

jers1.info (ngrBot hosted in Peru, Datos)

Resolved : [jers1.info] To [208.83.233.195]
C&C Server: 208.83.233.195:1889
Server Password:
Username: wbunlkj
Nickname: n{DE|XPa}wbunlkj
Channel: #cpx (Password: nuifkr)
Channeltopic: :~pu http://hotfile.com/dl/154232487/a95dd91/27abril.exe 4ad089d45ca43ecc9d99e93215e03f6f ~s -o ~s
Downloaded URLs: http://199.7.177.220/dl/154232490/3b415ce/jhgfrrr.exe (hotfile.com)
Hosting info: http://whois.domaintools.com/208.83.233.195

3.aa.am (ngrBot hosted in Netherlands, Amsterdam, Ecatel Ltd)

Resolved : [3.aa.am] To [80.82.66.234]
Remote Host Port Number: 3.aa.am 9835
Local users: Current Local Users: 710 Max: 1954
Global users: Current Global Users: 710 Max: 1954
NICK {US|XPa|x86}cxtrpuo
USER {US|XPa|x86}cxtrpuo 0 0 :{US|XPa|x86}cxtrpuo
JOIN #new
JOIN #bull
Now talking in #new
Modes On: [ #new ] [ +sntl 75 ]
Joins: {DE|W7a|x86}hssdpli [~DEW7ax8@nig-6B825AA6.superkabel.de]
hosting

94.23.98.55 (Linux bots hosted in Spain, Madrid, Ovh Systems)

The bot used by the hackers:

<?
/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password>                    //login to the bot
 * .logout                             //logout of the bot
 * .die                                //kill the bot
 * .restart                            //restart the bot
 * .mail <to> <from> <subject> <msg>   //send an email
 * .dns

128.204.202.111 (ngrBot hosted in Netherlands, Amsterdam, Snel Internet Services B.v)

Remote Host Port Number: 128.204.202.111 6667
PASS nopw
NICK n{US|XPa}ubnrkxy
USER ubnrkxy 0 0 :ubnrkxy
PONG :92C7705D
JOIN #ngr# ngrBot {NL|W7p}psvawzp) !v
Quits: {NL|W7p}psvawzp [net-217320@E4422491.8D3F578B.324BA75E.IP] (User has been permanently banned from Codeleak (gtfo.))
lol, sniffers already in. The hacker running this net (boing7898@rox-F8ED71C3.ip61.fastwebnet.it): Boing * ~#ngr# #codeleak * irc.codeleak.com :Codeleak's IRC * is away (Playing

122 MB of samples for analysis purposes

This package contains 122 MB of samples. Inside you have different IRC bot samples (Insomnia, unencrypted), banking trojans, worms, etc. Only for analysis purposes.
Download