Resolved: [] To: []
Resolved: [] To: []
Resolved: [] To: []
(not active now)
Server:
Server Password:
Username: jhdkutg
Nickname: n{DE|XPa}jhdkutg
Channel: #bon2 (Password: speedd)
Channel topic: :~pu hxxp:// f931d3eb10db2822e2f5d0b989e2a5b4 ~s -o ~s
Download URLs:
hxxp:// (
hxxp:// (
hxxp:// (
hxxp:// (
hxxp:// (
Hosting infos:

(Andromeda http botnet hosted by

Resolved to:
Server:
Gate file: /http/image.php
Additional domains:
(Missing gate file, hosted at
(Pointed at
(Missing gate file, hosted at
All of these are mystical’s domains, used for various nefarious purposes in the past. A quick Google shows that he’s been loading onto this

(Andromeda http botnet hosted by

Resolved to:
Server:
Gate file: /admin/hippo/image.php
Bitcoin mining info:
A previously posted Andromeda botnet had a similar folder path to the gate file.
Hosting infos:

(Smoke loader http botnet proxied by cloudflare)

Resolved to: , (Cloudflare IPs)
Server: ,
Alternate domain: (currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses Cloudflare to help host his botnet. Maybe this time they’ll do something about it?
Hosting infos:
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding:

(ngrbot irc botnet hosted by

Resolved to:
Server: (Alternate domains
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is:
Topic for #jobs set by h at Sat Feb 23 19:28:30 2013
This is the same bot, port and spreading method as a previously posted botnet. However, that one had been sinkholed, so it appears

(Pony loader and Zeus banking malware hosted by

Resolved to:
Pony Server:
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and Andromeda bot. The server seems to be down at the moment, most likely due to ZeuS Tracker posting the Zeus bot I located on the same IP.
Zeus Server:
Gate file: /forum/33/gate.php
Config file:

(Ginemo winlocker hosted by

Resolved to:
I saw Malekal tweet that someone was using an exploit kit on to distribute Andromeda. I had already posted the Andromeda, and had suspected that it was the cracked version. I just entered the gate info into the builder, ran the build and watched it download this.
Server:
Gate:

(Citadel banking malware hosted by

Gate file:
Config droppers (appear to be compromised sites):
On WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.
Sample is located here
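As an added example, not the blog's own code or tooling, here is the set of indicators these posts collect (the gate-script paths and the IRC channel, key, server password and port settings) turned into a small matcher that runs over proxy and IRC session logs. Hosts and IPs are redacted in the posts, so it keys on paths and IRC parameters only. The two log formats, every sample line, `example.invalid` and the 10.0.0.0/8 and 198.51.100.0/24 addresses are constructed placeholders for the example. Two caveats it builds in: `image.php` and `index.php` are ordinary file names, so only POSTs to the exact gate path count as a beacon, and an IRC session is flagged only when the channel key or server password from the post is present too, since a `#jobs` channel on its own proves nothing (port 1863 is also the legacy MSN Messenger port, so the ngrbot rule checks password and port together).

```python
"""Match proxy and IRC session logs against the C2 indicators in the posts above.

Added example, not the blog author's code. Gate paths, IRC channels, passwords
and the port come from the posts; hosts and IPs are redacted there, so the
matcher keys on paths and IRC parameters only. Log formats and sample lines
are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# HTTP gate scripts named in the posts, keyed to the family each belonged to.
GATE_PATHS: Dict[str, str] = {
    "/http/image.php": "andromeda",
    "/admin/hippo/image.php": "andromeda",
    "/admin/index.php": "smokeloader",
    "/forum/pony/gate.php": "pony",
    "/forum/33/gate.php": "zeus",
}

# IRC settings named in the posts. Each rule needs the channel plus whatever
# key, server password or port the post listed; the channel name alone is too
# weak an indicator (anyone can run a #jobs channel).
IRC_IOCS: List[Dict[str, str]] = [
    {"family": "irc-bon2", "channel": "#bon2", "chan_pass": "speedd"},
    {"family": "ngrbot", "channel": "#jobs", "server_pass": "jobs", "port": "1863"},
]

# Constructed formats: "<ts> <client> <METHOD> <url> <status>" for the proxy and
# "<ts> <client> -> <server>:<port> <IRC command> <args>" for the IRC sniffer.
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
IRC_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (PASS|NICK|USER|JOIN) (.*)$")


def gate_hit(line: str) -> Optional[dict]:
    """Alert on a POST to a known gate path. GETs are ignored: the bots POST,
    and a GET of /admin/index.php is usually just someone's admin page."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    _ts, client, method, url, _status = m.groups()
    # Keep only the script path: drop scheme, host and query string.
    path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
    family = GATE_PATHS.get(path)
    if family is None or method != "POST":
        return None
    return {"client": client, "family": family, "evidence": f"POST {path}"}


def irc_hits(lines: List[str]) -> List[dict]:
    """Rebuild each (client, server, port) session, then test it against IRC_IOCS."""
    sessions: Dict[tuple, dict] = defaultdict(lambda: {"server_pass": None, "joins": {}})
    for line in lines:
        m = IRC_RE.match(line)
        if not m:
            continue
        _ts, client, server, port, cmd, arg = m.groups()
        sess = sessions[(client, server, port)]
        parts = arg.split()
        if cmd == "PASS" and parts:
            sess["server_pass"] = parts[0]
        elif cmd == "JOIN" and parts:          # JOIN <channel> [<key>]
            sess["joins"][parts[0]] = parts[1] if len(parts) > 1 else None
    alerts = []
    for (client, server, port), sess in sessions.items():
        for ioc in IRC_IOCS:
            chan = ioc["channel"]
            if chan not in sess["joins"]:
                continue
            if "chan_pass" in ioc and sess["joins"][chan] != ioc["chan_pass"]:
                continue
            if "server_pass" in ioc and sess["server_pass"] != ioc["server_pass"]:
                continue
            if "port" in ioc and port != ioc["port"]:
                continue
            alerts.append({"client": client, "family": ioc["family"],
                           "evidence": f"IRC {server}:{port} JOIN {chan}"})
    return alerts


def scan(proxy_lines: List[str], irc_lines: List[str]) -> List[dict]:
    """Run both matchers and return every alert in log order."""
    alerts = [a for a in (gate_hit(l) for l in proxy_lines) if a]
    alerts.extend(irc_hits(irc_lines))
    return alerts


# Constructed sample traffic; example.invalid and the addresses are placeholders.
SAMPLE_PROXY = [
    "2013-02-24T10:01:00 10.0.0.5 POST http://example.invalid/forum/pony/gate.php 200",
    "2013-02-24T10:01:05 10.0.0.6 GET http://example.invalid/admin/index.php 200",
    "2013-02-24T10:01:07 10.0.0.7 POST http://example.invalid/admin/hippo/image.php?id=1 200",
    "2013-02-24T10:01:09 10.0.0.8 GET http://example.invalid/images/logo.png 200",
]
SAMPLE_IRC = [
    "2013-02-24T10:00:01 10.0.0.5 -> 198.51.100.7:1863 PASS jobs",
    "2013-02-24T10:00:01 10.0.0.5 -> 198.51.100.7:1863 NICK n{US|XPa}abcdefg",
    "2013-02-24T10:00:02 10.0.0.5 -> 198.51.100.7:1863 JOIN #jobs",
    "2013-02-24T10:05:00 10.0.0.9 -> 198.51.100.8:6667 JOIN #bon2 speedd",
    "2013-02-24T10:06:00 10.0.0.11 -> 198.51.100.9:6667 JOIN #jobs",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY, SAMPLE_IRC):
        print(alert)
```

On the sample data the matcher flags the Pony and Andromeda POSTs, the ngrbot session (PASS jobs on port 1863, then JOIN #jobs) and the keyed #bon2 join, and stays quiet on the GET of /admin/index.php and on the unkeyed #jobs join from 10.0.0.11. When the redacted hosts are available, adding a host check to both rules is the obvious tightening.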

