Gorynych/DiamondFox (hosted in Hungary Budapest Doclerweb Kft)

Thanks to Xylitol for panels and executables. Panels : hxxp://computergraphics.in/ hxxp://my-right.fr/ hxxp://bntnl.com/ Files : PO_37263_pdf.com > bntnl.com/Diamond/Panel/post.php?pl=&slots=1 HTTP/1.1 Xylitol posted a vid with the vulnerability of the Panel. Now the ruski behind this shit updated the panel. Hosting infos : http://whois.domaintools.com/80.77.123.90

KUKU v4.08 beta(Malware hosted in Germany Dortmund 1&1 Internet Ag)

Another version from this malware some domains changed. makemegood24.com 213.165.83.176 1453eea.makemegood24.com 74.208.153.9 aaakemegood24.com 146.148.34.125 ww11.aaakemegood24.com 166.78.106.200 abakemegood24.com 50.21.181.152 acakemegood24.com 74.208.164.166 adakemegood24.com 74.208.153.9 aeakemegood24.com 87.106.20.192 afakemegood24.com perfectchoice1.com 193.166.255.171 1459e2b.perfectchoice1.com 193.166.255.171 All hosts 74.208.164.166 87.106.253.18 54.210.47.225 166.78.106.200 87.106.20.192 213.165.83.176 87.106.250.34 193.166.255.171 URL’S http://1453eea.makemegood24.com/?1453eea=21315306&id=212331279066 GET /?1453eea=21315306&id=212331279066 HTTP/1.1 User-Agent: KUKU v4.08 beta =212331279066 Host: 1453eea.makemegood24.com Cache-Control: no-cache http://perfectchoice1.com/?1459c9a=21339290&id=212331279066 GET

gohome.cathosting.ninja(IRC botnet hosted in Netherlands Roosendaal Nforce Entertainment B.v.)

Thanks to the anonymous guy  who send me the executable. Domains used from the botnet to connect to the server : gohome.cathosting.ninja IRC connection : 188.209.49.76:6667 Files downloaded from the botnet : URL: hxxp://sunnyamk.com/biox.exe URL: hxxp://sunnyamk.com/11111111111111111111111111111111111111111.exe URL: hxxp://sunnyamk.com/qVQLzrpnA7D1X3KwCPse4y00hP6aHIXyiQiyyhlX.exe All Domains : Domain Address Country www.sunnyamk.com 188.209.49.76 Romania sunnyamk.com 188.209.49.76 Romania gohome.cathosting.ninja 188.209.49.76 Romania Samples here.

jdsiwiqweiqwyreqwi.com (Kasidet aka Neutrino bot)

Thnx to Xylitol for the name of the bot. Contacts domains details     “34324325kgkgfkgf.com”     “dsffdsk323721372131.com”     “fdshjfsh324332432.com”     “jdsiwiqweiqwyreqwi.com” Runs shell commands details     “cmd /c C:UsersPSPUBWSAppDataLocalTemp243765.bat” “C:38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11” on 2015-6-6.13:57:14.679 Dropped files details     “UserInfo.dll” has type “PE32 executable (DLL) (GUI) Intel 80386, for MS Windows”    

KUKU406beta(Malware stealing passwords hosted in Germany Dortmund 1&1 Internet Ag)

This is spreading through torrents and cracks and looks like passwd stealer. Domains and ip’s used : makemegood24.com         213.165.83.176 e710e2.makemegood24.com 87.106.20.192 aaakemegood24.com         146.148.34.125 ww11.aaakemegood24.com 166.78.106.200 abakemegood24.com         74.208.153.9 acakemegood24.com         87.106.20.192 adakemegood24.com         213.165.83.176 aeakemegood24.com         74.208.164.166 afakemegood24.com perfectchoice1.com