gigasbh.org (IRC Botnet Hosted In France Paris 1&1 Internet Ag)

Domains

    Domain           IP
    f.eastmoon.pl    148.81.111.101
    s.richlab.pl     148.81.111.101
    gigasbh.org      82.165.129.253

IRC Traffic

    >> NICK {USA-XPx86a}cwecttyo
    >> USER cwectty 7949 7840 :cwectty
    >> MODE {USA-XPx86a}cwecttyo +iwG
    >> JOIN #sp yap
    >> PING 422 MOTD
    << 332 {USA-XPx86a}cwecttyo #sp :
    << 333 {USA-XPx86a}cwecttyo #sp x 1436609273
    >> PONG 422
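A defender-side heuristic for the check-in shown in the capture above, as an added example that is not part of the original post: it flags a client session whose nick follows the {country-OS}random template and which also sets its own user modes or joins a keyed channel. The generalised nick regex, the function name and the benign comparison session are assumptions of this example.

```python
import re

# Nick shape seen in the capture on this page: {USA-XPx86a}cwecttyo.
# Generalising it to any country/OS tag is an assumption of this example.
BOT_NICK = re.compile(r"^\{[A-Z]{2,3}-[A-Za-z0-9]+\}[a-z]{4,16}$")

# Client-to-server lines from the capture above (direction markers removed).
CAPTURED = [
    "NICK {USA-XPx86a}cwecttyo",
    "USER cwectty 7949 7840 :cwectty",
    "MODE {USA-XPx86a}cwecttyo +iwG",
    "JOIN #sp yap",
    "PONG 422",
]

# Constructed benign session, for comparison only.
BENIGN = ["NICK alice", "USER alice 0 * :Alice", "MODE alice +i", "JOIN #linux"]


def check_session(lines):
    """Return (flagged, reasons) for the client side of one IRC session."""
    nick, templated, reasons = None, False, []
    for line in lines:
        parts = line.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args:
            nick = args[0]
            if BOT_NICK.match(nick):
                templated = True
                reasons.append("templated nick " + nick)
        elif cmd == "MODE" and len(args) >= 2 and args[0] == nick \
                and args[1].startswith("+"):
            # Weak signal alone: ordinary clients also set modes on themselves.
            reasons.append("self-set user mode " + args[1])
        elif cmd == "JOIN" and len(args) >= 2:
            # Weak signal alone: a second JOIN argument is a channel key.
            reasons.append("keyed join to " + args[0])
    # Require the templated nick plus at least one supporting signal.
    return templated and len(reasons) >= 2, reasons


if __name__ == "__main__":
    for name, session in (("captured", CAPTURED), ("benign", BENIGN)):
        print(name, check_session(session))
```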

197.85.182.110 (Trojan Emotet hosted in South Africa Cape Town Mweb Connect (proprietary) Limited)

Spawned process “cmd.exe” with commandline “/c C:/winclient.au3” (UID: 00009516-00001892)

AutoIt strings inside; maybe this malware is also coded in AutoIt.

Injected into “CCleaner.exe” at 2015-7-2.14:59:47.395 (UID: 00009516-00000996)

Contacts very many different hosts: “197.85.182.110:8080” “162.144.35.78:8080” “158.255.238.209:8080” “198.1.122.176:8080” “119.59.124.163:8080” “200.159.128.132:8080” “88.208.228.111:8080” “162.144.88.73:8080” “103.245.153.70:8080” “103.228.200.37:8080”

POSTs files to a webserver:

    POST /b215de35/f5665861/ HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (compatible;

upd.upd4ter.com (malware hosted in Spain Madrid Propelin Consulting S.l.u.)

Contacts domains: upd.upd4ter.com

Contacts server: 93.189.33.108:80

In general it steals passwords from browsers and gets all the information from the infected machines.

    GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version=1.1.9.15182&user_registry=0&user_id=&user_hdd=&user_hdd_volume=&user_mac=&user_mb=&user_bios=&user_os=6.1&user_os_arch=&user_cpu=&user_win_identifier=&process_parent=&user_browsers=&user_default_browser=&user_date=&user_vm=&user_antivirus=s)%20Available.&user_dotnet=&channel=&partner=&aff_id= HTTP/1.1
    User-Agent: NSIS_ToolkitOffers (Mozilla)
    Host: upd.upd4ter.com
    Cache-Control: no-cache

Sample here

Hosting info: http://whois.domaintools.com/93.189.33.108