Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on October 07, 2010, 09:59:49 pm

Title: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By
Post by: eoin.miller on October 07, 2010, 09:59:49 pm
Don't know what kind this is, and it's not in any list either currently.

Also, this netblock = evil:
85.234.190.0/24

http://cruelgay.ru/zmb/index.php - drive by
Title: Re: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By
Post by: MysteryFCM on October 07, 2010, 11:41:14 pm
http://wepawet.cs.ucsb.edu/view.php?hash=2125ac85a8ea07f4db1dd58960a785fa&type=js
Title: Re: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By
Post by: SysAdMini on October 08, 2010, 06:14:13 am
It's a Zombie kit.

http://www.malwaredomainlist.com/forums/index.php?topic=4241.msg18535#msg18535
Title: Re: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By
Post by: Amishrabbit on October 08, 2010, 05:01:55 pm
Payloads:

08fd53e0ece9f84f.jar   73cfe10de2d0fd6f6bb064a17a970b1b (http://www.virustotal.com/file-scan/report.html?id=b9be1fe179d092b12c3c2aade637452bea32b548107931b4489444a093ffd087-1286466299) (JAR downloader)
bb84cc1695aa5a51.pdf   22fc8c57a7287b3a7c87fb001c95df64 (http://www.virustotal.com/file-scan/report.html?id=7592201f2ff076b57888e032e66faeaee87d1b95a397aadd1b66acb0d72d5300-1286480282) (PDF downloader)

load.php.exe   3c462c74a90cd3496b89baf4dc647fc2 (http://www.virustotal.com/file-scan/report.html?id=fd5ddc4efd8a1de4a259f35576eeb9efced08345a4b1d8344ef44d3503f2002e-1286556240) (Oficla/Sasfis/Tacticlol) (origin: hxxp://cruelgay.ru/zmb/load.php?f=1&e=4 (http://www.robtex.com/dns/cruelgay.ru.html)) which drops
   goap.cmo   55b7bdfcd6af5ef36106ce21030aa3e0 (http://www.virustotal.com/file-scan/report.html?id=1871998a4e935b5e6bf16b998ad91109348507f4aab8e627f36b27cb7aa20199-1286556957)  (Oficla/Sasfis/Tacticlol)

15.tmp   7b9d1d6254044186478dd1cfa6f5cb74 (http://www.virustotal.com/file-scan/report.html?id=2befb909791285bf4be4634bac2d5aba2d97bcdf945effeb0e1e50742925cd35-1286557011)  (Hiloti) (origin: hxxp://imlady.ru/atx.exe) which drops
   msraufte.dll   7bba413842d21cd09377e5ac40998cd9 (http://www.virustotal.com/file-scan/report.html?id=723c2422e0521bb2cbe8bc609c59983387d0c36ba22ecf354ec5d3f8066aba8e-1286557069) (Hiloti/Virtumonde)

CnC:

hxxp://mylote.com/test/bb.php (http://www.robtex.com/dns/mylote.com.html)

Alternate CnC:

hxxp://asusmac.org/original/s.php (http://www.robtex.com/dns/asusmac.org.html)
Title: Re: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By
Post by: eoin.miller on October 08, 2010, 06:07:05 pm
It's a Zombie kit.

http://www.malwaredomainlist.com/forums/index.php?topic=4241.msg18535#msg18535

The /zmb/ in the URI now makes a lot of sense. Thanks all!