Author Topic: 85.234.190.22 - cruelgay.ru - Help Identifying Drive By  (Read 2885 times)


October 07, 2010, 09:59:49 pm

eoin.miller

Don't know what kind this is, and it's not in any list currently either.

Also, this netblock = evil:
85.234.190.0/24

http://cruelgay.ru/zmb/index.php - drive by

October 07, 2010, 11:41:14 pm
Reply #1

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 08, 2010, 06:14:13 am
Reply #2

SysAdMini

Ruining the bad guy's day

October 08, 2010, 05:01:55 pm
Reply #3

Amishrabbit

Payloads:

08fd53e0ece9f84f.jar   73cfe10de2d0fd6f6bb064a17a970b1b (JAR downloader)
bb84cc1695aa5a51.pdf   22fc8c57a7287b3a7c87fb001c95df64 (PDF downloader)

load.php.exe   3c462c74a90cd3496b89baf4dc647fc2 (Oficla/Sasfis/Tacticlol) (origin: hxxp://cruelgay.ru/zmb/load.php?f=1&e=4) which drops
   goap.cmo   55b7bdfcd6af5ef36106ce21030aa3e0  (Oficla/Sasfis/Tacticlol)

15.tmp   7b9d1d6254044186478dd1cfa6f5cb74  (Hiloti) (origin: hxxp://imlady.ru/atx.exe) which drops
   msraufte.dll   7bba413842d21cd09377e5ac40998cd9 (Hiloti/Virtumonde)

CnC:

hxxp://mylote.com/test/bb.php

Alternate CnC:

hxxp://asusmac.org/original/s.php
-=A
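The indicators in the two posts above (the 85.234.190.0/24 netblock from the opening post, and the MD5s, defanged hxxp:// origins and CnC URLs from Amishrabbit's reply) are easiest to act on once they are pulled into structured form and run against proxy logs and file hashes. The script below is an added example and is not code posted in this thread; the IoC text is copied from the reply, the proxy-log format (`client_ip dest_ip url`) and the log lines themselves are constructed for the demonstration, and the pairing of 85.234.190.22 with cruelgay.ru in those lines is taken only from the thread title.

```python
"""Parse the IoCs posted in this thread and match them against constructed
proxy-log lines and a list of file hashes. Added example, not thread code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Text copied from Amishrabbit's reply (defanged hxxp:// URLs, MD5 hashes).
IOC_TEXT = """
08fd53e0ece9f84f.jar   73cfe10de2d0fd6f6bb064a17a970b1b (JAR downloader)
bb84cc1695aa5a51.pdf   22fc8c57a7287b3a7c87fb001c95df64 (PDF downloader)
load.php.exe   3c462c74a90cd3496b89baf4dc647fc2 (Oficla/Sasfis/Tacticlol) (origin: hxxp://cruelgay.ru/zmb/load.php?f=1&e=4)
   goap.cmo   55b7bdfcd6af5ef36106ce21030aa3e0  (Oficla/Sasfis/Tacticlol)
15.tmp   7b9d1d6254044186478dd1cfa6f5cb74  (Hiloti) (origin: hxxp://imlady.ru/atx.exe)
   msraufte.dll   7bba413842d21cd09377e5ac40998cd9 (Hiloti/Virtumonde)
CnC: hxxp://mylote.com/test/bb.php
Alternate CnC: hxxp://asusmac.org/original/s.php
"""

# Netblock flagged in the opening post.
BAD_NETBLOCKS = [ipaddress.ip_network("85.234.190.0/24")]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
DEFANGED_URL_RE = re.compile(r"hxxps?://[^\s)]+")

# Constructed proxy log, one line per request: "<client_ip> <dest_ip> <url>".
SAMPLE_LOG = [
    "10.0.0.5 85.234.190.22 http://cruelgay.ru/zmb/index.php",
    "10.0.0.5 85.234.190.22 http://cruelgay.ru/zmb/load.php?f=1&e=4",
    "10.0.0.7 192.0.2.10 http://example.com/",
    "10.0.0.9 198.51.100.4 http://mylote.com/test/bb.php",
]


def refang(url):
    """Turn a defanged hxxp(s):// URL back into a real scheme for matching."""
    return re.sub(r"^hxxp", "http", url)


def extract_iocs(text):
    """Return (md5s, urls, hosts) sets pulled from free-form text like the post."""
    md5s = set(MD5_RE.findall(text))
    urls = {refang(u) for u in DEFANGED_URL_RE.findall(text)}
    hosts = {urlsplit(u).hostname for u in urls}
    return md5s, urls, hosts


def ip_in_bad_netblock(ip, netblocks=BAD_NETBLOCKS):
    """True if ip falls inside any flagged CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def scan_proxy_log(lines, iocs, netblocks=BAD_NETBLOCKS):
    """Return (client, url, reasons) for each log line matching an indicator.

    A host match catches paths the post did not list (e.g. index.php);
    an exact URL match identifies the specific drive-by or CnC request.
    """
    md5s, urls, hosts = iocs
    hits = []
    for line in lines:
        client, dest, url = line.split()
        reasons = []
        if ip_in_bad_netblock(dest, netblocks):
            reasons.append("dest in flagged netblock")
        if urlsplit(url).hostname in hosts:
            reasons.append("known bad host")
        if url in urls:
            reasons.append("exact drive-by/CnC URL")
        if reasons:
            hits.append((client, url, reasons))
    return hits


def check_hashes(md5_list, iocs):
    """Return the subset of md5_list that matches a posted payload hash."""
    return sorted(set(h.lower() for h in md5_list) & iocs[0])


if __name__ == "__main__":
    iocs = extract_iocs(IOC_TEXT)
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG, iocs):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

Host-level matching is deliberately broader than the exact URLs in the post: the opening post only names index.php, while the reply shows load.php serving the executable, so a client that hit any path on the listed hosts or any address in the netblock is worth pulling for the hash check.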

October 08, 2010, 06:07:05 pm
Reply #4

eoin.miller
