Author Topic: New files for Zeus servers  (Read 203717 times)

December 02, 2010, 06:22:28 pm
Reply #240

jackberri

hxxp://91.213.174.46/KillEXE.exe
md5sum ===> 6314604abaf419b7e9d991d119a96bc4
http://www.virustotal.com/file-scan/report.html?id=d9cd73951f329045505d99b2268e7f5c27befab9933a9357130294e7acdf2fc0-1291312532
VT 26/43 (60.5%)

hxxp://91.213.174.46/all-zahlung.exe
md5sum ===> 5c2838b4e83855b56ae7320240678e47
http://www.virustotal.com/file-scan/report.html?id=426d4d927193905c0d54b3b1745b7306e2e0ff2cf236d158849634d8f7b57da8-1291312482
VT 19/43 (44.2%)

December 11, 2010, 12:26:55 pm
Reply #241

jackberri

New IP & md5sum:

IP Location: Russian Federation - VLine Telecom
IP 109.196.142.42
AS39150
Registrant/Email Registrant: Elena Gavrilova/rex@maillife.ru
hxxp://silvecoolg.com/ptz/por.tu
md5sum ===> 15103d2a8efd9822e5ce5d4079bd701f

hxxp://silvecoolg.com/ptz/ptg.exe
md5sum ===> 9ceaa23eea798c7e00a4f2bfc51cea02
http://www.virustotal.com/file-scan/report.html?id=16e527b805c47b6bc2e33a77ae3f00126d9909214d8cfbd877530f79d5878ac6-1292067098
VT 30/43 (69.8%)

December 12, 2010, 05:02:54 pm
Reply #242

jackberri

hxxp://shopgroov.net/ppnl3.bin
hxxp://shopgroov.net/panel3/ppnl3.bin
md5sum ===> 0ad35c76d0266ff114f1514f31f8b4a9

hxxp://shopgroov.net/panel3/ppnl3.exe
md5sum ===> 547c0e1a9fd93b52f95ce6b4cb3e30dd
http://www.virustotal.com/file-scan/report.html?id=03a4369f802f8e348f22d2c691cf1044172637ff979844d1e0a20844578ae07c-1292162833
VT 38/43 (88.4%)

hxxp://shopgroov.net/panel3/gotobank.php

December 13, 2010, 03:43:34 am
Reply #243

lelenina

HTTP traffic captured with Fiddler from an exploit. I believe it is ZeuS.
http://2go4corp.com/xed/config.bin

December 13, 2010, 07:23:01 am
Reply #244

jackberri

Quote from: lelenina
HTTP traffic captured with Fiddler from an exploit. I believe it is ZeuS.
http://2go4corp.com/xed/config.bin

:)

IP Location: United States - bluemile arin block2 - BLUEMILE , INC
IP 76.10.214.62
AS11013
Registrant/Email Registrant: Victor I Brikatnin/mire@maillife.ru

hxxp://2go4corp.com/xed/recover.bin
md5sum ===> 829e442ea2537c1901a18a87b41e59f1

hxxp://2go4corp.com/xed/yourbot.exe
md5sum ===> 67496e11ddf8232a027ba494a3c03cd2
http://www.virustotal.com/file-scan/report.html?id=31c992ce998e86548ab9cb4800b705272fcba8c58f61fd6ce2fcc5cd7ce21fdf-1292224147
VT 1/43 (2.3%)

hxxp://2go4corp.com/xed/gate.php

December 13, 2010, 05:29:08 pm
Reply #245

lelenina

How did you find where the binaries were located?

December 13, 2010, 05:49:31 pm
Reply #246

jackberri


December 14, 2010, 03:59:13 pm
Reply #247

jackberri

New md5sum:
hxxp://2go4corp.com/xed/yourbot.exe
md5sum ===> 04c62bfb7514b1bc77e315ad51ee2b0c
http://www.virustotal.com/file-scan/report.html?id=a78ae65f4b529109b44b9e51acbe3cb4c51e9a51073ccfa24f8c935f95520f64-1292341955
VT 6/43 (14.0%)

December 14, 2010, 08:54:48 pm
Reply #248

jackberri

New md5sum:

hxxp://bestwebrecords.ru/cfg/lks34bestwebrecords.jpg
md5sum ===> 1dc3759fe4b836276e30782a77fb70c8

hxxp://sysupdate.ru/XIu2LaboagOUmOU/C19tRo.exe
md5sum ===> 66cc9841caa8a576a427b57bbd29937c
http://www.virustotal.com/file-scan/report.html?id=4c01bc6b881b64ca8d06d36a03887fa86aab4dcc4ded89240f206b6824b0d8a8-1292370609
VT 3/43 (7.0%)

December 15, 2010, 11:08:29 am
Reply #249

jackberri

hxxp://sharplink.ru/22oct_pac.cpm
hxxp://kindbaby.ru/22oct_pac.cpm
hxxp://realemotions.ru/22oct_pac.cpm
md5sum ===> 2024edeef06f9d8482a6936e24451db5

hxxp://sharplink.ru/22oct_pac.exe
hxxp://kindbaby.ru/22oct_pac.exe
hxxp://realemotions.ru/22oct_pac.exe
md5sum ===> eefbe4c73a25a44bcc0d5df146b13fce
http://www.virustotal.com/file-scan/report.html?id=b68072cc74f356106fc638ce0d912a1fe4f6573da26336e80aabea89cbebca2c-1292408472
VT 24/43 (55.8%)

hxxp://kindbaby.ru/14oct_usa.cpm
md5sum ===> b1f5bef7abc60b7acccbde882a6e1644

hxxp://sharplink.ru/14oct_usa.exe
hxxp://kindbaby.ru/14oct_usa.exe
hxxp://realemotions.ru/14oct_usa.exe
md5sum ===> 70734b55ab2fe874e44706be389dc77b
http://www.virustotal.com/file-scan/report.html?id=c3a0d72b6c2d1d885117685d0548d976a00e7a5b9efb6c30e0edd8cd16431960-1292410216
VT 30/43 (69.8%)

hxxp://sharplink.ru/22oct_dmi.cpm
hxxp://kindbaby.ru/22oct_dmi.cpm
hxxp://realemotions.ru/22oct_dmi.cpm
md5sum ===> 4942d08e86bf432b2b23cb1e4b7ccf92

hxxp://sharplink.ru/22oct_dmi.exe
hxxp://kindbaby.ru/22oct_dmi.exe
hxxp://realemotions.ru/22oct_dmi.exe
md5sum ===> add058a4f13c3b5f2a97ecc80933cfff
http://www.virustotal.com/file-scan/report.html?id=6266922df8b6574a0e6c4a8049e691fbc86673764c908f107eb479dacc485a4a-1292410658
VT 12/43 (27.9%)

hxxp://sharplink.ru/22oct_ic3.cpm
hxxp://kindbaby.ru/22oct_ic3.cpm
hxxp://realemotions.ru/22oct_ic3.cpm
md5sum ===> 1cf6fa0e85569d4c82f2432ca1ce985c

hxxp://sharplink.ru/22oct_ic3.exe
hxxp://kindbaby.ru/22oct_ic3.exe
hxxp://realemotions.ru/22oct_ic3.exe
md5sum ===> ee68283c0c8494c322c8f6d41aa4e8d6
http://www.virustotal.com/file-scan/report.html?id=ef70f2a7fc9c987e9d1420f12dcc83899e822cf68f86a4f6006e4553faa7c9d2-1292410999
VT 10/43 (23.3%)

hxxp://sharplink.ru/yahooman.php
hxxp://realemotions.ru/yahooman.php

December 15, 2010, 09:00:04 pm
Reply #250

jackberri

hxxp://91.213.174.44/KillEXE.exe
md5sum ===> 20f961fbd1e8d56c357465a1c200664e
http://www.virustotal.com/file-scan/report.html?id=e46cbc9c4823e3693ce51413344325a8cfafc7f14697d3ebfdc3f06f6997fc9a-1292440877
VT 25/43 (58.1%)

related (already listed):
hxxp://interodialset.com/000x120.so

December 16, 2010, 06:02:58 pm
Reply #251

jackberri

New md5sum:

hxxp://sysupdate.ru/XIu2LaboagOUmOU/C19tRo.exe
md5sum ===> b0bbe34f521ed7605ac5da22413d75af
http://www.virustotal.com/file-scan/report.html?id=2c35119ca3f4cd8fa55244b070a455afc3268fbbc3d61d0a77ed575647b5a172-1292520982
VT 7/43 (16.3%)

hxxp://2go4corp.com/xed/yourbot.exe
md5sum ===> 6e9f9f28f9a23d33e290e8da290aee0c
http://www.virustotal.com/file-scan/report.html?id=c15d5880ac241d2fbbda792f6c973edee94e198602256ebaf93a0ec89163ac37-1292521443
VT 2/43 (4.7%)

December 16, 2010, 08:22:34 pm
Reply #252

jackberri

hxxp://91.213.174.6/ups/ALL-zahlung.exe
hxxp://91.213.174.10/ups/ALL-zahlung.exe
hxxp://91.213.174.44/ups/ALL-zahlung.exe
md5sum ===> 81ec63eec9b5c4ccecc674b73d2797f9
http://www.virustotal.com/file-scan/report.html?id=a0e6c30e42cd9a752800d4aff1ac1537188f0e965b052cd000b4aae4fdd9745c-1292530513
VT 21/43 (48.8%)

hxxp://91.213.174.6/ups/ALL.exe
hxxp://91.213.174.10/ups/ALL.exe
hxxp://91.213.174.44/ups/ALL.exe
md5sum ===> 5cc9a312cbfb6bb9b117b94009f96d76
http://www.virustotal.com/file-scan/report.html?id=378840167bc5675cce79371d8bbeffbf786e4367c50962a554dd06d41f6b21c1-1292530672
VT 1/43 (2.3%)

December 22, 2010, 08:30:14 am
Reply #253

jackberri

hxxp://lsdqlmoezehnivn.org/news/?s=155726
hxxp://ntstuovussurej.com/news/?s=155726
hxxp://193.178.172.77/news/?s=155726
md5sum ===> d24c93875745ec3d2053e287bfcef7ba

hxxp://lsdqlmoezehnivn.org/news/?s=136357
hxxp://ntstuovussurej.com/news/?s=136357
hxxp://193.178.172.77/news/?s=136357
md5sum ===> eca48ad954faef3a8bf2c5ef7d534f2e

hxxp://lsdqlmoezehnivn.org/news/?s=6225
hxxp://lsdqlmoezehnivn.org/news/?s=6225
hxxp://193.178.172.77/news/?s=6225
md5sum ===> fb3c19442971a5e1270dca64b7ececfc
http://www.virustotal.com/file-scan/report.html?id=b33bc3c851a88eb1f72a8d94903d8441b3136db593d5097e99a8762aa4a632a7-1293006181
VT 22/43 (51.2%)

December 22, 2010, 12:49:59 pm
Reply #254

jackberri

hxxp://fsdm.net/sx881/gta77.exe
md5sum ===> 9bd6284ac3976b59796bfd8f06d87011
http://www.virustotal.com/file-scan/report.html?id=9c2efd6be7d822b9d3071a96651665b736d8d0b181c41316433b58215adde348-1293021690
VT 8/43 (18.6%)

hxxp://dpxp.net/zxt727.php