Author Topic: New Zeus server  (Read 374619 times)


February 07, 2010, 09:59:16 am
Reply #120

jackberri

hxxp://g4hostupdates.net.in
IP 193.219.5.200
AS21031

IP Location: Vilniaus Apskritis - Vilnius - Elneta Ltd

Registrant: Abdul Raja
Email: hackmaster@safe-mail.net

Created On: 21-Jan-2010

hxxp://g4hostupdates.net.in/bd/helloworld.bin

February 07, 2010, 04:20:11 pm
Reply #121

jackberri

hxxp://fortoooco.su
IP: 193.104.94.15
email: samm_87@email.com
AS50033
IP Location: Russian Federation - Group 3 Llc

config url:
hxxp://fortoooco.su/ribbn.tar
dropzone:
hxxp://fortoooco.su/index1.php

February 07, 2010, 04:41:37 pm
Reply #122

jackberri

hxxp://193.105.0.42
AS50390

config url:
hxxp://193.105.0.42/sargasso.bin
trojan:
hxxp://193.105.0.42/mustangus.exe
md5sum ===> 81ef87630642c6bd0ec0bee8d6a6a282
http://www.virustotal.com/analisis/13c2fa21cf9d0c204595ca8340aae93ca9e1ed362b95b06a795dc9f1b2818375-1265560148

dropzone:
hxxp://193.105.0.42/optimus.php

February 07, 2010, 05:03:40 pm
Reply #123

jackberri

hxxp://www.exportweb.cn
IP: 195.245.194.22
Niklas Nyman
Email: niklaslong@gmail.com

AS43877

config url:
hxxp://www.exportweb.cn/images/show/config.bin

February 07, 2010, 05:37:01 pm
Reply #124

jackberri

hxxp://436235dan.mobi
IP: 213.163.91.208

Registrant ID: FR-10eb2f8c13d2
Email: contact@privacyprotect.org

AS49544

config url:
hxxp://436235dan.mobi/ukk/cfg.bin
dropzone:
hxxp://436235dan.mobi/ukk/page0.php

February 09, 2010, 11:36:30 am
Reply #125

jackberri

hxxp://193.104.27.109
AS12604

Kamushnoy Vladimir
info@citygameru.cn

config url:
hxxp://193.104.27.109/wtf/ins3.rar
trojan:
hxxp://193.104.27.109/wtf/w3w.rar
http://www.virustotal.com/analisis/102786cd087fabc4a0c645c748391d718c2dc7faf82f9b203a654f69d0a4963e-1265714274
VT 13/41 (31.71%)
md5sum ===> 40c96b50cc13fdd519f09b6c759704f6
dropzone:
hxxp://193.104.27.109/wtf/update.php

February 09, 2010, 01:34:47 pm
Reply #126

jackberri

hxxp://z130217.infobox.ru [srv039.infobox.ru]
IP: 77.221.130.39
AS30968

config url:
hxxp://z130217.infobox.ru/tmp/config.bin
trojan:
hxxp://z130217.infobox.ru/tmp/bot.exe
http://www.virustotal.com/analisis/20adfcf0f664da7cc3d639648e339ba0ec5ab797a29d138f9500d5fc4d706d16-1265722293
VT 21/41 (51.22%)
md5sum ===> 4d75c8e9696d28e39dd04544de698f8e
dropzone:
hxxp://z130217.infobox.ru/tmp/gate.php

February 09, 2010, 03:14:52 pm
Reply #127

jackberri

hxxp://dedicalsels.com [6.b.79ae.static.theplanet.com]
IP: 174.121.11.6
AS30968

trojan:
hxxp://dedicalsels.com/socks/bot.exe
http://www.virustotal.com/analisis/fa9dba7c4c017d31973ea697802ccd029691406d2877931adf967dd7ab793db7-1265728108
VT 17/41 (41.47%)
md5sum ===> efa454a5322bdb3372aa50682b386506
dropzone:
hxxp://dedicalsels.com/socks/stat.php

February 09, 2010, 03:28:24 pm
Reply #128

SysAdMini

hxxp://dedicalsels.com [6.b.79ae.static.theplanet.com]
IP: 174.121.11.6
AS30968

trojan:
hxxp://dedicalsels.com/socks/bot.exe
http://www.virustotal.com/analisis/fa9dba7c4c017d31973ea697802ccd029691406d2877931adf967dd7ab793db7-1265728108
VT 17/41 (41.47%)
md5sum ===> efa454a5322bdb3372aa50682b386506
dropzone:
hxxp://dedicalsels.com/socks/stat.php

Not a Zeus bot, but a downloader that downloads Zeus from hxxp://carderam.com/instal/qw.exe.
Ruining the bad guy's day

February 09, 2010, 04:06:04 pm
Reply #129

jackberri

hxxp://193.104.27.109

config file:
http://193.104.27.109/wtf/w3.rar

February 09, 2010, 05:24:23 pm
Reply #130

jackberri

hxxp://115.100.250.88
IP Location: China Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd. Langfang Branch
AS9811

config url:
hxxp://115.100.250.88/uk/price.xls
md5sum ===> 8f3193f5e8f9af039bbb9181f5405765
trojan:
hxxp://115.100.250.88/uk/pkzip.exe
http://www.virustotal.com/analisis/51ce7dd014e5771add084b60bd731d644a28f2b5ad64bcaf28a380056e03c03d-1265736154
VT 10/41 (24.4%)
md5sum ===> fdb6cbf09b82eb4a9cf73f2f316bf742
dropzone:
hxxp://115.100.250.88/ie.php

February 10, 2010, 08:23:06 am
Reply #131

jackberri

hxxp://193.105.0.81
route: 193.105.0.0/24
IP Location: Ukraine Pavlenko Tetyana Oleksandrivna

Pavlenko Tetyana Oleksandrivna
e-mail: t.pavlenko@smilanet.net
AS50390

config url:
hxxp://193.105.0.81/chikony.bin

February 10, 2010, 11:46:05 am
Reply #132

SysAdMini

payload of Eleonore exploit kit
podgribami.org/el/load.php?spl=mdac
http://www.virustotal.com/analisis/4babbd8c1b17b3d226f7c6973a9c34c9fd1f9659b1b648b5eb41e1296300d52d-1265801421 1/40
Symantec   20091.2.0.41   2010.02.10   Suspicious.Insight
http://camas.comodo.com/cgi-bin/submit?file=4babbd8c1b17b3d226f7c6973a9c34c9fd1f9659b1b648b5eb41e1296300d52d

corresponding config file
wwwtrue.org/m/cfag.bin
drop zone
wwwtrue.org/m/getme.php
Ruining the bad guy's day

February 11, 2010, 10:28:30 am
Reply #133

jackberri

hxxp://91.201.196.37
AS42229
IP Location: Ukraine Pp Mariam

Yuriy Yurievich Prokopenko
e-mail: yuriy.prokopenko@mariam-ua.net

config url:
hxxp://91.201.196.37/yi9ahRah.eed5Jeed
md5sum ===> 35605b853611f1fcbcdf057871f4cc4f
trojan:
hxxp://91.201.196.37/oL8chaev.exe
http://www.virustotal.com/analisis/ab0bbf7a013ea9c7d503213e82018790117e411d053cb3c058c0b6670e7133d5-1265882379
VT 16/40 (40.00%)
md5sum ===> e300e0fa8ab1aa6c5c061c9dccf10e83
dropzone:
hxxp://91.201.196.37/iXeij7Ai.php

February 11, 2010, 03:49:12 pm
Reply #134

jackberri

hxxp://aboutrevers.com
IP: 92.60.177.230
AS15772
IP Location: Ukraine - Llc Wnet

Creation date: 2010-01-29

Andrey Aleksandrovich Polev
e-mail: o00o.code@gmail.com

config url:
hxxp://aboutrevers.com/cgi_bin/7LTS0jGk/jX8KiQ_c/style.crt
md5sum ===> df968a403bf2d98526eba84908506c39

dropzone:
hxxp://aboutrevers.com/fXaQ8zSla/ogFaTt/psSEmVy_r.php
hxxp://polevand.info/fXaQ8zSla/ogFaTt/psSEmVy_r.php

hxxp://polevand.info
IP: 92.60.177.232
AS15772
Created On: 20-Jan-2010

Andrey Aleksandrovich Polev
Email: o00o.code@gmail.com
AS15772
IP Location: Ukraine - Llc Wnet