New Zeus server

[jackberri]

IP 84.19.188.22
[ns.km21048-05.keymachine.de]
AS31103

Code: [Select]

hxxp://slx777.com/pic72/yandex.jpgmd5sum ===> e22d6399d13c9fc593647bda64bf2567

IP 115.100.250.108
AS9811

Code: [Select]

hxxp://vidkonsultant.com/zadmin/cofag56.binmd5sum ===> e6ae0a4876b069a3f7c39073ad0d1bdb

Code: [Select]

hxxp://vidkonsultant.com/zadmin/botetz.exemd5sum ===> c1140e33709dbae55de375748cf4fb09
http://www.virustotal.com/analisis/d23a7424ab46b32860ee3baabc1461b446554316d480418181a993b655b20601-1268206506
VT 2/42 (4.77%)

Code: [Select]

hxxp:/vidkonsultant.com/zadmin/gates5.php
IP 94.228.209.146
AS47869

Code: [Select]

hxxp://ectoplan.net/httpd/loc.somd5sum ===> beb5358d78efec8607501e998f58248a

Code: [Select]

hxxp://ectoplan.net/etc/403.php
new file:

Code: [Select]

hxxp://yrots.ru/5/exeusn3.exemd5sum ===> 0a020e8883c8d06bf6d07e9acda00ad2
http://www.virustotal.com/analisis/f28e6e8717bc4a37aa1707cfc9a13015a5a724a2ca4c0c4fbf814c68383e30eb-1268206370
VT 6/42 (14.29%)

[jackberri]

IP 91.212.132.76
AS49091

Code: [Select]

hxxp://freewhois.ru/laskw7as/lsiwkau2grng.jpgmd5sum ===> 63011a5da0a80b1fe06b9e4490285cd3

related zeusbotnet malware (ectoplan.net)
[undefined.datagroup.ua]
AS21219

Code: [Select]

hxxp://93.183.203.67/2line/KillEXE.exemd5sum ===> 30d56bf40b7d674cd0b2e8234a72099d

Code: [Select]

http://www.virustotal.com/analisis/44724069a536e87b7a9a25c7942a000cebbf595c726c95757370c8721ff39657-1268213045VT 3/42 (7.15%)

[jackberri]

IP 69.147.83.187
[p11p1.geo.sp1.yahoo.com]
AS36752

Code: [Select]

hxxp://pro-dancing.com/select.binmd5sum ===> 6f5a280e69f46c8fbcb43befd6b379c7

[jackberri]

IP 59.53.91.107
AS4134

Code: [Select]

hxxp://davaydavay.net/davay/cfg.binmd5sum ===> 78384e7a611feb51c01fee4764a5911d

Code: [Select]

hxxp://davaydavay.net/davay/folder/server.php

[jackberri]

IP 188.124.3.225
[static.vitalhosting.com.tr]
AS44565

Code: [Select]

hxxp://violgomebed.in/nnesx/cf.binmd5sum ===> 53bfb2d3bb0bb796197cfaab2161c353

[jackberri]

AS29371

Code: [Select]

hxxp://91.212.41.78/OhQu5i.php

[jackberri]

Code: [Select]

hxxp://bl.widget-des.in/mnz/mxx.binmd5sum ===> 1b1b64f9fff0cacbfc2351bd5f9aa5a2
SHA256   ===> 5ed19525591eefb2794acd610a0950e0bc4d7ba28928fbb28973aa44734e9911

IP Location China Beijing Chinanet Jiangxi Province Network
IP 59.53.91.116
AS4134

[jackberri]

Code: [Select]

hxxp://rainbox.info/tmp/tmp.php
IP Location: USA Virginia - Mclean - Smv
IP 216.22.26.29
[apple.dynadot.com]
AS25847

[jackberri]

IP 69.80.228.12
[hosted.by.x5x-noc.ru]
AS19166

Code: [Select]

hxxp://sexycheck.net/images/gate.php
IP 195.78.108.20
AS49544

Code: [Select]

hxxp://uagood.com/vOs58/tr.php

[jackberri]

IP 69.147.83.188
[p11p3.geo.sp1.yahoo.com]
AS36752

Code: [Select]

hxxp://demonvoploti.net/join.binmd5sum ===> 12e6cbbd974a5578fb2712c30c5e0bd3
SHA256   ===> aa174f93ea97cf6c83954ac74eae6afdf3842f11647b834b6dc9a939e6fcccd7

Code: [Select]

hxxp://demonvoploti.net/play.exemd5sum ===> 12c81a1d66cbe386e2082152ce0db6b6
SHA256   ===> fbc52962a44ca83392ac9ce65b1d902e7d9523331bd3d48594d61c0cd0430d3a
http://www.virustotal.com/analisis/fbc52962a44ca83392ac9ce65b1d902e7d9523331bd3d48594d61c0cd0430d3a-1268667741
VT 8/42 (19.05%)

Code: [Select]

hxxp://demonvoploti.net/test.php

[jackberri]

IP 124.217.254.201
[pegashosting.com]
AS45839

Code: [Select]

hxxp://mazavaza.co.uk/pp/suka.binmd5sum ===> 519625b275c603401a845897cc335812
SHA256   ===> 8f3626ebffcbca58154a4338919458384c4a49a1c31bfb78c7d2148fa2226d7a

Code: [Select]

hxxp://mazavaza.co.uk/pp/huy.exemd5sum ===> dc97e1f12aedb8190b6e812022515feb
SHA256   ===> 29de8c04d0970c14e2591aa3ebcb04d3bbad1daf1b00b2ddbaff9799621ad881
http://www.virustotal.com/analisis/29de8c04d0970c14e2591aa3ebcb04d3bbad1daf1b00b2ddbaff9799621ad881-1268854581
VT 6/42 (14.29%)

Code: [Select]

hxxp://mazavaza.co.uk/pp/tini.php

[jackberri]

IP 89.187.37.30
[host30-37.monitoring.md]
AS25129

Code: [Select]

hxxp://corpdonates.org/cnfgbts/updatesys.binmd5sum ===> 13c19a2d1681b753d4cf246583b9a779
SHA256   ===> b0370fc58b314cbfb90a21abd4b5da3afbe8290f742f8160aa64dd9c4d80ce76

[SysAdMini]

Very "creative" registration details for a zeus domain:

domain:         gilsenkirhen.at
registrant:     AA6976333-NICAT
admin-c:        AA6976332-NICAT
tech-c:         AA6976332-NICAT
nserver:        a.ns.joker.com
nserver:        b.ns.joker.com
nserver:        c.ns.joker.com
changed:        20100317 13:07:44
source:         AT-DOM

personname:     ara arovskii
organization:
street address: 123 abc rd
postal code:    8===3
city:           gilzenkirshen
country:        Holy See (Vatican City State)
nic-hdl:        AA6976333-NICAT
changed:        20100310 19:15:02
source:         AT-DOM

personname:     ara arovskii
organization:
street address: 123 abc rd
postal code:    8===3
city:           gilzenkirshen
country:        Holy See (Vatican City State)
nic-hdl:        AA6976332-NICAT
changed:        20100310 19:11:24
source:         AT-DOM

[jackberri]

IP 76.76.101.76
[reverse-mtl-76-76-101-76.gogax.com]
AS21793

Code: [Select]

hxxp://cralertyit.net/ini/clock.jpgmd5sum ===> 32e91d3f100c3433ab8cd5dfc09d49ae
SHA256   ===> 237e902353732ef974f83441e896dbb1732dc878e8a8f3ae3e8e3f46b7451fed

Code: [Select]

hxxp://cralertyit.net/cj/rp.php

[jackberri]

IP 218.240.28.34
AS23724

Code: [Select]

hxxp://dhsinfo.info/imgs/xd4sb8/nds28m.binmd5sum ===> 879206ec5c1147bb102e3c7401aa939a
SHA256   ===> a533448005695772d4433937bcb3b472b570ae50c1eaa1223a9df6c5adf6206a

Code: [Select]

hxxp://dhsinfo.info/templtes/a16ext/int3xs/s.php