Topic: New Zeus server (Read 371117 times)


February 01, 2010, 05:19:22 pm
Reply #105

jackberri

hxxp://evetpotratrne.com
IP: 193.104.94.79
IP Location: Russian Federation - Group 3 Llc
AS50033

Updated Date: 28-jan-2010
Creation Date: 27-jan-2010

Registrant Name: Leon
email: admin@evetpotratrne.com

config url:
hxxp://evetpotratrne.com/barcelona/barccfg9832789/barccfg23084292.bin
dropzone:
hxxp://evetpotratrne.com/barcelona/barcgate80372750.php

February 01, 2010, 07:29:15 pm
Reply #106

jackberri

hxxp://193.105.0.41
IP Location: United Kingdom

AS50390

Name: Pavlenko Tetyana Oleksandrivna
email: t.pavlenko@smilanet.net

config url:
hxxp://193.105.0.41/offshore.bin
trojan:
hxxp://193.105.0.41/mranders.exe
md5sum ===> c8e9c884a3c65a45385f8c68c955788a
http://www.virustotal.com/analisis/7a404d6a5937bd951b21e949981ca19e381543560025e7ce9941a37f5870396a-1265051638
VT 10/41 (24.4%)

dropzone:
hxxp://193.105.0.41/custumoper.php

February 02, 2010, 09:21:05 am
Reply #107

jackberri

hxxp://metacarantin.com
IP: 69.147.83.187
Reverse: p11p1.geo.sp1.yahoo.com
AS36752

Creation Date........ 2009-12-23
Registration Date.... 2009-12-23

Name: Eliso Jr.
email: contact@myprivateregistration.com

config url:
hxxp://metacarantin.com/strt.bin
trojan:
hxxp://metacarantin.com/strt.exe
md5sum ===> 5ca76c6a5354744d90ae3ae8caec629c
http://www.virustotal.com/analisis/1dc01c4b4749d0ebd103556a4e196eea32305ad23cc4fa655b0fa144b7effc1f-1265101594
VT 7/40 (17.5%)

February 02, 2010, 09:49:30 am
Reply #108

jackberri

hxxp://stopstopstop33.com
IP: 115.100.250.118
IP Location: China - Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd

AS9811

Creation.. 2010-01-09 19:32:31
Update.... 2010-01-09

Registrant: Real Host
email: abuseemaildhcp@gmail.com

config url:
hxxp://stopstopstop33.com/zzdd/conf1.bin
trojan:
hxxp://stopstopstop33.com/zzdd/theme/445.exe
md5sum ===> b97a5bfa381d88bc4ec1431b2c18f769
http://www.virustotal.com/analisis/88b97a89db7e158425f5d7c4daa11e80e35da5c686074a8f667efb6409644ed9-1265103254
VT 11/40 (27.5%)

dropzone:
hxxp://stopstopstop33.com/zzdd/gtgy.php
Other domains:
1000zubov.net

February 02, 2010, 10:00:22 am
Reply #109

SysAdMini

trojan:
hxxp://stopstopstop33.com/zzdd/theme/445.exe

This file isn't a Zeus trojan, but looks like TDSS.
http://camas.comodo.com/cgi-bin/submit?file=88b97a89db7e158425f5d7c4daa11e80e35da5c686074a8f667efb6409644ed9

The corresponding url is hxxp://stopstopstop33.com/bote1.exe, but the file doesn't exist.

Thanks anyway.
Ruining the bad guy's day

February 02, 2010, 10:41:09 am
Reply #110

jackberri

> This file isn't a Zeus trojan, but looks like TDSS.

You're right :)

Another:

Only the config url ;)

hxxp://basiscause.com
IP: 188.124.7.244
IP Location: Turkey - Vital Teknoloji - Dedicated Pool
Reverse: Vital-244-7-124-188.vitalhosting.com.tr
AS44565

Registrant: Nicole Kidman
email: beto34675@gmail.com

config url:
hxxp://basiscause.com/cfg3.txt

February 02, 2010, 05:23:09 pm
Reply #111

jackberri

hxxp://bpergroup.ru
IP 195.242.161.190
AS47434
e-mail: gogoilyin@google.com

config url:
hxxp://bpergroup.ru/images/shcest.bmp
Other domains:
internazionale.vc (zeus server)
studiofilms.ru
www.studiofilms.ru

February 04, 2010, 06:34:16 pm
Reply #112

jackberri

hxxp://cp332308.cpanel.tech-logol.ru
IP 188.93.212.39

AS49352

email: domains@logol.ru


url config:
hxxp://cp332308.cpanel.tech-logol.ru/bin8.xls
trojan:
hxxp://cp332308.cpanel.tech-logol.ru/stb.exe
md5sum ===> d1db23405cf0206f44e5c4fa70ecbebf
http://www.virustotal.com/analisis/cd902878e9b779765e7dfc1eae1ebe5056672dc791d0a8ca2d79755cd56cf2ea-1265308099
VT 4/40 (10%)


February 04, 2010, 07:58:00 pm
Reply #113

jackberri

hxxp://dfgdfgs.fileave.com
IP 64.62.181.43

AS6939

url config:
hxxp://dfgdfgs.fileave.com/dfgdfgs.bin

February 05, 2010, 05:54:58 pm
Reply #114

jackberri

hxxp://115.100.250.87
IP Location: China Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd. Langfang Branch

AS9811

config url:
hxxp://115.100.250.87/uk/price.xls
trojan:
hxxp://115.100.250.87/uk/pkzip.exe
md5sum ===> ceb602edc5f8b429790bf5dabbef1e09
http://www.virustotal.com/analisis/6bdeb8d852b4e4966ee878df72a557778178b6770dd7a55b955c1d25e3557a31-1265391918
VT 16/38 (42.11%)

dropzone:
hxxp://115.100.250.87/ie.php

February 05, 2010, 05:56:59 pm
Reply #115

SysAdMini

hxxp://115.100.250.87

Are you able to connect to this host? Doesn't work here.
Ruining the bad guy's day

February 05, 2010, 06:18:21 pm
Reply #116

jackberri

LFT trace started at 05-Feb-10 18:49:06 CET
                                     ^^^^^^^^^^^^^^
TTL LFT trace to 115.100.250.87:80/tcp
 [...]
 8  [12956] ChinaNetCom11-0-0-0-grtpaopx2.red.telefonica-wholesale.net (213.140.55.14) 302.0/219.3ms
 9  [4837] 219.158.30.233 385.0ms
**  [neglected] no reply packets received from TTL 10
11  [4837] 219.158.4.41 524.0/421.8ms
12  [4808] 202.96.12.90 409.6ms
**  [neglected] no reply packets received from TTL 13
14  [4808] 61.148.156.118 452.7ms
**  [neglected] no reply packets received from TTL 15
16  [4808] 61.148.74.210 442.3ms
17  [9811] 211.167.95.234 433.0/423.1ms
**  [neglected] no reply packets received from TTLs 18 through 19
20  [9811] [target open] 115.100.250.87:80 432.4ms

-----------------------------------------------------------

LFT trace started at 05-Feb-10 19:14:41 CET
                                      ^^^^^^^^^^^^^^
TTL LFT trace to 115.100.250.87:80/tcp

[...]

**  [neglected] no reply packets received from TTL 7
 8  [12956] ChinaNetCom11-0-0-0-grtpaopx2.red.telefonica-wholesale.net (213.140.55.14) 375.6/219.2ms
 9  [4837] 219.158.30.233 396.7ms
**  [neglected] no reply packets received from TTL 10
11  [4837] 219.158.4.41 551.8/441.8ms
**  [neglected] no reply packets received from TTL 12
13  [4808] 61.148.152.137 440.5ms
14  [4808] 61.148.156.118 445.8ms
15  [4808] 61.148.157.70 436.8ms
16  [4808] 61.148.74.210 463.1ms
17  [9811] 211.167.95.234 445.2ms
18  [23724] 218.240.7.103 456.4ms
**  [neglected] no reply packets received from TTL 19
20  [9811] [target open] 115.100.250.87:80 435.9ms
LFT trace finished at 05-Feb-10 19:15:31 CET (49.82s elapsed)

;)

February 05, 2010, 07:00:15 pm
Reply #117

SysAdMini

[..]
11   386 ms   369 ms   374 ms  61.148.152.137
12   387 ms   388 ms   390 ms  61.148.156.118
13   421 ms   399 ms   386 ms  61.148.157.70
14   375 ms   369 ms   367 ms  61.148.74.210
15   373 ms   372 ms   388 ms  211.167.95.234
16   390 ms   485 ms   388 ms  218.240.7.103
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.
Ruining the bad guy's day

February 05, 2010, 07:15:11 pm
Reply #118

jackberri

> [..]
> 17     *        *        *     Request timed out.
> 18     *        *        *     Request timed out.
> 19     *        *        *     Request timed out.
> 20     *        *        *     Request timed out.

Yes, now it's closed for me too:

14  [4808] 61.148.156.118 432.7/430.0ms
15  [4808] 61.148.157.70 418.6ms
16  [4808] 61.148.74.210 444.4ms
17  [9811] 211.167.95.234 423.7ms
18  [23724] 218.240.7.103 450.2/447.3ms
**  [neglected] no reply packets received from TTLs 19 through 20
21  [9811] [target closed] 115.100.250.87:80 434.9ms
LFT trace finished at 05-Feb-10 20:12:11 CET (53.51s elapsed)

February 05, 2010, 07:41:24 pm
Reply #119

jackberri

> Yes, now it's closed for me too:

And reopened:

[9811] [target open] 115.100.250.87:80 437.1ms
LFT trace finished at 05-Feb-10 20:38:21 CET (59.44s elapsed)

See also:

http://www.threatexpert.com/report.aspx?md5=ceb602edc5f8b429790bf5dabbef1e09