Author Topic: New Zeus server (Read 395422 times)

jackberri · April 14, 2010, 09:24:25 am

IP Location: China Beijing China Railway Telecommunications Center
IP 222.35.143.116
AS38356

hxxp://foinkto015.net/ckk/after.jpgmd5sum ===> c4a943a58ee46a6b6e19ef7a0d13d1a0
SHA256 ===> e9a94062fa4c9d1f9c006191a8d8aef64b5f7b998a32b38705badfba8224979c

Code: [Select]

hxxp://foinkto015.net/rep/d.exemd5sum ===> 445c4e6b4b73915bd44ad587223e8a49
SHA256 ===> 0e4d412e2052830ba2d5da9710b74e63fad1607a9c91907d115126199bdbe222
http://www.virustotal.com/es/analisis/0e4d412e2052830ba2d5da9710b74e63fad1607a9c91907d115126199bdbe222-1271236756
VT 6/40 (15%)

Code: [Select]

hxxp://foinkto015.net/ckk/nuker.php

jackberri · April 14, 2010, 02:38:20 pm

IP Location: United States Walnut Psychz Networks
IP 208.87.243.131
[bird.unixbsd.info]
AS40676

Code: [Select]

hxxp://spiritnum.com/sokol/cfg2.binmd5sum ===> 509b7768062f79b67e144c9c71e7a9b4
SHA256 ===> 09a2394e443bce4b37750210d538ccce26c43d42fe876f0ce6233d7467356f09

Code: [Select]

hxxp://spiritnum.com/booot.exemd5sum ===> 1924d6b0a8999e6dfae7e840d91dad44
SHA256 ===> 8372d95a6a884cec04905dcfb6b245a3444fa4273c54589c327ca5d0409c0057
http://www.virustotal.com/es/analisis/8372d95a6a884cec04905dcfb6b245a3444fa4273c54589c327ca5d0409c0057-1271254867
VT 23/40 (57.5%)

Code: [Select]

hxxp://spiritnum.com/sokol/gate.php

jackberri · April 15, 2010, 02:52:46 pm

IP Location: United States Dallas Theplanet.com Internet Services Inc
[9.89.5446.static.theplanet.com]
AS21844

Code: [Select]

hxxp://70.84.137.9/eg.jpgmd5sum ===> 1168e470f80e7e47c8d349d253dd9b93
SHA256 ===> 48da0403bc885b26498d5e8692c1a9b71a801531d95d93ef964b9d829d36e294

jackberri · April 16, 2010, 09:55:37 am

IP Location: China Beijing Beijing Linktom Network Technology Co. Ltd
IP 61.4.82.247
AS17964

Code: [Select]

hxxp://zalipuka.com/gogo/man.binmd5sum ===> 1be819e21bced8f2f34afbc927f220ed
SHA256 ===> 0e6e570880fd82a9f2d2c8f4c8aa826915ae5f7d05b7766b1336a5e548b11ba7

Code: [Select]

hxxp://zalipuka.com/gogo/index.php

jackberri · April 18, 2010, 10:17:55 am

IP Location: China Langfang Development Area Huarui Xintong Network Technology Co. Ltd
IP 119.255.23.47
AS4837

Code: [Select]

hxxp://ferrom.cz.cc/nnrro/local.php

jackberri · April 18, 2010, 05:31:01 pm

IP Location: China Langfang Development Area Huarui Xintong Network Technology Co. Ltd
IP 119.255.23.54
AS4837

Code: [Select]

hxxp://pipeccc.info/go/xpx.php

jackberri · April 18, 2010, 08:17:04 pm

IP Location: Moldova Eugenia E. Groza
AS48671

Code: [Select]

hxxp://91.209.238.24/index.php

Code: [Select]

hxxp://91.209.238.24/m5install/810/1
hxxp://91.209.238.24/admin

jackberri · April 20, 2010, 06:25:32 am

IP Location: France Paris Ovh Sas
IP 91.121.19.159
[ns24153.ovh.net]
AS16276

Code: [Select]

hxxp://ayelconsulting.net/ourvers/xdlogink/bropes.php?captchamd5sum ===> 3323616a4ce92f7deec35d3686d4ef8c
SHA256 ===> 3cf7a0cf9599fb798f73d6edc137378970acd6933fbaea50b9b5b4699a8fa204
related (already listed):

Code: [Select]

hxxp://termasllifen.cl/Locitos/pord/managessec/Pripm/Tearpt.php?confirm

SysAdMini · April 20, 2010, 08:19:51 am

Quote from: jackberri on April 20, 2010, 06:25:32 am

IP Location: France Paris Ovh Sas
IP 91.121.19.159
[ns24153.ovh.net]
AS16276
Code: [Select]
hxxp://ayelconsulting.net/ourvers/xdlogink/bropes.php?captchamd5sum ===> 3323616a4ce92f7deec35d3686d4ef8c
SHA256 ===> 3cf7a0cf9599fb798f73d6edc137378970acd6933fbaea50b9b5b4699a8fa204
related (already listed):
Code: [Select]
hxxp://termasllifen.cl/Locitos/pord/managessec/Pripm/Tearpt.php?confirm

I discovered some more:

Code: [Select]

ayelconsulting.net/ourvers/xdlogink/bropes.php?confirm
www.ancspeciality.com/aects/ewUser/monnelf/lormPlanale/mapturcha.php?confirm
bettercontabil.com.br/lrsontarman/ischel/dentor/bignuer/awSeaetal/mailp.php?confirm
www.weinviertler-heuriger.at/mervc/Dinerecal/trimewCard/opUnditorm/pques.php?confirm

These scripts are universal. Function depends on parameter only.
?confirm = trojan
?captcha = config file
without parameter = drop zone
?ip = ip check

jackberri · April 20, 2010, 09:40:00 am

IP Location: United States Houston Acronoc Inc
IP 69.80.228.12
[hosted.by.x5x-noc.ru]
AS19166

Code: [Select]

hxxp://genderswar.co.cc/changed3/newcfg.binmd5sum ===> b040a2bfb5e1242e26a1e8a15ac68b37
SHA256 ===> 40c8c455eacd3e87617de68442bf535139fc844f985631194b29704653be6d65

Code: [Select]

hxxp://genderswar.co.cc/changed3/ldr.exemd5sum ===> 0be1b3b740367dfea3e2966a82b8d7f5
SHA256 ===> 003476517fbf710da39f9cdc1881873e3a9ad9cfc69181360759b94cb6406c85
http://www.virustotal.com/es/analisis/003476517fbf710da39f9cdc1881873e3a9ad9cfc69181360759b94cb6406c85-1271755465
VT 14/41 (34.15%)

Code: [Select]

hxxp://genderswar.co.cc/changed3/guests1/gate.php

jackberri · April 20, 2010, 10:09:23 am

IP Location: Russian Federation Moscow Tetracom Cjsc
IP 193.148.47.82
AS34840

Code: [Select]

hxxp://myperfection.ru/forum2/viewtopic.php

jackberri · April 21, 2010, 07:44:23 pm

IP Location: Russian Federation Moscow Vline Ltd
IP 109.196.143.59
AS39150

Code: [Select]

hxxp://pares.biz/bong0.bmpmd5sum ===> b92290fa7f2d344a3529c678560d3e74
SHA256 ===> 25ca16f31198c614cbab65b31978b7de096d9276b4c8eb6ef4fc4c18b17d1604

Code: [Select]

hxxp://pares.biz/cristd32.exemd5sum ===> ec7fc197f8ce71f440c11182d79da563
SHA256 ===> a2c3e6f832eb0987db2c5e8cdbbbe0d2a401a748d7ba1c93f1988769837e2975
http://www.virustotal.com/es/analisis/a2c3e6f832eb0987db2c5e8cdbbbe0d2a401a748d7ba1c93f1988769837e2975-1271878591
VT 0/42 (0%)

Code: [Select]

hxxp://klastf.ru/index1.php

jackberri · April 23, 2010, 10:16:34 pm

IP Location: China Langfang Development Area Huarui Xintong Network
IP 119.255.23.16
AS4837

Code: [Select]

hxxp://www.softkill.in/server/config.binmd5sum ===> 5ede4de4539bdae744cf3f7f3ca9d657
SHA256 ===> c7643f8c37478d081c914a7c668dd7a65cc4dbcf2e8b4b4bcfa6f4947dea400d

Code: [Select]

hxxp://www.softkill.in/server/bot.exemd5sum ===> 1bca13f5e6aa61d157ada561ef2cd06f
SHA256 ===> 25f671c26acd6b1cdaf23808a0999caf4cf345031e55b2232cc12d5d2d084f2a
http://www.virustotal.com/analisis/25f671c26acd6b1cdaf23808a0999caf4cf345031e55b2232cc12d5d2d084f2a-1271695068
VT 27/40 (67.50%)

Code: [Select]

hxxp://www.softkill.in/server/gate.php

Code: [Select]

hxxp://popunserv.com/calc.xlsmd5sum ===> 340c2afde2ac26fc89df9b997ea07cda
SHA256 ===> f541438b73e38e4becf841b4cd76fe0b7b6716e4c5773de4704680afee837c0c

Code: [Select]

hxxp://popunserv.com/1.php
(already listed, now online)

Code: [Select]

hxxp://www.lpozz.com/video_secret/az.oggmd5sum ===> 9b5005d256380b81bffae88d29807c1e
SHA256 ===> 51378e9e531e1ca48b3f463b8ac1929dc64eef707e4ded473296ca60362bd5e5

Code: [Select]

hxxp://www.lpozz.com/odrstgvsl/in_12131.php

jackberri · April 27, 2010, 10:48:24 am

IP Location: United States Columbus Enet Inc
IP 207.182.135.7
[7.87.b6.static.xlhost.com]
AS10297

Code: [Select]

hxxp://vinnlife.info/logs/thisisencryptionkey9.binmd5sum ===> 3e5961ef08f35ae917678249fcd068ae
SHA256 ===> 479b4c1f067fcda7d9cb124fe99363cdbc5e9d3c7fa1641f96251874488f613c

Code: [Select]

hxxp://vinnlife.info/logs/logo.jpgmd5sum ===> 66f800090eef6410a1cda0f084400cea
SHA256 ===> a0ebe90562d83986f64fcdc6316d7b993078366f511e65e5301daa7b9adc0429

Code: [Select]

hxxp://vinnlife.info/logs/logo.exemd5sum ===> 65b316c067243d5e9f325b820ef30838
SHA256 ===> 10124447bb4f650db42fcf5ff8c4bd8acab8c3679ed8747d4387a24d609cf10f
http://www.virustotal.com/es/analisis/10124447bb4f650db42fcf5ff8c4bd8acab8c3679ed8747d4387a24d609cf10f-1272364732
VT 27/41 (65.86%)

related:

IP Location: Russian Federation East-siberian State Technological University
IP 86.110.96.29
AS35335

Code: [Select]

hxxp://cactus.esstu.ru/unesco/.ldjahs/botca2.exemd5sum ===> 601e77d9ee7b05dbd7c077929945b947
SHA256 ===> 86c7e64e7c42eb03e027487157041588a8d394a8648c171529b9d1f28fe58791
http://www.virustotal.com/es/analisis/86c7e64e7c42eb03e027487157041588a8d394a8648c171529b9d1f28fe58791-1272363276
VT 29/41 (70.74%)

Code: [Select]

hxxp://cactus.esstu.ru/unesco/.ldjahs/botca3.exemd5sum ===> 0cc99286850b6050fa07159fb0be6c4d
SHA256 ===> 8d6a74ba2f6f90c5e51d1dec1a64abbdd1c80bd6410e2fa79376117eb4e8f74f
http://www.virustotal.com/es/analisis/8d6a74ba2f6f90c5e51d1dec1a64abbdd1c80bd6410e2fa79376117eb4e8f74f-1272364238
VT 8/41 (19.52%)

Code: [Select]

hxxp://cactus.esstu.ru/unesco/.ldjahs/dexec2.exemd5sum ===> ba7adc27d8011f80ba8bd9704f41f6ec
SHA256 ===> f4b8844fac1d022032d907355e2cc4b175c8754a54ac81e690bf387e0aaf8c53
http://www.virustotal.com/es/analisis/f4b8844fac1d022032d907355e2cc4b175c8754a54ac81e690bf387e0aaf8c53-1272364515
VT 25/41 (60.98%)

jackberri · April 27, 2010, 12:24:47 pm

Quote from: jackberri on April 27, 2010, 10:48:24 am

Code: [Select]
hxxp://cactus.esstu.ru/unesco/.ldjahs/dexec2.exe
related:

Code: [Select]
hxxp://59.44.60.152:443/admin/113.jpgmd5sum ===> 72bbe8f05b65a35f4483cf3fb116db11
SHA256 ===> b34aaf03072a937b12d19550e20b9f7e2a3a85f757aba5ff7f9af05ea64ce709

Author Topic: New Zeus server (Read 395422 times)

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

SysAdMini

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server

jackberri

Re: New Zeus server