Malware Domain List

Malware Related => Malicious Domains => Topic started by: cr4shm0ney on August 09, 2010, 08:49:40 pm

Title: 89.149.227.252/f/getcfg.php ?
Post by: cr4shm0ney on August 09, 2010, 08:49:40 pm
Anyone know what this is? Should it be listed on the MDL?
Title: Re: 89.149.227.252/f/getcfg.php ?
Post by: SysAdMini on August 09, 2010, 09:54:42 pm
Don't know. Returns 404 here.

hxxp://89.149.227.252/

shows a login page. Title is "Pirated-Edition".
Title: Re: 89.149.227.252/f/getcfg.php ?
Post by: eoin.miller on August 09, 2010, 10:29:42 pm
Could be related to silentbanker?

Code:
   * The following GET requests were made:
          o ~ipcount/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&c=10&v=21&b=6&z=21762543
          o ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&c=10&v=21&b=6&z=21762543
          o ~ipcount/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&c=20&v=21&b=6&z=21762543

    * The data identified by the following URLs was then requested from the remote web server:
          o http://72.29.67.30/~ipcount/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&v=21&b=6&c=4&z=21762543
          o http://202.71.100.103/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&v=21&b=6&c=4&z=21762543

http://www.threatexpert.com/report.aspx?md5=3fa46ac7652a1d5ea5275e564b0c60a3

Also:
Code:
    * The data identified by the following URLs was then requested from the remote web server:
          o http://ertanuskayert.com/Wmo1/1f0SQ0Qlw0or4Pp8Zry
          o http://209.160.20.34/spm/s_alive.php?id=57533320756088734268914066140505&tick=121843&ver=419&smtp=ok
          o http://78.159.121.49/w/getcfg.php
          o http://utorganedoskaw.com/files/_Add_._d_
          o http://utorganedoskaw.com/files/_GUI_._d_
          o http://utorganedoskaw.com/files/_SC_._d_
          o http://utorganedoskaw.com/files/_Upd_._d_
          o http://utorganedoskaw.com/files/avp21_d_/_1_._d_
          o http://utorganedoskaw.com/files/_AVE_._d_
Source: http://www.threatexpert.com/report.aspx?md5=71478079935d11d7ff76164a563f4f31
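As an added example (not part of the thread, the MDL, or the ThreatExpert reports quoted above), the script below pulls getcfg.php check-ins out of a proxy log and groups the contacted hosts by bot id. The log layout ("timestamp client-ip method url status") is an assumption, and the sample lines are constructed from the URLs quoted in this thread, with one benign example.com request as noise; the id/c/v/b/z parameter names are the ones visible in the quoted check-in URLs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not from the thread or from ThreatExpert).
# Layout assumed: "timestamp client-ip method url status", one request per line.
# The URLs are the ones quoted in the thread; the example.com line is benign noise.
SAMPLE_LOG = """\
2010-08-09T20:49:40Z 10.0.0.15 GET http://89.149.227.252/f/getcfg.php 404
2010-08-09T20:50:02Z 10.0.0.15 GET http://72.29.67.30/~ipcount/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&v=21&b=6&c=4&z=21762543 200
2010-08-09T20:50:40Z 10.0.0.15 GET http://202.71.100.103/ww8/getcfg.php?id=7BA89979-3476-400F-AF5B-5CD9F895E765&v=21&b=6&c=4&z=21762543 200
2010-08-09T20:51:11Z 10.0.0.22 GET http://www.example.com/index.php?page=getcfg.php 200
2010-08-09T20:52:30Z 10.0.0.15 GET http://78.159.121.49/w/getcfg.php 200
"""

# Query parameters carried by the check-in URLs quoted in the thread;
# a parameter that is absent from a URL is recorded as None
BEACON_PARAMS = ("id", "c", "v", "b", "z")


def parse_line(line):
    """Split one log line into the five assumed whitespace-separated fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def is_getcfg_checkin(url):
    """True when the request path ends in /getcfg.php, whatever directory precedes it
    (the thread shows /f/, /w/, /ww8/ and /~ipcount/ww8/). Matching on the path,
    not the whole URL, keeps a query string that merely mentions getcfg.php from firing."""
    return urlsplit(url).path.endswith("/getcfg.php")


def extract_beacon_fields(url):
    """Pull host, path and the id/c/v/b/z query parameters out of a check-in URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fields = {"host": parts.hostname, "path": parts.path}
    for name in BEACON_PARAMS:
        fields[name] = query.get(name, [None])[0]
    return fields


def find_checkins(log_text):
    """Return a record for every getcfg.php request in the log, with beacon fields added."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_getcfg_checkin(rec["url"]):
            rec.update(extract_beacon_fields(rec["url"]))
            hits.append(rec)
    return hits


def hosts_by_bot_id(hits):
    """Group the C2 hosts contacted under each bot id (sorted for stable output).
    One id hitting several hosts is the rotation visible in the ThreatExpert
    listing quoted above, where the same id goes to 72.29.67.30 and 202.71.100.103."""
    groups = defaultdict(set)
    for rec in hits:
        if rec["id"]:
            groups[rec["id"]].add(rec["host"])
    return {bot_id: sorted(hosts) for bot_id, hosts in groups.items()}


if __name__ == "__main__":
    checkins = find_checkins(SAMPLE_LOG)
    for rec in checkins:
        print(rec["ts"], rec["client"], "->", rec["host"], rec["path"], "id=", rec["id"], "c=", rec["c"])
    for bot_id, hosts in hosts_by_bot_id(checkins).items():
        print(bot_id, "contacted", ", ".join(hosts))
```

Run as-is to see the four check-ins and the id-to-hosts grouping; the 404 on 89.149.227.252 still appears in the output because a failed fetch of the config is just as useful a hunting lead as a successful one.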
Title: Re: 89.149.227.252/f/getcfg.php ?
Post by: CkreM on August 10, 2010, 08:39:31 am
It's probably BlackEnergy:
http://www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2