Author Topic: SpyEye C&C &files  (Read 39616 times)


December 09, 2010, 10:56:51 am
Reply #45

jackberri

IP Location: France - OVH
IP 178.33.24.108
[morpheus.dialadns.com]
AS16276
ns1.qs-hosting.me
ns2.qs-hosting.me
Registrant/Email Registrant: Milan Mirovic/signjatovich@gmail.com
Code:
netcaffe.info/admin/main/
Code:
hxxp://netcaffe.info/DEL PESCARA.zip
md5sum ===> f459eae9e9baea08d75f8bb7706fcefa

December 09, 2010, 05:10:06 pm
Reply #46

Yossarian

A couple of new C&C URLs...

http://klasterof1.ru/1/qweb.php?guid=<snip>
IP: 208.110.68.189
domain:     KLASTEROF1.RU
nserver:    ns1.nameself.com.
nserver:    ns2.nameself.com.
state:      REGISTERED, DELEGATED, UNVERIFIED
person:     Private Person
phone:      +7 8412 558503
e-mail:     avv20053@rambler.ru
registrar:  REGTIME-REG-RIPN
created:    2010.12.04


http://bp.olofyj.ru/derf/gate.php?guid=<snip>
IP: 91.211.119.167
domain:     OLOFYJ.RU
nserver:    ns1.r01.ru.
nserver:    ns2.r01.ru.
state:      REGISTERED, DELEGATED, VERIFIED
person:     R01 Personal Data Operator protected
phone:      +7 495 7950139 670310
e-mail:     olofyj.ru@r01-service.ru
registrar:  R01-REG-RIPN
created:    2010.12.06

December 12, 2010, 01:57:32 pm
Reply #47

jackberri

IP Location: United States - RR-RC-Wholesale Internet - RoadRunner RR-RC-Wholesale Internet
IP 69.197.135.92
AS32097
Registrant/Email Registrant: Private Person/slava2008@lenta.ru
Code:
hxxp://cravityaz.ru/1/bin/inline.jpg
md5sum ===> 58c86a9027727973a3549ddeb434feab
Code:
hxxp://cravityaz.ru/1/

December 17, 2010, 12:34:14 pm
Reply #48

jackberri

IP Location: United States - RoadRunner RR-RC-Wholesale Internet
IP 204.12.208.106
AS32097
ns3.cnmsn.com
ns4.cnmsn.com
Email Registrant: Emanuel Baneyro/info@findtoup.com
Code:
hxxp://findtoup.com/find/bin/config.bin
md5sum ===> ccac7bc63ee4a751f5a2e012e607bd22
Code:
hxxp://findtoup.com/find/bin/update.exe
md5sum ===> a56e9d6a5ac4f298cbd108ad247fceed
http://www.virustotal.com/file-scan/report.html?id=b15efadf419bfca05f394f7325c866a88d7ad8b0dfffd8e7eeb3ecb11cfbf4fd-1292588947
VT 26/42 (61.9%)
Code:
hxxp://findtoup.com/find/gate.php

December 18, 2010, 09:15:10 am
Reply #49

jackberri

IP Location: Italy - Aruba S.p.a
IP 62.149.128.154
[mxd7.aruba.it]
AS31034
DNS2.TECHNORAIL.COM
DNS.TECHNORAIL.COM
Email Registrant: Gianluca Panchetti/panko@email.it
Code:
hxxp://senzafreni.com/vip/pornTV.exe
md5sum ===> 68f5b706dcad101c4b6a3301826f5a63
http://www.virustotal.com/file-scan/report.html?id=cebe98162e410e1e407bc72894b2023f90c589123bb4f57a7620e52b16f59388-1292663210
VT 28/42 (66.7%)
Code:
hxxp://senzafreni.com/vip/

December 23, 2010, 10:50:29 pm
Reply #50

jackberri

IP Location: Ukraine - Datagroup PRIVATE JOINT STOCK COMPANY
IP 77.222.142.51
AS21219
ns29.domaincontrol.com
ns30.domaincontrol.com
Registrant ID:CR64075198
Registrant/Email Registrant: Registration Private/BROWSECAT.ORG@domainsbyproxy.com
Code:
hxxp://browsecat.org/images/clients/bin/ougrfsdvt.exe
hxxp://kanyx.org/images/clients/bin/ougrfsdvt.exe
hxxp://trimba.org/images/clients/bin/ougrfsdvt.exe
md5sum ===> 330e21be0e12bb30da71a3969433980f
http://www.virustotal.com/file-scan/report.html?id=2e98732dd62b71fe3b4605cd7acad59cef014ce6d84c772b3f500ddfd629c6c2-1293143926
VT 35/43 (81.4%)
Code:
hxxp://browsecat.org/images/clients/bin/ftygkht.exe
hxxp://kanyx.org/images/clients/bin/ftygkht.exe
hxxp://trimba.org/images/clients/bin/ftygkht.exe
md5sum ===> aaa301368a8ffd2c463cfa1473436afc
http://www.virustotal.com/file-scan/report.html?id=c0dec0a55b9270a331ac2dfc633c86175fd69b921a98d0d963a1397cbf15b5be-1293144125
VT 20/43 (46.5%)

December 29, 2010, 08:23:15 pm
Reply #51

jackberri

IP Location: Russian Federation - PIN-AS Petersburg Internet Network LLC
IP 95.215.1.248
[master1.nx0.ru]
AS44050
ns1.nx0.ru
ns2.nx0.ru
Code:
hxxp://sweyes.co.cc/main/bin/config.bin
md5sum ===> 206d140551a94e452cf2a93473a6c0a9
Code:
hxxp://sweyes.co.cc/main/gate.php

January 06, 2011, 07:38:07 pm
Reply #52

jackberri

IP Location: Russian Federation - DELFANET-AS Delfa Network AS
IP 194.0.245.77
AS42533
ns1.dns-diy.net
ns2.dns-diy.net
Registrant/Email Registrant: Idila Gomi/admin@derts3563d.net
Code:
hxxp://derts3563d.net/old_files/root/bin/config.bin
md5sum ===> 159c9d350325bbe92b972bb0e838f97d
Code:
hxxp://derts3563d.net/old_files/root/bin/setup.exe
md5sum ===> d8cb7feac86f0844a45f7c8d3ff94630
http://www.virustotal.com/file-scan/report.html?id=7d1742c17570ede202d3f2afea1f37cb32991758bfb915f12a1619d5e0f70e44-1293711935
VT 36/43 (83.7%)
Code:
hxxp://derts3563d.net/old_files/root/gate.php

January 07, 2011, 07:43:11 am
Reply #53

jackberri

IP Location: Ukraine - it-outsource-as LLC
IP 91.207.182.31
AS48280
NS3.CNMSN.COM
NS4.CNMSN.COM
Registrant ID:orgss91724002656
Registrant/Email Registrant: Whois Privacy Protection Service/kceccpusuc@whoisservices.cn
Code:
hxxp://domain291.org/vppa1/bin/rt.exe
md5sum ===> d58a02ab8a9a9b2b6bc2a98937471b16
http://www.virustotal.com/file-scan/report.html?id=75a8a8ca07a4ed599b3b94f73f647ee4246df57f93fca661f761293150285dfb-1294380844
VT 28/42 (66.7%)
Code:
hxxp://domain291.org/vppa1/bin/sssss.exe
md5sum ===> 87d34819a04cda5ade2e0f460433c234
http://www.virustotal.com/file-scan/report.html?id=b1fde54d830df676673e6b7fb206e22e4cb711c77a524167cb499945b426b364-1294384367
VT 1/42 (2.4%)
Code:
hxxp://domain291.org/vppa1/bin/ddd.exe
md5sum ===> 748f5bbed99bb9d1235396fe88d288c2
http://www.virustotal.com/file-scan/report.html?id=7f219225f93a8e6d6ba23756750cd47fffa5aee109a70867bea56823b31d02d4-1294384732
VT 26/41 (63.4%)
Code:
hxxp://domain291.org/vppa1/bin/hh.exe
md5sum ===> 26ef9c0ac1cf945bb1a49c831eefe7dd
http://www.virustotal.com/file-scan/report.html?id=037c7ba5f8068de81ddc4b0b1f83ad5aeec70aeccae37b7bfcb64c7c047c3833-1294384839
VT 40/43 (93.0%)
Code:
hxxp://domain291.org/vppa1/bin/vp_24_12_2010.exe
md5sum ===> 636c1a74a0a7e285afbd29ada3ea941f
http://www.virustotal.com/file-scan/report.html?id=a4e4f06d009363dd964e8d7c179ebd9967bff32fda80f5775ad9653ba0ae05ab-1294385003
VT 35/41 (85.4%)
Code:
hxxp://domain291.org/vppa1/bin/gfd.exe
md5sum ===> 31cdb88439d363b970c03d5a4c6f86aa
http://www.virustotal.com/file-scan/report.html?id=c930f22feaed93c24e8d2dad3c37567a6ef9562e226c81a8e0e241e379d4bd85-1294385190
VT 33/41 (80.5%)
Code:
hxxp://domain291.org/vppa1/bin/44.exe
md5sum ===> c98aa1796a242491d9a85e0c9bd62ff7
http://www.virustotal.com/file-scan/report.html?id=9d8a1b9822c551c978aef5c51ebef5449166324bed4e9384b534670e6944d81a-1294385378
VT 38/43 (88.4%)
Code:
hxxp://domain291.org/vppa1/bin/234.exe
md5sum ===> 479c784213770a6fa16c8e8bb735b622
http://www.virustotal.com/file-scan/report.html?id=6c47d74d8f14009d466243059fc652e8ac77a2f3fed90b39d4e97a02f31f3b65-1294385644
VT 35/43 (81.4%)
Code:
hxxp://domain291.org/vppa1/bin/jhg.exe
md5sum ===> a795dec6e0eb23505bebb0e4841edf61
http://www.virustotal.com/file-scan/report.html?id=6c47d74d8f14009d466243059fc652e8ac77a2f3fed90b39d4e97a02f31f3b65-1294385644
VT 37/42 (88.1%)
Code:
hxxp://domain291.org/vppb1/zkapida234.php

January 14, 2011, 01:06:54 pm
Reply #54

jackberri

IP Location: China - DXTNET
IP 61.4.82.131
AS17964
ns1.vps-server.ru
ns2.vps-server.ru
Registrant/Email Registrant: Sergey K Frodin/sergeifrodin@list.ru
Code:
hxxp://pornourl.tv/main/bin/config.bin
md5sum ===> 883c947269ee252634186e53713fd46c
Code:
hxxp://pornourl.tv/spicing/notaporn/hook.jpg

January 30, 2011, 04:37:12 pm
Reply #55

jackberri

IP Location: China - Chinanet Jiangsu Province Network
IP 61.147.67.237
AS23650
lovingname.earth.orderbox-dns.com
lovingname.mars.orderbox-dns.com
lovingname.mercury.orderbox-dns.com
lovingname.venus.orderbox-dns.com
Registrant/Email Registrant: ramunas ltd/jamalek39@hotmail.co.uk
Code:
hxxp://mailservicenail.com/8956mainadmin/rxtdcfyvgubhinj.php
IP Location: Latvia - GENERALSERVICE-AS
IP 91.193.194.168
AS42872
ns1.fhfhfe880.com
ns2.fhfhfe880.com
Registrant/Email Registrant: Georg Nichalski/r1singmoon@gmail.com
Code:
hxxp://fhfhfe880.com/mains/bin/config.bin
md5sum ===> 55ebc79acc5581cc2f36c77006518e9c
Code:
hxxp://fhfhfe880.com/mains/bin/200.exe
md5sum ===> b845ae293007a49f1a104c561bd35733
http://www.virustotal.com/file-scan/report.html?id=2a48afac05b6cede55772a53b8af331db0e094eec5b7a1daf0dd03fcf5f0eb16-1296404398
VT 33/43 (76.7%)
Code:
hxxp://fhfhfe880.com/mains/gate.php

February 05, 2011, 05:21:08 pm
Reply #56

jackberri

IP Location: United Kingdom - Didjief Internation Kulinari Koncept Llc - XISOFT-AS XISOFT SRL
AS48709
Code:
hxxp://91.200.240.7/Yh89RfaPh7bBss1zOFn7saOaOOa/bin/config.bin
md5sum ===> 1c9da99c89b06e0b5b111ea102498709
Code:
hxxp://91.200.240.7/Yh89RfaPh7bBss1zOFn7saOaOOa/bin/build___who.exe
md5sum ===> d7578e550c0a4d4aca0cfd01ae19a331
http://www.virustotal.com/file-scan/report.html?id=3d509341107a9577899918ef3b2b63ceda0fcbcd09976e79e94610a3cf674b8a-1296919687
VT 24/43 (55.8%)
Code:
hxxp://91.200.240.7/Yh89RfaPh7bBss1zOFn7saOaOOa/gate.php

February 16, 2011, 03:21:17 pm
Reply #57

jackberri

IP Location: United States - THEPLANET-AS2
IP 174.123.144.11
[ns1.siteground307.com]
AS21844
NS3.AFRAID.ORG
NS2.AFRAID.ORG
NS4.AFRAID.ORG
NS1.AFRAID.ORG
Registrant/Email Registrant: Mirzik Zaris/newdomains@siteground.com
Code:
hxxp://uzimtasnikas.com/main/bin/config.bin
md5sum ===> ec009e2efb14e6c93ed7f5a670e349e3
Code:
hxxp://uzimtasnikas.com/main/gate.php

February 18, 2011, 10:47:06 am
Reply #58

jackberri

IP Location: Ukraine - Didjief Internation Kulinari Koncept Llc - XISOFT-AS XISOFT SRL
IP 91.200.241.251
AS48709
Name Server: yns2.yahoo.com yns1.yahoo.com
Registrant/Email Registrant: Andrew Hett/hett.andrew@yahoo.com
Code:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/config.bin
md5sum ===> 7fbfaac9702922a887dd826e58733fa8
Code:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/program.exe
md5sum ===> 49b9ea0cf3c0677b92f2db6a6ae63c39
http://www.virustotal.com/file-scan/report.html?id=280474b73ed5c32244b301164df4ebdf844e87fd0ea415e9b56744fd318ce83b-1298025305
VT 5/43 (11.6%)
Code:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/signed.exe
md5sum ===> 69e5af1c398f70e4f61c7c642cefc328
http://www.virustotal.com/file-scan/report.html?id=3d509341107a9577899918ef3b2b63ceda0fcbcd09976e79e94610a3cf674b8a-1296919687
VT 15/42 (35.7%)
Code:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/spy_upx_signed.exe
md5sum ===> 1d7f516c08833d543ca2feae45ef81a2
http://www.virustotal.com/file-scan/report.html?id=fc12bede445315a39c079f8fa4afefbf1238a14e8add536171ec58de6b606a67-1298025244
VT 10/43 (23.3%)
Code:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/gate.php

February 18, 2011, 05:20:43 pm
Reply #59

jackberri

IP Location: Russian Federation - 2x4.ru Network
[heihachi.net]
AS41947
Code:
http://92.241.164.67/account/bin/config.bin
md5sum ===> 54f6ba404980ab4246b0ee6b5d391c65
Code:
http://92.241.164.67/account/bin/2.exe
md5sum ===> 33a577ec6415719819b5814eabd24eb0
http://www.virustotal.com/file-scan/report.html?id=0fb5fa1f5d4a9595e0aa109a41788de73e796d91eed84810db91c3388703bf21-1298048742
VT 5/43 (11.6%)
Code:
http://92.241.164.67/account/bin/msdll.exe
md5sum ===> 5e3aaf667437148ff8afdb1ed2ef46ec
http://www.virustotal.com/file-scan/report.html?id=12e50095bacfb7db930ee1c0f9e8d5ad86a0e7ef5f87ec8078f5f3be88732d7f-1298048516
VT 6/43 (14.0%)
Code:
http://92.241.164.67/account/bin/rtsshare.exe
md5sum ===> f097f811dd94df3d642deb5f3e6fe547
http://www.virustotal.com/file-scan/report.html?id=837bc7e1a21e484a1ab0fe4582d8feb2dc3eb5b2ac7feaf8772347ff69766b1d-1298049013
VT 3/43 (7.0%)
Code:
http://92.241.164.67/account/bin/sysdfd.exe
md5sum ===> 3500bfb90db9d500b9e73929e0ebde27
http://www.virustotal.com/file-scan/report.html?id=837bc7e1a21e484a1ab0fe4582d8feb2dc3eb5b2ac7feaf8772347ff69766b1d-1298049013
VT 6/43 (14.0%)
Code:
http://92.241.164.67/account/gate.php