Author Topic: SpyEye C&C & files (Read 41957 times)


February 18, 2011, 08:22:05 pm
Reply #60

jackberri

hxxp://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/config.bin
md5sum ===> 7fbfaac9702922a887dd826e58733fa8

http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/spy_upx_signed.exe
md5sum ===> 1d7f516c08833d543ca2feae45ef81a2
http://www.virustotal.com/file-scan/report.html?id=fc12bede445315a39c079f8fa4afefbf1238a14e8add536171ec58de6b606a67-1298059818
VT 18/43 (41.9%)

http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/signed.exe
md5sum ===> 69e5af1c398f70e4f61c7c642cefc328
http://www.virustotal.com/file-scan/report.html?id=c5e07640599982c35aea5fdfcdc31022231b6a75291f280749c775a09115d0b6-1298059884
VT 20/41 (48.8%)

http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/program.exe
md5sum ===> 49b9ea0cf3c0677b92f2db6a6ae63c39
http://www.virustotal.com/file-scan/report.html?id=280474b73ed5c32244b301164df4ebdf844e87fd0ea415e9b56744fd318ce83b-1298060139
VT 17/43 (39.5%)

http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/gate.php

February 21, 2011, 06:44:10 am
Reply #61

jackberri

http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/song18_signed.exe
http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/song18_signed.exe
md5sum ===> 55494d984400d4ede235bd8106199120
http://www.virustotal.com/file-scan/report.html?id=3db2b7c2f7d3daaf9fe1607e1439c3303c286bf35abbb01d18c1307c8f6bb77d-1298269744
VT 17/43 (39.5%)

http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/song20_upx_signed.exe
http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/song20_upx_signed.exe
md5sum ===> f5f2b1bc7b17636b6f733863efc7127d
http://www.virustotal.com/file-scan/report.html?id=c838f54e1a29a5ff6d7a690a4dc83f8269b9df2de5e9d69c2d4562368898e8a7-1298269874
VT 1/43 (2.3%)

config file updated:
http://mansoitars.com/T6yRslk8JrR5sOpskHs51L/bin/config.bin
http://91.200.240.7/T6yRslk8JrR5sOpskHs51L/bin/config.bin
md5sum ===> bed6a0d0282da512675a486db9d543af

February 21, 2011, 07:35:19 am
Reply #62

jackberri

IP Location: Ukraine - Didjief Internation Kulinari Koncept Llc - XISOFT-AS XISOFT SRL
IP 91.200.241.251
AS48709
Name Server: yns2.yahoo.com yns1.yahoo.com
Registrant/Email Registrant: Willie Vanhoy/vanhoywillie@yahoo.com

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/config.bin
md5sum ===> bed6a0d0282da512675a486db9d543af

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/program.exe
md5sum ===> 49b9ea0cf3c0677b92f2db6a6ae63c39

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/signed.exe
md5sum ===> 69e5af1c398f70e4f61c7c642cefc328

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/spy_upx_signed.exe
md5sum ===> 1d7f516c08833d543ca2feae45ef81a2

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/song18_signed.exe
md5sum ===> 55494d984400d4ede235bd8106199120

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/bin/song20_upx_signed.exe
md5sum ===> f5f2b1bc7b17636b6f733863efc7127d

http://bavolpatam.com/T6yRslk8JrR5sOpskHs51L/gate.php

February 23, 2011, 08:58:13 am
Reply #63

jackberri

IP Location: Ukraine - FINACTIVE-AS
IP 193.186.9.97
AS44209
Name Server: NS1.EVERYDNS.NET  NS2.EVERYDNS.NET
Registrant/Email Registrant: Anton Unosov/admin@contentserver.ru

http://bigbadaboomboom.in/images/bin/upload/killcookies.exe
http://bigbadaboomboom.in/images/bin/upload/killcookies1.exe
md5sum ===> 140aba32a1057502e4898fb920657519
http://www.virustotal.com/file-scan/report.html?id=f63f85e92f9650719c39e3bf3d87235b4469c77b42f6f8547f9705c57f560053-1298450796
VT 2/43 (4.7%)

http://bigbadaboomboom.in/images/

February 24, 2011, 10:20:31 am
Reply #64

jackberri

IP Location: Romania - CH-NET-AS CH-NET SRL
IP 188.240.32.164
AS41011
Name Server: ns-usa.topdns.com  ns-uk.topdns.com  ns-canada.topdns.com

http://milinewo.be/_cp/bin/config.bin                 md5sum ===> cd87da6b8d80b1197a567c3b8e9d5763

http://milinewo.be/_cp/bin/calc.exe                   md5sum ===> bdeecd7aa2ccbf3dbfce9ccc325e1c16
http://www.virustotal.com/file-scan/report.html?id=834a410a2d42bff29febb7fdc4ef3a2b6d804fa13852571061bf5f7138f2cab9-1298541085
VT 3/43 (7.0%)

http://milinewo.be/_cp/bin/b2.exe                     md5sum ===> 93545d66e2288e4a6fcb2fdb92dbb157
http://www.virustotal.com/file-scan/report.html?id=dd99992541a2254ede9f9b4907f3830d0ca38264ce6661b4e6985d1552a0afdd-1298541038
VT 26/43 (60.5%)

http://milinewo.be/_cp/bin/build.exe                  md5sum ===> 255d1750aafc6705c992648f2f461db5
http://www.virustotal.com/file-scan/report.html?id=d77c78e2072153e437f854aa3d677d8b985680d1b58fa48089a93889befac0c2-1298541693
VT 34/43 (79.1%)

http://milinewo.be/_cp/gate.php

IP Location: Romania - Titan Net - Enter-Net-Team-AS
IP 94.63.246.102
AS38913
Name Server: ns1.dns-diy.net  ns2.dns-diy.net
Registrant/Email Registrant: Andre Mazen/admin@porohh.net

http://porohh.net/ponelko/bin/config.bin               md5sum ===> 3d320e51a88aef8f97309f7ec0e0fa4d
http://porohh.net/ponelko/gate.php

February 25, 2011, 04:03:20 pm
Reply #65

jackberri

IP Location: Germany - NETDIRECT AS
IP 84.16.243.232
[84-16-243-232.local]
AS28753
Name Server: ns1.ipchecker006.com 84.16.243.232  ns2.ipchecker006.com 78.159.96.95
Registrant/Email Registrant: Nikolay A Alukov/checkip4u@yahoo.com

http://ipchecker006.com/us5/bin/config.bin             md5sum ===> ec221241aabd28d7832d29df48706579
http://ipchecker006.com/us/bin/config.bin              md5sum ===> 32c8f3a474fcb1617f1164ebee20cf61
http://ipchecker006.com/us5/bin/1305.exe               md5sum ===> 7353d64c74c2fcaee4a2c87717611997
http://www.virustotal.com/file-scan/report.html?id=090f05562b089e8e4b94c4872be71acfcb6c415ec5fddc460352a132a43db7b5-1298649077
VT 23/43 (53.5%)

http://ipchecker006.com/us/bin/1305.exe                md5sum ===> cde940861d204406157169db98a3193e
http://www.virustotal.com/file-scan/report.html?id=fe38963e010d80b1861aa9469a9fe8fa77dec345924f35493c0b26023aa3dfa8-1298649237
VT 25/42 (59.5%)

http://ipchecker006.com/us/bin/1280.exe                md5sum ===> f7ce22047736a258dba27bf06f809d6c
http://www.virustotal.com/file-scan/report.html?id=1cb902c34060da1b57e83e0af8548ccea5dc9db983fe912027146187c096ba27-1298640605
VT 39/43 (90.7%)

http://ipchecker006.com/us5/gate.php
http://ipchecker006.com/us/gate.php

March 02, 2011, 08:44:30 am
Reply #66

jackberri

IP Location: Romania - UPC Broadband
IP 78.97.34.195
AS6830
Name Server: ns1.securitylabok1.com  ns2.securitylabok1.com
Registrant/Email Registrant: Johanna A. Quillen/johannaaquillen1171@gmail.com

http://securitylabok1.com/mypanel/bin/config.bin                 md5sum ===> cf5d2357c08ff31b6bad7528924f65a5
http://securitylabok1.com/mypanel/

March 08, 2011, 02:37:23 pm
Reply #67

jackberri

IP Location: Romania - CH-NET-AS CH-NET SRL
AS41011

http://188.240.32.164/1/config.bin                             md5sum ===> 1c16ecb152e08350b1a29b63570e39a3
http://188.240.32.164/nfjgA/bin/spy.exe                        md5sum ===> 3a32de8e3a55a1368309e6507b9a28b1
http://188.240.32.164/nfjgA/bin/calc.exe                       md5sum ===> bdeecd7aa2ccbf3dbfce9ccc325e1c16
http://188.240.32.164/nfjgA/
http://www.virustotal.com/file-scan/report.html?id=ecc523216ceeb72f8fe892a11d7025b54f844bf36687e8f6e2b9837044458129-1299591491
VT 23/43 (53.5%)
http://www.virustotal.com/file-scan/report.html?id=834a410a2d42bff29febb7fdc4ef3a2b6d804fa13852571061bf5f7138f2cab9-1299594382
VT 35/43 (81.4%)

March 09, 2011, 05:10:23 pm
Reply #68

jackberri

IP Location: Russian Federation - DINET-AS
IP 92.38.233.192
AS12695
Name Server: NS3.CNMSN.COM. NS4.CNMSN.COM
Registrant/Email Registrant: Tas Lodon/admin@rantigalta-industrellio.net

http://rantigalta-industrellio.net/main/bin/54hj45j3.exe                        md5sum ===> 4e2d6a23618f15c2e49059686d94ada3
http://rantigalta-industrellio.net/main/
http://rantigalta-industrellio.net/main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10299&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=2C684F2A&md5=4e2d6a23618f15c2e49059686d94ada3
http://www.virustotal.com/file-scan/report.html?id=401bc1f200cb535074bb6fd6a8fb1ecf59dbe4e650dbae12043eab4b63f344ee-1299690213
VT 8/40 (20.0%)
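The gate.php request quoted in Reply #68 is the bot's check-in: it reports the bot id (guid), build (ver), OS and IE versions, and the MD5 of the dropper that installed it. The following is an added example, not code from the thread, showing how a defender can pick such check-ins out of web proxy logs and cross-reference the reported MD5 against the hashes posted in this thread. The proxy log format, the 198.51.100.7 host and the second check-in line are constructed for the illustration; the parameter names come from the quoted request.

```python
"""
Detect SpyEye-style gate.php check-ins in web proxy logs.

Added example, not code from the thread. The parameter names follow the
gate.php request quoted in Reply #68; the proxy log lines and the
198.51.100.7 host are constructed for this illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters carried by the check-in URL quoted in the thread.
SPYEYE_PARAMS = {"guid", "ver", "stat", "ie", "os", "ut", "cpu", "ccrc", "md5"}

# Dropper MD5s posted in this thread (lower-case hex); extend as needed.
KNOWN_MD5 = {
    "4e2d6a23618f15c2e49059686d94ada3",  # 54hj45j3.exe (Reply #68)
    "47e2200886fcf34bd8b835fd01353034",  # 1310.exe (Reply #70)
    "483894e94253b866bc498d7c2c84cfd0",  # update.exe (Reply #71)
}

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_checkin(url):
    """Return the check-in fields of a SpyEye-style gate.php URL, or None.

    The path must end in gate.php and the query must carry at least the
    guid, ver and md5 parameters seen in the thread's sample request.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("gate.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items()}
    if not {"guid", "ver", "md5"} <= set(fields):
        return None
    return fields


def classify(url):
    """Summarise one check-in: bot id, build, claimed dropper MD5, and
    whether that MD5 is already in the known-sample list."""
    fields = parse_checkin(url)
    if fields is None:
        return None
    md5 = fields["md5"].lower()
    return {
        "host": urlsplit(url).hostname,
        "guid": fields["guid"],
        "ver": fields["ver"],
        "md5": md5,
        "known_hash": md5 in KNOWN_MD5,
        # Parameters outside the documented set hint at a different build.
        "extra_params": sorted(set(fields) - SPYEYE_PARAMS),
    }


def scan_log(text):
    """Run classify() over every well-formed log line; return the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        result = classify(url)
        if result is not None:
            result["ts"] = ts
            result["client"] = client
            hits.append(result)
    return hits


# Constructed sample log: the first URL is the one quoted in Reply #68,
# the second is benign noise, the third a check-in with an unknown MD5.
SAMPLE_LOG = """\
2011-03-09T17:10:23Z 10.0.0.15 GET http://rantigalta-industrellio.net/main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10299&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=2C684F2A&md5=4e2d6a23618f15c2e49059686d94ada3 200
2011-03-09T17:11:02Z 10.0.0.22 GET http://www.example.com/index.php?page=gate.php 200
2011-03-09T17:12:45Z 10.0.0.31 GET http://198.51.100.7/panel/gate.php?guid=WS7!HOST!0BADF00D&ver=10310&stat=ONLINE&md5=ffffffffffffffffffffffffffffffff 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A check-in whose md5 is not in the known list is still worth an alert: the URL shape alone identifies the family, and the reported hash is a new sample to pull from the infected host.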

March 10, 2011, 01:55:27 am
Reply #69

APACHE

IP Location: Russian Federation - DINET-AS
IP 92.38.233.192
AS12695
Name Server: NS3.CNMSN.COM. NS4.CNMSN.COM
Registrant/Email Registrant: Tas Lodon/admin@rantigalta-industrellio.net

http://rantigalta-industrellio.net/main/bin/dd99.exe
VT 18/43  MD5: 2c29360fe503cecd7a4ef1648eba7e83
http://www.virustotal.com/file-scan/report.html?id=92b7ba0bcbb24c5c0224210890493e270b5288b4c67249f74e8aed72fe959c4d-1299721595

http://rantigalta-industrellio.net/main/bin/ghk6g3.exe
VT 21/42  MD5: f01c2beff8fb41ba560fe39b690f935b
http://www.virustotal.com/file-scan/report.html?id=01f3a5836f8553aac7fd0175d7051c67f3637d09910f4fb64f3f973966fb4644-1299721628

http://rantigalta-industrellio.net/main/bin/hhf64f3.exe
VT 29/42  MD5: 87994045cabb730e0d66d73e3fc219e1
http://www.virustotal.com/file-scan/report.html?id=4f0d9b316b60d38d1e49e451bfbf628fd4b8eb4f8ae7fd4fcb1129d999bbb1d9-1299721463

March 13, 2011, 08:40:04 am
Reply #70

jackberri

http://ipchecker006.com/us6/bin/config.bin       md5sum ===> 4afdc09dc9c03d1fd4cda7c2c95d23d5
http://ipchecker006.com/us6/bin/1310.exe         md5sum ===> 47e2200886fcf34bd8b835fd01353034
http://ipchecker006.com/us6/gate.php
http://www.virustotal.com/file-scan/report.html?id=4f0d54620592be8cc0418fed8e3385a9c0f3f2bb453e3f073fc18caed937c424-1300005054
VT 3/43 (7.0%)

March 13, 2011, 06:22:41 pm
Reply #71

jackberri

IP Location: Russian Federation - PINROUTE - PIN-AS Petersburg Internet Network LLC
IP 46.161.29.68
AS44050
Name Server: ns1.sslverisign.ru. 46.161.29.67   ns2.sslverisign.ru. 46.161.29.68
Registrant/Email Registrant: Private Person/dns@sslverisign.ru

http://sslverisign.ru/neo/bin/config.bin               md5sum ===> 7a46b693de83066896acbf23ba0f546a
http://sslverisign.ru/neo/bin/update.exe               md5sum ===> 483894e94253b866bc498d7c2c84cfd0
http://sslverisign.ru/neo/gate.php
http://www.virustotal.com/file-scan/report.html?id=65bdc7f7ddc4c080b4ddd8b29416c1aaffd86039b7201df9e5b6fc5d1c682b15-1300040077
VT 6/43 (14.0%)

March 26, 2011, 05:40:13 pm
Reply #72

jackberri

related SpyEye malware:

IP Location: United Kingdom - CTIHK CITY TELECOM (HK) LTD
IP 91.207.192.37
AS9269
Name Server: ns1.hostecon.com  ns2.hostecon.com

http://madsmac.com/tish/cb.exe                    md5sum ===> 85007e984d79c952f465e207afda6e59
http://www.virustotal.com/file-scan/report.html?id=142d736d933aa0ed120b2a38aa6aec8e6252a17e92a2fcc8104b161da5a40afe-1301152163
VT 23/41 (56.1%)

March 27, 2011, 05:54:57 pm
Reply #73

jackberri

IP Location: Lithuania - SPLIUS-AS SPLIUS, UAB
IP 77.79.4.200
[hst-4-200.duomenucentras.lt]
AS25406
Name Server: ns1.freedns.ws  ns2.freedns.ws
Registrant/Email Registrant: Private Person - UOL/gaze@bigmailbox.ru

http://newnut.ru/media/bin/config.bin                    md5sum ===> 8acd3f5413f93f471dcf6f31d2f6785f
http://newnut.ru/media/bin/support.exe                   md5sum ===> 6af3b246548f9d8c5f7374b4edbfbaf5
http://www.virustotal.com/file-scan/report.html?id=0099f35760198f5d51273b068ae0ea29078fd6c57132da3cc1914ba3648f3355-1301247818
VT 6/43 (14.0%)
sigcheck:
publisher....: BitDefender S.R.L.
copyright....: Copyright (C) 2010
product......: BitDefender 2010
description..: BitDefender Agent
original name: bdagent.exe
internal name: BDAgent
file version.: 13,0,20,4
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

related:

http://rapidshare.com/files/453988800/manga.jpg                    md5sum ===> 5ee7467964f38c7c27a14aad726526da
http://www.virustotal.com/file-scan/report.html?id=ceadf583be647a1c6451d7dd48a03d4859d3f5d35aed38c42fa48613bd341804-1301246484
VT 3/41 (7.3%)
sigcheck:
publisher....: BitDefender S.R.L.
copyright....: Copyright (C) 2010
product......: BitDefender 2010
description..: BitDefender Agent
original name: bdagent.exe
internal name: BDAgent
file version.: 13,0,20,4
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

http://easy-upload.nl/f/V6R7CkeW                    md5sum ===> ac1332094ab44fbaa2168392805ed5d7
http://www.virustotal.com/file-scan/report.html?id=cecd3cac99d4771bd1501fea72662a81d1ff63f877c0b717aafde66bb58dc19e-1301245790
VT 6/42 (14.3%)
sigcheck:
publisher....: BitDefender S.R.L.
copyright....: Copyright (C) 2010
product......: BitDefender 2010
description..: BitDefender Agent
original name: bdagent.exe
internal name: BDAgent
file version.: 13,0,20,4
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
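The three sigcheck records above share a telling pattern: the version resource claims BitDefender as publisher and bdagent.exe as original name, yet the file is unsigned and was dropped under a different name (support.exe, manga.jpg). The following is an added example, not code from the thread, that turns that observation into a triage check over sigcheck-style output. The "key....: value" layout is the one shown above; the SIGNED_VENDORS list and the second, legitimately signed sample record are constructed assumptions for the illustration.

```python
"""
Flag a binary whose version resource impersonates a security vendor but
that carries no valid Authenticode signature, from sigcheck-style output.

Added example, not code from the thread. It parses the "key....: value"
layout of the sigcheck output quoted above; SIGNED_VENDORS and the second
(signed) sample record are constructed assumptions for the illustration.
"""
import re

# "publisher....: BitDefender S.R.L." -> ("publisher", "BitDefender S.R.L.")
FIELD = re.compile(r"^([a-z ]+?)\.*: (.*)$")

# Vendors whose shipped binaries are expected to be signed (assumption;
# build this from your own software inventory).
SIGNED_VENDORS = {"bitdefender s.r.l.", "microsoft corporation"}


def parse_sigcheck(text):
    """Parse one sigcheck record into a dict keyed by field name."""
    record = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            record[m.group(1).strip()] = m.group(2).strip()
    return record


def assess(disk_name, record):
    """Return (code, detail) findings for the file named disk_name on disk
    whose sigcheck fields are in record. An empty list means nothing odd."""
    findings = []
    publisher = record.get("publisher", "")
    verified = record.get("verified", "")
    original = record.get("original name", "")

    # A claimed vendor that always signs its binaries, yet no valid signature.
    if publisher.lower() in SIGNED_VENDORS and verified.lower() != "signed":
        findings.append(("unsigned_vendor_claim",
                         "publisher '%s' claimed but file is %s"
                         % (publisher, verified or "unverified")))

    # Version resource names a different file than the one found on disk.
    if original and original.lower() != disk_name.lower():
        findings.append(("name_mismatch",
                         "on-disk name '%s' vs original name '%s'"
                         % (disk_name, original)))
    return findings


# Record quoted in the thread for support.exe (Reply #73).
SAMPLE_UNSIGNED = """\
publisher....: BitDefender S.R.L.
copyright....: Copyright (C) 2010
product......: BitDefender 2010
description..: BitDefender Agent
original name: bdagent.exe
internal name: BDAgent
file version.: 13,0,20,4
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
"""

# Constructed record of a legitimately signed system binary, for contrast.
SAMPLE_SIGNED = """\
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft Windows Operating System
description..: Windows Calculator
original name: CALC.EXE
internal name: CALC
file version.: 6.1.7600.16385
comments.....: n/a
signers......: Microsoft Windows
signing date.: n/a
verified.....: Signed
"""

if __name__ == "__main__":
    for name, rec in (("support.exe", SAMPLE_UNSIGNED), ("calc.exe", SAMPLE_SIGNED)):
        print(name, assess(name, parse_sigcheck(rec)))
```

Neither finding on its own proves malice (unsigned vendor builds and renamed copies both occur legitimately), but the two together on a file fetched from a fresh domain are exactly the combination the records above show, and cheap to check at scale.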

March 29, 2011, 06:37:42 am
Reply #74

jackberri

IP Location: Ukraine - KOSMOTEL-AS
IP 195.234.125.206
AS20489
Name Server: NS1.DNS-DIY.NET  NS2.DNS-DIY.NET
Registrant/Email Registrant: Kurban Shaid/admin@cossmar-goiano.asia

http://cossmar-goiano.asia/gdr/bin/config.bin                 md5sum ===> 28db6c042bfdba7d6be80114f0f0d623
http://cossmar-goiano.asia/gdr/bin/upload/msm.exe             md5sum ===> 610dea0c5fc27ee3e8dfb5afe5e7a1bf
http://cossmar-goiano.asia/gdr/gate.php
http://www.virustotal.com/file-scan/report.html?id=a15f27cc99f182ae9ffba8cb7c0653dccfb5cec6ef93ed0a282771ca185a89bb-1301380329
VT 14/41 (34.1%)