Author Topic: SpyEye C&C & files  (Read 40649 times)

July 31, 2010, 08:08:25 am
Reply #15

jackberri

IP Location: China - CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.208
AS4847
Registrant ID:orgte72810921924
Registrant/Registrant Email: Todd Echols/moonbeam@konocti.net
hxxp://planita.org/glavniy/bin/config.bin
md5sum ===> 5b9a920ed14888764139006dc8f3638e

hxxp://planita.org/glavniy/gate.php
IP Location: Moldova - Najada route - INTERACTIVE3D-AS Interactive3D
IP 91.216.122.102
AS49544
Registrant/Registrant Email: John Iles/jhn_iles@yahoo.co.uk
hxxp://seotraffbuss.com/main/bin/config.bin
md5sum ===> 49cbc1f5a1eaddb7f0ae4f2763982ff2

hxxp://seotraffbuss.com/main/bin/build.exe
md5sum ===> c382468075e560f631a96f3794ed2d93
http://www.virustotal.com/es/analisis/89fec3dfca37c60ba4f8813b521cc77721a7c19c8765e83bb74669acdc15bc85-1280530607
VT 15/42 (35.72%)

hxxp://seotraffbuss.com/main/gate.php

July 31, 2010, 06:33:50 pm
Reply #16

jackberri

IP Location: China - CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.234
AS4847
Registrant/Registrant Email: Chang So/changso@yahoo.com
hxxp://festivaloffire.net/ninja/mainp/bin/config.bin
md5sum ===> a9d3d33ac38b1ab6211c6e3a16894f74

hxxp://festivaloffire.net/ninja/mainp/bin/build.exe
md5sum ===> 31eceeb5c09e80ba777351293546e4ac
http://www.virustotal.com/es/analisis/350a09e31a9d3bd90271f252adde96a75ef1b591595d87eb17cc3b2978aee5a7-1280600287
VT 0/41 (0%)

sigcheck:
publisher....: SOFTWIN S.R.L.
copyright....: 5430-8590
product......: ________
description..: BitDefender Management Console
original name: ybca.exe
internal name: _______
file version.: 117.107.24.51
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

hxxp://festivaloffire.net/ninja/mainp/gate.php

August 01, 2010, 05:09:10 pm
Reply #17

jackberri

IP Location: Latvia - BKCNET Autonomous System - BKCNET "SIA" IZZI
IP 91.188.59.205
AS6851
Registrant/Registrant Email: PrivacyProtect.org/contact@privacyprotect.org
hxxp://macromediasetup.com/zombie/load.php?f=1&e=5
downloads ===> exe_1.exe
md5sum ===> cceac57adbdd88aa62f961c1820db6a1
http://www.virustotal.com/es/analisis/d317d01e8b781fc061189c9b81167936177949011a9ecde845a919cabd402f0c-1280681610
VT 3/41 (7.32%)
sigcheck:
publisher....: Macromedia, Inc.
copyright....: Copyright (c) 1996-2003 Macromedia, Inc.
product......: Shockwave Flash
description..: Macromedia Flash Player 7.0 r19
original name: SAFlashPlayer.exe
internal name: Macromedia Flash Player 7.0
file version.: 7,0,19,0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

hxxp://macromediasetup.com/zombie/

related:
IP Location: Russian Federation - NEVAL - NEVAL PE Nevedomskiy Alexey Alexeevich
IP 91.212.198.63
AS49314
Registrant/Registrant Email: Charles Anderson/charlesanderson@hotmailbox.com
hxxp://clickxfinder.com/warrior/bin/big.exe
md5sum ===> 4f6451fb2a24d10692a42f51e87c87b0
http://www.virustotal.com/es/analisis/162ad0a285e0a6748266d1cb67473df7cb802b6f27579c127545c1aa0d9d9a62-1280681720
VT 0/42 (0%)
sigcheck:
publisher....: Hewlett-Packard
copyright....: (c) Hewlett-Packard. All rights reserved.
product......: HpqPhUnl
description..: QHouston
original name: HpqPhUnl.EXE
internal name: HpqPhUnl.exe
file version.: 7.0.0.229
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
hxxp://clickxfinder.com/warrior/bin/corban.exe
md5sum ===> 47f100ef490b28e14452a4eb4d3f5964
http://www.virustotal.com/es/analisis/305fb0dc66b176664bf74d0d4c5cc3440c3e6af7dc8a686ca6f23a83971b9a62-1280682008
VT 7/42 (16.67%)

hxxp://clickxfinder.com/warrior/bin/movie.exe
md5sum ===> cceac57adbdd88aa62f961c1820db6a1

hxxp://clickxfinder.com/warrior/bin/small.exe
md5sum ===> 7b2fa09191276db49b55d7cb6c34961c
http://www.virustotal.com/es/analisis/918468ae8d330d2e0bcfa1c74f91e786bad9d27b4eec60af3cd8f77356c35af5-1280682139
VT 14/42 (33.34%)

hxxp://77.78.240.162/spye/bin/build.exe.crypted.exe
md5sum ===> 84a9aedb378c3ec297a775c1f7fc573a
http://www.virustotal.com/es/analisis/f5294af280e68229590d2061abe80c1f94d13c5a7e5dd1fdd2a7acaa229bc7e2-1280675032
VT 29/42 (69.05%)

August 01, 2010, 07:34:42 pm
Reply #18

jackberri

IP Location: Germany - netdirect Frankfurt - NETDIRECT AS
IP 89.149.202.109
[worlddatahouse.com]
AS28753
Registrant ID: CR44633124
Registrant Email: Jack Sparrow/rapidwaysoft@yahoo.com
hxxp://bassjungle.info/eyjedai123/bin/config.bin
hxxp://detailmaster.info/eyjedai123/bin/config.bin
hxxp://mymusicbrowser.com/eyjedai123/bin/config.bin
md5sum ===> 21a8e27e53fbf757feb8f6d687c92697

hxxp://bassjungle.info/eyjedai123/bin/build.exe
hxxp://detailmaster.info/eyjedai123/bin/build.exe
hxxp://mymusicbrowser.com/eyjedai123/bin/build.exe
md5sum ===> 70bedc4e6b4c5c46cc085d34b57f50b6
http://www.virustotal.com/es/analisis/27641d8e9d0e9d0811dda24968fe76978b25c235d7f8b1c0ee104e308c76041f-1280689635
VT 13/42 (30.96%)
sigcheck:
publisher....: SOFTWIN S.R.L.
copyright....: 8258-3305
product......: ________
description..: BitDefender Management Console
original name: ybmnvxv.exe
internal name: _________
file version.: 93.118.108.22
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
hxxp://bassjungle.info/eyjedai123/bin/upload/rapport.exe
hxxp://detailmaster.info/eyjedai123/bin/upload/rapport.exe
hxxp://mymusicbrowser.com/eyjedai123/bin/upload/rapport.exe
md5sum ===> ae20e2a9d83628c6e5107537c6e37955
http://www.virustotal.com/es/analisis/6533408a8ed01b07d61a4e41e1aafc2056d92a64ec591fcb37f335e1b4b17eb2-1280690016
VT 23/42 (54.77%)

hxxp://bassjungle.info/eyjedai123/bin/upload/rapport1.exe
hxxp://detailmaster.info/eyjedai123/bin/upload/rapport1.exe
hxxp://mymusicbrowser.com/eyjedai123/bin/upload/rapport1.exe
md5sum ===> 7c0d41a2195091bd45a36edf17b06bb8
http://www.virustotal.com/es/analisis/0ac12d867d5c56f8b982a58c968e24badc90875f5a6a3bcca8492d18fe00c0f8-1280689879
VT 4/42 (9.53%)

September 02, 2010, 10:17:53 am
Reply #19

jackberri

IP Location: Moldova - GlobalNET Bosnia - BA-GLOBALNET-AS
IP 77.78.240.172
AS42560
Registrant ID: orgbb80483769715
Registrant Email: qbhzruezwt@whoisservices.cn
hxxp://www.connectionsupport.org/f/bin/Test.exe
md5sum ===> 8725c2a8be3958d04e32dafea21e0929
https://www.virustotal.com/file-scan/report.html?id=9e52cec6a2820780e2a9db45356d9914e4a0434aa9ca366027c2fbb89733a452-1283420725
VT 9/43 (20.9%)

hxxp://www.connectionsupport.org/f/bin/sp.exe
md5sum ===> de47aedc4e2803477c5e6e900c998bfd
https://www.virustotal.com/file-scan/report.html?id=aeb0caf1ccd74577d76a70bae60d3046770c08fcc88477fa10bea1304c45cff7-1283420984
VT 9/43 (20.9%)

hxxp://www.connectionsupport.org/f/bin/config.bin
md5sum ===> 0b5b6811d0fc161b05836ea22e9296d2

hxxp://www.connectionsupport.org/waDWd1aqw/cfg.bin
md5sum ===> 2f18a05db00c78fdcc80d5752aa1eea9

hxxp://www.connectionsupport.org/f/bin/upload/c4te.exe
md5sum ===> 15dac7d9f71724981b7906787260f790
https://www.virustotal.com/file-scan/report.html?id=bd418e230dd2115885034041e7e5b7a11f9aadd29ab154dbc56569c21698948b-1283421379
VT 13/43 (30.2%)

hxxp://www.connectionsupport.org/f/bin/upload/you.exe.crypted.exe
md5sum ===> 4de5435d5cfd354051177d146a182992
http://www.virustotal.com/file-scan/report.html?id=4134beb3feb7518453d614446383f9ae9297b602a79715bd9d14c307dbb64edd-1283421675
VT 11/42 (26.2%)

hxxp://www.connectionsupport.org/waDWd1aqw/Jfu3876HaWf.php

September 07, 2010, 02:50:56 pm
Reply #20

jackberri

hxxp://xableupper.com/cp/bin/build.exe  (corrupted?)
md5sum ===> 66b0905377507cd27b599390e2fe13db
http://www.virustotal.com/file-scan/report.html?id=5ad1c1890a2e7398c65f5667f92a7ef6acd79e17a47770df7875156b662a471a-1283870564
VT 1/43 (2.3%)

hxxp://xableupper.com/cp/bin/build_me.exe.crypted.exe
md5sum ===> 8783d18b331e5846307cc2baa22128d7
http://www.virustotal.com/file-scan/report.html?id=c301ad806f68adb6769be3dce99875c87e3a9d843a7bf0e9dc9f24a194055945-1283870319
VT 8/43 (18.6%)

related:
hxxp://193.105.174.22:10006

September 09, 2010, 07:07:47 pm
Reply #21

jackberri

hxxp://91.211.117.25/sp/admin/bin/config.bin
md5sum ===> 90452f2e87bd173664916c67c4ed9b5a

hxxp://91.211.117.25/sp/admin/bin/build.exe
md5sum ===> 8904d483008d6284a8f76fb5b9a7cb39
http://www.virustotal.com/file-scan/report.html?id=844f77d6371f5cd62d7d77a0a78173bd6bc6524fadebbc32befd9f21dc839792-1284057600
VT 5/41 (12.2%)

hxxp://91.211.117.25/sp/admin/bin/upload/gbotout.exe
md5sum ===> 87a5f7c496975c778d8c866195c9a7a5
http://www.virustotal.com/file-scan/report.html?id=8fa5d6d9c10b2dea88e72f87f201b62f9b60d480fd06599a554c0f50bae9c80c-1284057895
VT 8/43 (18.6%)

hxxp://91.211.117.25/sp/admin/bin/upload/out.exe
hxxp://91.211.117.25/sp/admin/bin/upload/out1.exe
md5sum ===> 143fdd161c7360060d30f540d7a86b27
http://www.virustotal.com/file-scan/report.html?id=30ab22ffbeec892f1055aab5b54ac4ec345404c8d53a17220a00a44263dc0b56-1284058359
VT 31/43 (72.1%)

hxxp://91.211.117.25/sp/admin/bin/upload/pedoout.exe
md5sum ===> c35e406871df034041d5a92bcb01c85b
http://www.virustotal.com/file-scan/report.html?id=19b01311129a3fe8022e7bf2f56ba9ed8c958e68174ad942b53fad141857936e-1284058781
VT 10/43 (23.3%)

hxxp://91.211.117.25/spy/bin/621430spyeyecrypted.exe
md5sum ===> 179d5d6c506a785d0f700468bf8ac97c
http://www.virustotal.com/file-scan/report.html?id=921863783b39c356745f6bbdce881148c2d7252e56c1a68036c6579ceddcd317-1284058618
VT 29/43 (67.4%)

hxxp://91.211.117.25/spy/bin/spyeye.exe
md5sum ===> d69b970afe781b385b9c4856dd1690ea
http://www.virustotal.com/file-scan/report.html?id=21f95da39e87ac1c984ed45a7437b996fdcaf0591dc06cd508333463963184e1-1284058939
VT 35/43 (81.4%)

September 15, 2010, 09:06:17 am
Reply #22

jackberri

hxxp://xableupper.com/cp/bin/ddd.exe
md5sum ===> 8706f85d9e518a6044b7cd8c64acd594
http://www.virustotal.com/file-scan/report.html?id=8bbf650eb7f426054eb6353e75f46412c43a28140cebcfda59dfeb385b58d8bb-1284541125
VT 23/43 (45.2%)

September 17, 2010, 04:34:44 pm
Reply #23

jackberri

IP Location: Netherlands - ECATEL-AS
IP 89.248.168.121
[hosted-by.ecatel.net]
AS29073
Registrant/Registrant Email: Renate M. Stanley/RenateMStanley@gmail.com
hxxp://spysyst.com/main/bin/config.bin
md5sum ===> c3d241a02c524535f8c4520477df1d06

hxxp://spysyst.com/main/gate.php

September 18, 2010, 02:38:47 pm
Reply #24

jackberri

hxxp://ipchecker911.com/us2/bin/1228.exe
md5sum ===> 0c158cceb3f6442ce91071105f1cca33
http://www.virustotal.com/file-scan/report.html?id=f9cd91d3e13d4e31292d250fd5b9825a3f984685e87916c0c40bfac787bdbb4d-1284818868
VT 32/43 (74.4%)

hxxp://froot.nl/statistieken/us1.exe
md5sum ===> 1e7c50eace3df1fe70cb8f388a769676
http://www.virustotal.com/file-scan/report.html?id=755321dc05871f483bede4e1c62ce7c2fe04fb380bac976fc9f5b88aa89be61b-1284818865
VT 34/43 (79.1%)

related malware:
hxxp://rapidshare.com/files/419309857/mir.exe
md5sum ===> 94863eb254c5c4dc9736ead9b94d1972
http://www.virustotal.com/file-scan/report.html?id=c0c8839699a06e2a90cce2d3abae012e81fcc29002d32445bd2f4049d721edb4-1284818862
VT 24/42 (57.1%)

hxxp://91.211.117.76/d.exe
md5sum ===> b0aea64d3b9a420e6623c9523e08d54d
http://www.virustotal.com/file-scan/report.html?id=35a16e95015ce0a6defd99e078ccf510abd3f72d988c7362f4e24d92036f43f4-1284818857
VT 25/43 (58.1%)

hxxp://froot.nl/wp-content/uploads/rich.exe
md5sum ===> 117d9c3d827c8a50d033c9c30c5e3fff
http://www.virustotal.com/file-scan/report.html?id=5ea3a63ebae13f25b1255cd48f9b62ca3d369eb3092f186ca35fa1d59d73d993-1284819404
VT 14/42 (33.3%)

hxxp://193.104.186.88:51625/feelpl.exe
md5sum ===> f77a2586ffc8838ff4a8e03dc084da29
http://www.virustotal.com/file-scan/report.html?id=7903d8fffd7f82e65ce90f99a4079825666a82bebafab7cd85b4ff0cf5f383f9-1284819797
VT 37/43 (86.0%)

hxxp://193.104.186.88:51625/fefmeo.exe
md5sum ===> ac0258fb96a1cb2f1cdf5be2e260e177
http://www.virustotal.com/file-scan/report.html?id=bf5bce924f00c232bb1b498e1969dbae571a2251d87e701ad335ffd6997b384a-1284820121
VT 36/43 (83.7%)

hxxp://76.76.99.186:53651/vgrgfe.exe
md5sum ===> 028494420c516417cd82be8eca360c27
http://www.virustotal.com/file-scan/report.html?id=efb7ff77b45ebfcf16f76d3c6f79185428ff7e540e685652e208f91f62d683c0-1284820166
VT 40/43 (93.0%)

September 22, 2010, 03:21:51 pm
Reply #25

jackberri

hxxp://imagenabotam.com/n/bin/a.exe
md5sum ===> f408d1920f873c80b2a8d8b91daa9986
http://www.virustotal.com/file-scan/report.html?id=32f57b48f064fd51b516bc4bc3df6a194dd9c3708b351bedb0f99754c143f87e-1285097936
VT 14/41 (34.1%)

October 07, 2010, 03:32:30 am
Reply #26

jackberri

IP Location: United States - FASTSERVERS, Inc
IP 209.16.111.241
AS16805
Name Server: dns010.d.register.com
Name Server: dns049.c.register.com
Registrant/Registrant Email: Domain Discreet/5ef2a9880a141150009555f0a9837e03@domaindiscreet.com
hxxp://humirajustice.com/us1.exe
md5sum ===> a9f4cb15dc59d1c580e4f48f6374af30
http://www.virustotal.com/file-scan/report.html?id=5cbedadd1942480cc62c7dde39da17fd386436d89c8445e2a927c5f27ce34c92-1286421861
VT 33/42 (78.6%)

related:
hxxp://91.211.117.76/dimark.exe
md5sum ===> 237703f7d3eefb37ddfd76f3d15ba8d1
http://www.virustotal.com/file-scan/report.html?id=1be27aeadb3b7937740c241e1b1a4f3473cc91a3f7a1b9e1fa5db02be5523a29-1286421976
VT 34/42 (81.0%)

October 08, 2010, 10:13:35 pm
Reply #27

jackberri

IP Location: Kazakhstan - ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.120
AS50793
Name Server: ns1.stolimonov.ru
Name Server: ns2.stolimonov.ru
Registrant/Registrant Email: Private Person/dns@stolimonov.ru
hxxp://appppa1.ru/exe.exe
md5sum ===> 7f1509001d2670787a52a95c6d87cb99
http://www.virustotal.com/file-scan/report.html?id=4a8cfca9e280f5586c69bd9948099936a3824b0221bb571680f121d1342b4fc3-1286574940
VT 0/41 (0.0%)

hxxp://appppa1.ru/lex/bin/exe.exe
md5sum ===> bdb68d281dc94a0cb30a04ac82c45be8
http://www.virustotal.com/file-scan/report.html?id=fc61746dbb15d8fe27307e693becbbfe9a931369744f96155bfd297a1274af01-1286575755
VT 4/43 (9.3%)

October 10, 2010, 04:08:03 pm
Reply #28

jackberri

IP Location: Russian Federation - RTCOMM-AS OJSC RTComm.RU
IP 81.177.32.182
AS8342
hxxp://www.4587avvv.1gb.ru/adminka/bin/bofa.exe
md5sum ===> f62f0ea09dbce2004479913b32627c09
http://www.virustotal.com/file-scan/report.html?id=9e85108aad359dcf78b710219ac793ce8ec6f11c2b45d8752be0311918f5478e-1286725655
VT 12/42 (28.6%)

hxxp://www.4587avvv.1gb.ru/adminka/gate.php

October 16, 2010, 11:30:55 am
Reply #29

jackberri

IP Location: Ukraine - GORBY-AS Route Object - GORBY-AS Alexandr Gorbunov
IP 195.226.197.43
AS51303
Name Server: ns1.nsnoc.com
Name Server: ns2.nsnoc.com
Registrant/Registrant Email: Sylwester Markevitsh/Sylwester_84@hotmail.com
hxxp://xableupperxx3.com/cp/bin/build_crypted.exe
md5sum ===> 5478b750f2e967af29b45c5ae8e1f572
http://www.virustotal.com/file-scan/report.html?id=25e8e0efb7086997f8a01c6c497a222be9bb0fe387cef307d16cceb09522d738-1287227114
VT 17/43 (39.5%)

hxxp://xableupperxx3.com/cp/bin/ddd.exe
md5sum ===> 8706f85d9e518a6044b7cd8c64acd594
http://www.virustotal.com/file-scan/report.html?id=8bbf650eb7f426054eb6353e75f46412c43a28140cebcfda59dfeb385b58d8bb-1287227483
VT 37/43 (86.0%)

hxxp://xableupperxx3.com/cp/bin/build_me.exe.crypted.exe
md5sum ===> 8783d18b331e5846307cc2baa22128d7
http://www.virustotal.com/file-scan/report.html?id=c301ad806f68adb6769be3dce99875c87e3a9d843a7bf0e9dc9f24a194055945-1287227667
VT 41/43 (95.3%)

hxxp://xableupperxx3.com/cp/gate.php

data:
hxxp://xableupperxx3.com/cp/bin/build.exe
md5sum ===> 66b0905377507cd27b599390e2fe13db