Monday, September 12, 2011

BossesLoader + Gbot

(HTTP Side) BossesLoader:
http://3v.irc.su/CET/Panel/
http://3v.irc.su/CET/Panel/bot.php

Post data made from bot:
mode=1
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}

Bot responding to a command:
mode=2
UID={0F798385-99F6-44B3-8628-0F7472F23D4F}
version=0.2.0

Process the bot runs as (Win7/Vista):
C:\Users\\AppData\Local\wincsrss.exe


Now we get into the IRC side of this criminal's server.
(IRC Side) GBot:

Server: 94.23.252.85:4747 (channel: #Gbot)
Topic On: [ #Gbot ] [ !prot http://3v.irc.su/gbot.exe 1 ]
Topic By: [ Ted ]

Hosting Info:
http://whois.domaintools.com/94.23.252.85
(France Ovh Systems)

Virus Scan:
http://www.virustotal.com/file-scan/report.html?id=76d385c04e71cd4808059eebeb459c12fa092c405fac226eb0743ad6f44885c7-1315872197

Analysis:
http://www.threatexpert.com/report.aspx?md5=ea78961231a757f5a592948df290d5d2
http://anubis.iseclab.org/?action=result&task_id=1de6c531e3e513e94ddb15212a0be92d8


Connects to IRC server: 94.23.252.85:4747
IRC conversation:
NICK n{USA|XP}erafhjg
USER n{USA|XP}erafhjg 0 0 :n{USA|XP}erafhjg
JOIN #Gbot GTFO
afhjg 0 0 :n{USA|XP}erafhjg
PONG :7110E098
PRIVMSG #Gbot :[FileProt]: File protection has been enabled for C:\WINDOWS\system32\Dwdjqfihf.exe
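As an added example (not part of the original post, and not the bot's own code), the following Python script turns the two beacons captured above into detection logic a defender could run over proxy logs or an IRC capture: it classifies a BossesLoader POST body by its mode/UID fields, and it scans IRC lines for the Gbot nick pattern, the [FileProt] status message and the !prot command seen in the channel topic. The sample lines are constructed from the captures on this page; the TOPIC line and the benign chat line are assumed additions, and the field names mode, UID and version are the ones shown above.

```python
import re
from urllib.parse import parse_qs

# The bot identifies itself with a registry-style GUID in braces (see the UID= field above).
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I
)

# Gbot nicks look like n{COUNTRY|OS}<random letters>, e.g. n{USA|XP}erafhjg.
NICK_RE = re.compile(r"^NICK\s+(n\{[A-Z]{2,3}\|[A-Za-z0-9]+\}[a-z]+)\s*$")
# Status message the bot posts to the channel once it has protected its dropped file.
FILEPROT_RE = re.compile(
    r"^PRIVMSG\s+(#\S+)\s+:\[FileProt\]: File protection has been enabled for (.+)$"
)
# The "!prot <url> <n>" command appears in the channel topic.
PROT_CMD_RE = re.compile(r"!prot\s+(https?://\S+)\s+(\d+)")


def classify_bossesloader_post(body: str):
    """Classify a URL-encoded POST body sent to bot.php.

    Returns a dict with the check-in kind, UID and optional version,
    or None when the body does not look like a BossesLoader beacon.
    """
    fields = parse_qs(body, keep_blank_values=True)
    mode = fields.get("mode", [None])[0]
    uid = fields.get("UID", [None])[0]
    if mode not in ("1", "2") or uid is None or not GUID_RE.match(uid):
        return None
    return {
        "kind": "checkin" if mode == "1" else "command_response",
        "uid": uid,
        "version": fields.get("version", [None])[0],
    }


def scan_irc_lines(lines):
    """Return (indicator, value) tuples for Gbot-specific IRC traffic."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = NICK_RE.match(line)
        if m:
            findings.append(("gbot_nick", m.group(1)))
        m = FILEPROT_RE.match(line)
        if m:
            findings.append(("fileprot", m.group(2)))
        m = PROT_CMD_RE.search(line)
        if m:
            findings.append(("prot_command", m.group(1)))
    return findings


# Constructed sample IRC session, copied from the capture above except for the
# TOPIC line and the final benign chat line, which are assumed for the example.
SAMPLE_IRC = [
    "NICK n{USA|XP}erafhjg",
    "USER n{USA|XP}erafhjg 0 0 :n{USA|XP}erafhjg",
    "JOIN #Gbot GTFO",
    "PONG :7110E098",
    r"PRIVMSG #Gbot :[FileProt]: File protection has been enabled for C:\WINDOWS\system32\Dwdjqfihf.exe",
    "TOPIC #Gbot :!prot http://3v.irc.su/gbot.exe 1",
    "PRIVMSG #chat :hello everyone",
]

if __name__ == "__main__":
    # Constructed POST bodies using the fields shown in the capture above.
    for body in (
        "mode=1&UID={0F798385-99F6-44B3-8628-0F7472F23D4F}",
        "mode=2&UID={0F798385-99F6-44B3-8628-0F7472F23D4F}&version=0.2.0",
        "user=alice&password=secret",
    ):
        print(body, "->", classify_bossesloader_post(body))
    for finding in scan_irc_lines(SAMPLE_IRC):
        print(finding)
```

The HTTP check keys on the combination of a numeric mode and a brace-wrapped GUID rather than on the URL, so it still fires if the panel moves to another host; the IRC scan deliberately ignores the USER and PONG lines, which are ordinary client traffic, and only reports the bot-specific nick format, status message and topic command.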


Bot re-uploaded (for any further analysis):
http://www.mediafire.com/?utnq797aqbp69b2
http://www.multiupload.com/89FOAW25BF
