A forum for reverse engineering, OS internals and malware analysis 

NgrBot (aka Win32/Dorkbot.gen!A)

Forum for analysis and discussion about malware.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #16835  by markusg
 Sun Nov 25, 2012 7:12 pm
spreaded on skype.
and loads additional malware
Dropper:
af7876fa84d6296808b1ec382ec0b7489656e19ca3d9db3c4f3269508bdc3763

b2e6a0f96d642923a8af1b4114486e9dc9cda63b1009f8b5aaa234a31938a3f5
1e6e9b1afed021189fd1125d67ae41222ed731af855d40b6d1169dda7fdede06
Attachments
(143.47 KiB) Downloaded 86 times

Re: Trojan Ransom / FakePoliceAlert

 #17084  by EP_X0FF
 Sun Dec 09, 2012 12:37 pm
dumb110 wrote:German ransomware!
Moved from FakePoliceAlert thread. It is not a "ransomware". This is ngrbot. Decrypted attached.

And why it was multiple attached by you (same SHA-1) in that thread under different names? All removed except one.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot
How about doing a little research before posting mislabeled stuff?

Edit: seems I moved wrong file. First attached by dumb110 was Dorkbot, but second is indeed german ransomware. Apologies for inconsistency.
Attachments
pass: malware
(44.16 KiB) Downloaded 65 times
Last edited by EP_X0FF on Mon Dec 10, 2012 11:52 am, edited 2 times in total. Reason: edit

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #17100  by EP_X0FF
 Mon Dec 10, 2012 6:15 am
Turn off ollydbg plugin Phantom. Ollydbg2 or OllyDbg without phantom also causes BSOD?

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #17101  by thisisu
 Mon Dec 10, 2012 6:18 am
EP_X0FF wrote:Turn off ollydbg plugin Phantom. Ollydbg2 or OllyDbg without phantom also causes BSOD?
Thank you, regular OllyDbg worked. :)

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #20477  by Mosh
 Tue Aug 13, 2013 12:24 am
Found this on 146.185.246.160

SHA256: 92c2321d6a86bf0b5ae69873f010b5846de6c0e235f8d758928405b835deaefd
SHA1: 2c9a620d1a2a8af04aeb9196234d59f2d3ee8a10
MD5: 26e4d2a1a80b78a37864d3a5de25ff53
VT: 25/45
https://www.virustotal.com/en/file/92c2 ... /analysis/
Attachments
infected
(110.24 KiB) Downloaded 75 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #20480  by KoalaBear
 Tue Aug 13, 2013 6:37 am
Thanks, talks to y.k2111c21.ru on TCP port 6521 which is hosted on multiple Chinese IPs:
Code: Select all
$ nslookup y.k2111c21.ru
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
Name:	y.k2111c21.ru
Address: 122.195.244.35
Name:	y.k2111c21.ru
Address: 61.191.188.122
Name:	y.k2111c21.ru
Address: 27.54.210.21
Name:	y.k2111c21.ru
Address: 113.105.157.7
Name:	y.k2111c21.ru
Address: 112.132.215.36
Name:	y.k2111c21.ru
Address: 59.51.114.85
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
 Return to “Malware”