Monday, August 30, 2010

APT IPs and Domains

From malware analysis, compromised systems, internet research and reader submissions
Each entry lists: Last Seen, IP (info link), Country, Port, Source/Associated malware, MD5, Domain/URL, Reverse, Contagio.

Last Seen: 2010-Aug-19; 2010-May-13
IP (info link): 202.175.83.10
Country: Macau
Port: 8000; 443
Source/Associated malware: irmon32.dll ("Infrared Monitor" srvc); rasauto16.dll (Remote Access Auto Connection Manager srvc)
MD5: irmon32.dll 1966B265272E1660E6F340B19A7E5567; rasauto16.dll 15138604260b1d27f92bf1ec6468b326
Domain/URL: All are hardcoded in dll. hxxp://sync.ns06.net/expirat/billing.htm
Reverse: z83l10.static.ctm.net
Contagio: Backdoor services

Last Seen: 2010-May-13
IP (info link): 202.153.103.83
Country: Hong Kong
Port: 443
Source/Associated malware: rasauto32.dll (Remote Access Auto Connection Manager srvc)
MD5: 995b44ef8460836d9091a8b361fde489
Reverse: beta.nethost.hk
Contagio: Backdoor services

Last Seen: 2010-Aug-19
IP (info link): 64.184.2.11
Country: USA
Port: 443
Source/Associated malware: sap.dll (SAP Agent srvc or NWSapagent)
MD5: 795B5E3E3D6C25B007498203A62693FA

Last Seen: 2010-Aug-19
IP (info link): 63.134.215.218
Country: USA
Port: 443
Source/Associated malware: sap.dll (SAP Agent srvc or NWSapagent)
MD5: F2A4B2F4A3EDFF07155C4F238240F40D
Last Seen: 2010-Aug-24
IP (info link): 211.234.11.125; 72.167.62.13
Country: Republic of Korea; GoDaddy, USA
Port: 443; ?
Source/Associated malware: irmon32.dll ("Infrared Monitor" srvc)
MD5: irmon32.dll E66DD357A6DFA6EBD15358E565E8F00F; C75D351D86DE26718A3881F62FDDDE99
Domain/URL: All are hardcoded in dll: navl.oTZO.com (aug30), grey.qHigh.com (aug31, 2010) -- 211.234.11.125; atures.gotdns.com (aug30), ccoun.dnsalias.org (aug31) -- 72.167.62.13
Reverse: 211-234-111-125.kidc.net; ip-72-167-62-13.ip.secureserver.net
