Friday, 20 December 2013

Win32/BruteForce.WP

DrWeb released a news about this malware in August, they know it as 'Trojan.WPCracker.1'
And more recently ~ 1e8cd0f0f1702820c870302520bc0176.

This executable communicate with a C&C at dorblu99.net
Let's have a closer look.

Login:

Main:

Bot info:

Broken wordpress:

Statistics:

Add domains:

Add admin panels:

Add logins:

Add passwords:

Add module for jm(zip):

Add module for wp(zip):

Add shell jm(php):

Cron brute:

Ban list:

Logs:

Domains list (downloaded by the malware to know wich wordpress he should brute force):
36k urls.

Roman of abuse.ch have also wrote an interesting post about this threat.
Posted by at 21:44
Labels: , , , ,

7 comments:

  1. Anonymous21 December 2013 at 00:06

    delphi bot lolz not special

    ReplyDelete
  2. Anonymous21 December 2013 at 19:45

    I can't understand did u hacked it?? If yes, how? Bruteforce / url bruteforce / sqli or someone gave you login:pass? I ask because it is really very strange that u can have access to every botnet. :)

    ReplyDelete
  3. Anonymous1 January 2014 at 04:15

    When you bruteforce these panels, do they typically have weak credentials, or do you just have a really good wordlist and let it run for a while?

    ReplyDelete
  4. Steven K1 January 2014 at 14:49

    weak passwords in general

    ReplyDelete
    Replies
    1. whitehat5 January 2014 at 06:10

      how do you brute force the passwords? im trying to use hydra but isnt workin

      Delete
  5. Anonymous11 January 2014 at 14:03

    Patience is the key :)

    ReplyDelete
  6. Unknown7 May 2016 at 03:09

    Hi, where I can download?

    ReplyDelete

Subscribe to: Post Comments (Atom)