Technical Information
Malicious functions:
Removes itself
Launches itself as a daemon
Substitutes application name for:
- wzbf45vlnmqsobqxezgs
Network activity:
Awaits incoming connections on ports:
- 19#.##8.217.50:3467
Establishes connection:
- 8.#.8.8:53
- 5.###.227.140:4321
- 5.###.227.140:7685
Attacks using a special dictionary (brute-force technique) via the Telnet protocol.
Sends data to the following servers:
- 5.###.227.140:4321
- 5.###.227.140:7685
- 0.0.0.0:0
- 25#.##7.198.57:23
- 12#.##9.116.114:23
- 24#.#3.25.18:23
- 25#.##.21.249:23
- 72.##.31.63:23
- 24#.##.170.36:23
- 24#.#3.0.0:23
- 24#.##8.125.28:23
- 17#.##1.165.17:23
- 11#.##.187.136:23
- 26.###.230.95:23
- 15#.##0.232.140:23
- 41.###.83.222:23
- 21#.##4.98.34:23
- 19#.##9.164.142:23
- 15#.##7.199.227:23
- 24#.##1.93.197:23
- 49.###.46.246:23
- 14#.##.140.138:23
- 13.###.82.241:23
- 17#.##.67.164:23
- 18#.##.163.33:23
- 36.##4.38.26:23
- 4.##.52.115:23
- 97.###.155.207:23
- 15#.##1.205.181:23
- 25#.##4.191.75:23
- 17#.##6.168.66:23
- 20#.#.246.179:23
- 18#.##8.19.208:23
- 23.##.198.56:23
- 18#.##5.109.163:23
- 15#.##5.169.190:23
- 20#.##0.159.225:23
- 11#.##.191.240:23
- 14.##.217.36:23
- 66.###.133.122:23
- 67.##.64.138:23
- 13#.##.46.193:23
- 21#.##4.0.207:23
- 22#.##.109.121:23
- 24#.#8.90.39:23
- 18#.##.156.186:23
- 17#.##9.137.202:23
- 16#.##5.76.231:23
- 19#.##5.113.61:23
- 10#.##7.89.178:23
- 19#.##.216.238:23
- 14#.##.201.30:23
- 25#.##6.112.233:23
- 96.###.188.153:23
- 19.##2.53.15:23
- 24#.##.70.222:23
- 18#.##7.71.252:23
- 19#.##9.219.41:23
- 26.###.121.197:23
- 20#.#20.66.5:23
- 19#.##.234.19:23
- 12#.##.159.173:23
- 25#.##.104.11:23
- 91.###.23.124:23
- 12#.##4.130.151:23
- 73.###.244.242:23
- 53.###.242.127:23
- 25#.##.178.81:23
- 74.###.160.32:23
- 12#.##9.7.192:23
- 14#.##.96.156:23
- 22#.##4.42.123:23
- 71.###.126.195:23
- 68.###.217.181:23
- 36.###.254.161:23
- 15#.##.131.223:23
- 57.###.165.97:23
- 23#.##5.48.85:23
- 69.##.233.251:23
- 18#.##9.19.133:23
- 21#.##6.42.178:23
- 23#.#.127.52:23
- 16#.##6.50.104:23
- 24#.##6.28.28:23
- 23#.##5.188.15:23
- 22#.##.141.130:23
- 12#.##2.214.85:23
- 4.###.217.1:23
- 21#.##7.193.108:23
- 66.###.55.100:23
- 16#.##3.225.137:23
- 21#.#91.42.6:23
- 73.##4.35.43:23
- 97.###.171.126:23
- 18#.##.241.117:23
- 18#.##6.161.148:23
- 11#.##9.2.241:23
- 20#.##0.212.162:23
- 90.##1.65.77:23
- 98.###.217.233:23
- 58.###.138.133:23
- 16#.##.101.128:23
- 16#.##5.71.132:23
- 45.##0.97.66:23
- 23#.##7.49.47:23
- 11#.##.199.29:23
- 72.##6.76.0:23
- 24#.#5.33.53:23
- 13#.##7.209.25:23
- 38.##2.11.29:23
- 15#.##8.213.116:23
- 10#.##1.130.165:23
- 74.###.70.184:23
- 59.##.82.1:23
- 22.###.239.145:23
- 21.###.220.141:23
- 48.#.215.92:23
- 75.###.38.222:23
- 7.###.38.12:23
- 79.##.9.97:23
- 11#.##.234.15:23
- 17#.##.237.11:23
- 18#.##.66.126:23
- 60.###.50.179:23
- 13#.##4.155.180:23
- 10.##.60.102:23
- 24#.#1.50.3:23
- 7.###.0.253:23
Receives data from the following servers:
- 5.###.227.140:7685
- 5.###.227.140:4321