I actually don't give a fuck about the IP 49.176.67.225
Yes, I've used it before. I've been doing some digging on a RAT file that has the phone home set to my IP:
BTCTalkAccs pointed me to this virustotal analysis of a DarkComet/DarkKomet RAT with the name 'minecraft.exe':
https://www.virustotal.com/en/file/9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262/analysis/
This RAT is set to phone home to: 58.111.143.105:200, which is my IP and on the port 200. However, this is quite meaningless as anyone can do that - it's no different than linking to another webpage. This is the first time I became aware of 'minecraft.exe', and a search on 9970283d1c08091f9260a5bbbc76220ed7b88b75d8352bcbfe35c4730f608262 doesn't turn up anything.
It also has the file name MSRSAAP.EXE, which turns up on virustotal here:
https://www.virustotal.com/en/file/4589cc7f0791e87906da850d27306637d01a71fb6aca9cee74be84c5bfff65c2/analysis/
The SHA hash also doesn't turn up anything other than virustotal on Google, but there is a lot of info on the name MSRSAAP.EXE.
http://answers.yahoo.com/question/index?qid=20120219155647AAN5JIV
http://softwaredownloadpro.com/question14580.html
http://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=/search%3Fq%3DMSRSAAP.EXE%26safe%3Doff%26client%3Dfirefox-a%26hs%3DFi4%26sa%3DN%26rls%3Dorg.mozilla:en-US:official%26biw%3D1920%26bih%3D940&rurl=translate.google.com&sl=ru&u=http://otvet.mail.ru/question/76611000&usg=ALkJrhiiM8v8n5hHgMTrWiy8ZWjVQYIGJg
This malware has been posted by the user "manolz" as some anti-anticheat or something:
http://www.gamersoul.com/forums/showthread.php?185177-Hackshield-AntiHook-NoShield-0-1-beta/page3
Also on youtube by "iCrack Trainers" (shell youtube account):
http://www.youtube.com/watch?v=VaKLmM40428
So, there's two possibilities:
1) I've been spreading malware disguised as anticheat bypasses and trainers for games that has been documented in English, Chinese and Russian while using my own IP address and have been doing it from 2012 or earlier decides to make a new RAT and upload it to virustotal and do nothing with it.
2) Someone who wants to frame me / plant false evidence and has a history of making game-related malware makes a new RAT that connects to my IP and port 200 (which isn't even open), uploads it to virustotal and does nothing with it.
If you look at the date (2013-06-09), you'll see that exactly a week earlier MoneyPakTrader got butthurt that I penetrated his website (which deals with currency exchange) - without doing any malicious damage - and found my IP address:
https://bitcointalksearch.org/topic/scammer-tradefortress-p-ted-my-site-without-permission-no-damage-afaik-closed-223665
June 02, 2013, 05:36:28 PM
(I also have some other info on MoneyPakTrader, in relation to some of his other suspicious activities).
Given by the dates of MSRSAAP.EXE, I think it's also possible that it was back when I was running a Tor exit node on this IP and someone wanted to cloak their identity and tried to use Tor to do that. Obviously it didn't connect (not only is the port not open, but also you can't use Tor to do this AFAIK as the command server packets will not be tunneled back), so they did nothing with minecraft.exe and somehow this was uploaded on June 09th (maybe because they got arrested, had HDD seized and had all the files analyzed)? I'm still leaning towards MoneyPakTrader.
You decide. Thanks for digging that out, BTCTalkAccounts!