vvv.exp1oit.in (Andromeda http hosted by France Roubaix Ovh Sas)

Resolved vvv.exp1oit.in to 178.33.241.61

This is the new Andromeda of the French guy.
It is the full version with all of the plugins.

Server: vvv.exp1oit.in
Gate file: /google/image.php

Plugins:
Formgrabber: beautyoftheworld.ca/xs/f.pack
Gate file: /google/fg.php
Socks: beautyoftheworld.ca/xs/s.pack
Rootkit: beautyoftheworld.ca/xs/r.pack

Downloads files from hxxp://jamboproducciones.com/xs/ and hxxp://ez-cs.net/dk/

He also has a new Smoke Loader up.

Server: smk.cheatgame.org
Gate file: /phpbb/index.php
Confirm at smk.cheatgame.org/phpbb/guest.php (guest:guest)

Hosting infos: http://whois.domaintools.com/178.33.241.61
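As an added example (not part of the original post), the script below turns the hosts and gate paths listed above into a small lookup and runs it over a few constructed proxy log lines, so a defender can see which clients checked in to the Andromeda or Smoke Loader gates or pulled a plugin pack. The log format, timestamps and client addresses are assumptions; the indicators themselves are the ones the post gives.

```python
"""Match proxy log lines against the Andromeda / Smoke Loader indicators from the post.

Added example, not the post's own code. The log format is a constructed
"<timestamp> <client_ip> <method> <url> <status>" line; client IPs are made up.
"""
from urllib.parse import urlsplit

# Hosts named in the post as C2 / gate servers.
C2_HOSTS = {
    "vvv.exp1oit.in": "Andromeda C2 (gate /google/image.php)",
    "178.33.241.61": "Andromeda C2 (resolved IP of vvv.exp1oit.in)",
    "smk.cheatgame.org": "Smoke Loader C2 (gate /phpbb/index.php)",
}

# Hosts named in the post as plugin / payload download locations.
DOWNLOAD_HOSTS = {
    "beautyoftheworld.ca": "Andromeda plugin host (/xs/*.pack)",
    "jamboproducciones.com": "Andromeda download host (/xs/)",
    "ez-cs.net": "Andromeda download host (/dk/)",
}

# Exact (host, path) pairs for the gate files listed in the post.
GATE_PATHS = {
    ("vvv.exp1oit.in", "/google/image.php"): "Andromeda bot check-in",
    ("vvv.exp1oit.in", "/google/fg.php"): "Andromeda formgrabber gate",
    ("smk.cheatgame.org", "/phpbb/index.php"): "Smoke Loader bot check-in",
}

# Plugin pack paths on beautyoftheworld.ca, as listed in the post.
PLUGIN_FILES = {"/xs/f.pack": "formgrabber", "/xs/s.pack": "socks", "/xs/r.pack": "rootkit"}


def refang(url):
    """Turn the post's defanged hxxp:// form back into a parseable scheme."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_log_line(line):
    """Parse one constructed proxy log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(refang(url))
    return {"ts": ts, "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path or "/", "status": status}


def classify(rec):
    """Return (kind, reason) for a parsed record, or None if it matches nothing."""
    host, path = rec["host"], rec["path"]
    if (host, path) in GATE_PATHS:                       # most specific first
        return "gate", GATE_PATHS[(host, path)]
    if host == "beautyoftheworld.ca" and path in PLUGIN_FILES:
        return "plugin", f"Andromeda {PLUGIN_FILES[path]} plugin fetch"
    if host in C2_HOSTS:
        return "c2-host", C2_HOSTS[host]
    if host in DOWNLOAD_HOSTS:
        return "download-host", DOWNLOAD_HOSTS[host]
    return None


def scan(lines):
    """Return every parsed record that matched an indicator, with kind and reason attached."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            rec["kind"], rec["reason"] = verdict
            hits.append(rec)
    return hits


def affected_clients(lines):
    """Sorted list of client IPs that touched any indicator: the triage list."""
    return sorted({h["client"] for h in scan(lines)})


# Constructed sample log: one benign request, four indicator hits, one bare download-host
# request and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2012-10-29T09:00:01 10.0.0.12 GET http://www.example.com/index.html 200",
    "2012-10-29T09:00:05 10.0.0.12 POST http://vvv.exp1oit.in/google/image.php 200",
    "2012-10-29T09:00:07 10.0.0.12 GET http://beautyoftheworld.ca/xs/f.pack 200",
    "2012-10-29T09:01:00 10.0.0.34 GET http://178.33.241.61/ 404",
    "2012-10-29T09:02:00 10.0.0.34 POST http://smk.cheatgame.org/phpbb/index.php 200",
    "2012-10-29T09:03:00 10.0.0.55 GET http://ez-cs.net/dk/ 200",
    "this line is not a log record",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['host']}{h['path']} [{h['kind']}] {h['reason']}")
    print("clients to triage:", ", ".join(affected_clients(SAMPLE_LOG)))
```

Matching is ordered from most to least specific: an exact gate hit says more than "talked to a listed host", and the IP entry catches bots that were handed the resolved address rather than the name. Hits on the download hosts alone are weaker evidence, since those are ordinary compromised sites; the gate and plugin hits are the ones worth an immediate look at the client.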


4 Comments

Anonymous - October 29, 2012 at 11:37 am

Hey Pig, it would be super cool if you could check this sample; it had a very strange spreading method.
Thanks
host : sd.ourcloudsfloat.com
malware sample : http://www.mediafire.com/?8ek1cyc4f562az8
Possible Syslock? Comes up as varint.symmi on BD and F-Secure.

Pig - October 29, 2012 at 4:23 pm

Yes, looks like ransomware.
This file is created by your sample: C:\WINDOWS\system32\crypt32F.exe
This is the registry value created by crypt32F.exe: LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Txvvzfqtj

The file connects to: intohave.com

Mutex created: WBEMPROVIDERSTATICMUTEX

Anonymous - October 30, 2012 at 8:25 am

What do you mean by the "new" Andro of the French guy? Is this v3, or just a new find of v2, or what not?

    I_Post_Ur_Info - October 31, 2012 at 4:58 pm

    New as in a new license, since it has all of the plugins. It's still v2 as v3 isn't out yet.
