5.199.167.219 (Citadel banking malware hosted by balticservers.com)

By I_Post_Ur_Info, February 20, 2013

Gate file: 5.199.167.219/mode.php
Config droppers (appear to be compromised sites)
shadowsfromlight.com/wp-content/upgrade/file.php
www.danainvestment.com/wp-content/upgrade/file.php
gregsmission.org/wp-content/upgrade/file.php
luna.pgnstudio.com/wp-content/upgrade/file.php

On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.

Sample is located here

http://whois.domaintools.com/5.199.167.219

Categories: Uncategorized

Tags: citadel

Previous post92mb samples for analysis

Next posttommyslav.name (Ginemo winlocker hosted by justhost.in.ua)

wandingoo.net (Citadel banking malware hosted by qhoster.net)

updating-flash.cloudapp.net (Citadel banking malware hosted by Microsoft.com)

103.241.0.100(Citadel 1.3.5.1 hosted in Net Origin Group Pty Ltd)