Thanks to Xylitol for confirming this is Betabot.
Domain :
idan.work 162.245.216.60
Behaviours :
1 Contains Windows Firewall manipulation routine
2 Creates autorun registry key
3 Creates hook to unknown module
4 Deletes itself
5 Injects code into other processes
6 Makes DNS lookup of recently registered domain
7 Manipulates Internet Explorer settings
8 Runs existing executable
9 Steals local browser data
10 Suspicious delay
11 Tries to detect whether it is being emulated
Url’s :
http://idan.work/ here u have the panel encoded(ioncube) and betabot folders.
hxxp://idan.work/dn/blah.php alot of nazi pictures here u have to refresh your browser to see them all.
hxxp://sjc4911.com/.css/ some samples here.
Login Panel :
idan.work/local/login.php
idan.work/host/login.php
idan.work/dn/login.php
Get samples here : hxxp://www.datafilehost.com/d/0e4d7c63
Hosting infos :
http://whois.domaintools.com/162.245.216.60