URL: hxxp://shinyhosting.ws.gy/loli/image.php
Hosting infos: http://whois.domaintools.com/93.188.160.131
xylox.su (Betabot and Andromeda http botnets hosted by Panamaserver.com)
Resolved xylox.su to 190.123.45.12
Betabot gate file: /forums/order.php
Andromeda gate file: /foo/image.php
Hosting infos: http://whois.domaintools.com/190.123.45.12
Related md5s (download samples from Malwr.com)
Betabot: a670deb3dd6febfcfda8392305041657
Andromeda: 26c7885b95501af4da1ffa621f793027
scum1904life.com (Andromeda http botnet hosted by 2×4.ru)
Resolved scum1904life.com to 193.107.16.146
Server: scum1904life.com
Gate file: /gate.php
Hosting infos: http://whois.domaintools.com/193.107.16.146
Related md5s (search on Malwr.com to download samples)
Andromeda: 6423dfa282aa03ee0e10c5331062a96c
adobe-helper.cloudapp.net (Andromeda http botnet hosted by microsoft.com)
Resolved adobe-helper.cloudapp.net to 168.63.166.85
Server: adobe-helper.cloudapp.net
Gate file: /updates/gate.php
It downloads a bitcoin miner and begins mining through this proxy, also hosted on the Windows cloud: hxxp://updating-flash6.cloudapp.net
Bonus: Andromeda 2.7 panel here: hxxp://adobe-helper.cloudapp.net/panel.zip
Hosting infos: http://whois.domaintools.com/168.63.166.85
Related md5s (search on Malwr.com to download samples)
Andromeda: 2fd21454a5c17fcfffef9f900dec1434
dortnath.com (Andromeda http botnet hosted by sunhoster.ru)
Resolved dortnath.com to 185.6.80.48
Server: dortnath.com
Gate file: /gate.php
Hosting infos: http://whois.domaintools.com/185.6.80.48
Related md5s (search on Malwr.com to download samples)
Andromeda: 8d7d4ea8a5ef18341d5534056d60e061
towi4-place.com (Andromeda http botnet hosted by core-vps.lv)
Resolved towi4-place.com to 193.105.240.20
Server: towi4-place.com
Gate file: /1800/image.php
Downloads Cutwail as well as other malware. The owner has left a message on the index page (original in Russian, translated here):
"What we call evil is merely an inevitability in our endless development." F. Kafka
Questions and cooperation offers (JID): ToWi4@cryptovpn.com
ns1.androha.com (Andromeda http botnet hosted by namecheap.com)
Resolved ns1.androha.com to 162.213.250.141
Server: ns1.androha.com
Gate file: /cgi/image.php
Plugins:
Rootkit: hxxp://ns1.androha.com/cgi/r.pack
Socks: hxxp://ns1.androha.com/cgi/s.pack
Formgrabber: hxxp://ns1.androha.com/cgi/f.pack
Formgrabber gate file: /cgi/fg.php
First cracked Andromeda I've seen in a while.
Hosting infos: http://whois.domaintools.com/162.213.250.141
Related md5s (search on Malwr.com to download the sample)
Andromeda: c5598dd742b5504084779ccfda0b207c
xvident.pw (Andromeda http botnet hosted by maxhosting.ru)
Resolved xvident.pw to 192.162.100.211
Server: xvident.pw
Gate file: gate.php
Another domain points to the same IP and is also hosting an Andromeda panel:
Server: plesto.pw
Gate file: gate.php
Hosting infos: http://whois.domaintools.com/192.162.100.211
Related md5s (search on Malwr.com to download samples)
Andromeda: 57e8423ba1a1d8816ba5d078fd9f64df
yt4cpa.us (Andromeda http botnet hosted by worldstream.nl)
Resolved yt4cpa.us to 217.23.11.122
Server: yt4cpa.us
Gate file: /gate.php
Downloaded by this Betabot; phpinfo here: http://yt4cpa.us/test.php
Hosting infos: http://whois.domaintools.com/217.23.11.122
Related md5s (search on Malwr.com to download samples)
Andromeda: b887cdbc60cdbaecd6702405b57dc0a1
voscomptesenligne.eu (Andromeda http botnet hosted in the Netherlands by International Widespread Services Limited)
Sample found by ALiSs.
URLs:
hxxp://voscomptesenligne.eu/joomla/image.php
hxxp://www.curboc.com/joomla/image.php
Plugins:
hxxp://voscomptesenligne.eu/joomla/f.pack
hxxp://voscomptesenligne.eu/joomla/s.pack
hxxp://voscomptesenligne.eu/joomla/r.pack
hxxp://www.curboc.com/joomla/f.pack
hxxp://www.curboc.com/joomla/s.pack
hxxp://www.curboc.com/joomla/r.pack
Formgrabber gate: hxxp://voscomptesenligne.eu/joomla/fg.php?id=1880376902
Love poem dedicated to Brian Krebs here: hxxp://voscomptesenligne.eu/
Same poem here: hxxp://www.curboc.com
Samples:
hxxp://91.223.82.147/andro.exe
hxxp://www.curboc.com/andro.exe
hxxp://www.curboc.com/miner.exe
hxxp://voscomptesenligne.eu/miner.exe
miner.exe downloads: hxxp://93.113.171.18/upl/pYofXDkAVERHbkeo/m.jpg (www.fisier.ro)
Hosting infos: http://whois.domaintools.com/91.223.82.179
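The entries above give the same handful of URL shapes over and over: a gate file (gate.php, image.php, order.php, the formgrabber's fg.php) on a known host, and the r.pack / s.pack / f.pack plugin downloads. The script below is an added example, not part of the original post or of any Andromeda tooling: it turns the hosts, IPs and file names listed on this page into a scoring check and runs it over a few constructed proxy log lines. The "timestamp source-ip METHOD url" log layout, the scoring weights and the sample lines are my assumptions for the example; everything else is taken from the listing.

```python
import re

# Indicators taken from the listing on this page: C2 hosts/IPs, the gate file
# names the entries report, and the plugin names (rootkit/socks/formgrabber).
C2_HOSTS = {
    "shinyhosting.ws.gy", "xylox.su", "scum1904life.com",
    "adobe-helper.cloudapp.net", "updating-flash6.cloudapp.net",
    "dortnath.com", "towi4-place.com", "ns1.androha.com", "xvident.pw",
    "plesto.pw", "yt4cpa.us", "voscomptesenligne.eu", "www.curboc.com",
}
C2_IPS = {
    "93.188.160.131", "190.123.45.12", "193.107.16.146", "168.63.166.85",
    "185.6.80.48", "193.105.240.20", "162.213.250.141", "192.162.100.211",
    "217.23.11.122", "91.223.82.147",
}
GATE_FILES = {"image.php", "gate.php", "order.php", "fg.php"}
PLUGIN_FILES = {"r.pack": "rootkit", "s.pack": "socks", "f.pack": "formgrabber"}

# Accepts real and defanged (hxxp) URLs, so the page's own indicators can be fed in.
URL_RE = re.compile(
    r"^(?:https?|hxxps?)://(?P<host>[^/:?#\s]+)(?::\d+)?(?P<path>/[^?#\s]*)?", re.I)
# Assumed proxy log layout for this example: "<timestamp> <src-ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_url(url):
    """Score a URL against the page's Andromeda/Betabot indicators.

    Returns (score, reasons). A known host or IP is decisive on its own (3);
    the .pack plugin names are distinctive (2); gate file names such as
    gate.php or image.php also occur on benign sites and only count as a
    weak signal (1) that needs corroboration. Weights are assumptions.
    """
    m = URL_RE.match(url)
    if not m:
        return 0, []
    host = m.group("host").lower()
    path = m.group("path") or "/"
    fname = path.rsplit("/", 1)[-1].lower()
    score, reasons = 0, []
    if host in C2_HOSTS or host in C2_IPS:
        score += 3
        reasons.append("known C2 host %s" % host)
    if fname in PLUGIN_FILES:
        score += 2
        reasons.append("plugin download %s (%s)" % (fname, PLUGIN_FILES[fname]))
    if fname in GATE_FILES:
        score += 1
        reasons.append("gate file name %s" % fname)
    return score, reasons


def scan_log(lines, threshold=2):
    """Return (ts, src, url, score, reasons) for every log line scoring >= threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        score, reasons = classify_url(m.group("url"))
        if score >= threshold:
            hits.append((m.group("ts"), m.group("src"), m.group("url"), score, reasons))
    return hits


# Constructed sample log lines for the example, not real traffic.
SAMPLE_LOG = [
    "2014-03-02T10:00:01Z 10.0.0.5 POST http://xylox.su/foo/image.php",
    "2014-03-02T10:00:02Z 10.0.0.5 GET http://ns1.androha.com/cgi/f.pack",
    "2014-03-02T10:00:03Z 10.0.0.7 GET http://www.curboc.com/joomla/fg.php?id=1880376902",
    "2014-03-02T10:00:04Z 10.0.0.9 GET http://example.com/images/image.php",
    "2014-03-02T10:00:05Z 10.0.0.9 GET http://example.com/news/index.html",
]

if __name__ == "__main__":
    for ts, src, url, score, reasons in scan_log(SAMPLE_LOG):
        print(ts, src, url, score, "; ".join(reasons))
    # Gate-file-only matches on unknown hosts are worth a look but not an alert.
    for ts, src, url, score, reasons in scan_log(SAMPLE_LOG, threshold=1):
        if score < 2:
            print("weak:", ts, src, url, "; ".join(reasons))
```

With the default threshold the three lines touching listed hosts are reported and the benign example.com/images/image.php line is not; lowering the threshold to 1 surfaces it as a weak, gate-name-only match, which is the right place for generic file names like image.php or gate.php that this listing shows the operators reusing across many hosts.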