Server: 37.9.53.121
Gate file: //xSZ64Wiax/WiOzJe3G7u7ok3gOYqHdv2xk.php
According to VirusTotal this is an affiliate program, with the Pony file downloaded from the same site.
Hosting info: http://whois.domaintools.com/37.9.53.121
Related md5s (search on malwr.com to download the sample):
Pony: 37ae22ba2799ed146c47085268dd481b

zbraaadanstfesse.org (Pony loader hosted by chicagovps.net)
Resolved zbraaadanstfesse.org to 172.245.5.137
Server: zbraaadanstfesse.org
Gate file: /p/stats.php
This is currently being downloaded by this Citadel net. It is also a backup domain for a Betabot, and is the domain currently used by it.
Betabot login: hxxp://zbraaadanstfesse.org/~.poto/login.php
Related md5s (search on malwr.com for samples): 7ec71449228f4209b9df59bb68ec3a5f
Hosting info: http://whois.domaintools.com/172.245.5.137

175.41.29.181 (Pony hosted in Hong Kong, Hong Kong, Unit 1702 Ramada Tower)
Admin panel: 175.41.29.181/pfx/admin.php
The rest of the files are here: hxxp://175.41.29.181/pfx/
setup.php is still in this folder.
Pony sample: hxxp://175.41.29.181/pn1.exe
Hosting info: http://whois.domaintools.com/175.41.29.181

92.243.77.139 (Pony loader hosted by infobox.ru)
Server: 92.243.77.139
Gate file: /Panel/gate.php
Related md5s (search on malwr.com to download the samples): 160419b4c5f8415b41fb23e99be12b19
Hosting info: http://whois.domaintools.com/92.243.77.139

belakey.com (Pony hosted in Germany, Gunzenhausen, Osauhing Future Technologies)
Resolved: [belakey.com] to [46.4.199.232]
Pony gate: belakey.com/pony/gate.php
Admin panel: hxxp://belakey.com/pony/admin.php
Sample: hxxp://188.40.33.69/z/pony4.exe
Hosting info: http://whois.domaintools.com/46.4.199.232

thinkgreensupply.com (Pony hosted in United States, Portland, Directspace Networks Llc.)
Resolved: [thinkgreensupply.com] to [174.140.168.239]
Admin panel: hxxp://thinkgreensupply.com/ponyb/admin.php
Gate: hxxp://thinkgreensupply.com/ponyb/gate.php
Hosting info: http://whois.domaintools.com/174.140.168.239

64.85.233.8 (Citadel banking malware hosted by a home IP?)
Server: 64.85.233.8
Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet IP (United States, Concord, Astound Broadband).
Also on the server: Smoke Loader and Pony.
Smoke Loader server: 64.85.233.8
Gate file: /smokeldr/index.php
Pony server: 64.85.233.8
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous...

toxhoster.net (Pony loader hosted by ecatel.net)
Resolved toxhoster.net to 80.82.79.35
Server: toxhoster.net
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting info: http://whois.domaintools.com/80.82.79.35
Related md5s (search on malwr.com to download the samples): b22258989a5e93d4cb1c3960441c1c06

securityspecialiastinc.in (Pony hosted in Japan, Tokyo, Linode Llc)
Resolved: [securityspecialiastinc.in] to [106.187.88.52]
Gate: securityspecialiastinc.in/p/gate.php
Admin: securityspecialiastinc.in/p/admin.php
Sample: hxxp://106.187.88.52/p/p.exe
Online crypter: hxxp://securityspecialiastinc.in/crypt.php
Hosting info: http://whois.domaintools.com/106.187.88.52

93.115.85.58 (Pony loader hosted by voxility.net)
Server: 93.115.85.58
Gate file: /pox/stats.php
While investigating a Betabot, I found a load of different malware. Here's a Pony loader. It downloads files from hxxp://cy-corp.com/pg/
Hosting info: http://whois.domaintools.com/93.115.85.58