Resolved: [ilikeithard.tk] to [63.141.253.125]
Panel: hxxp://ilikeithard.tk/Panel/admin.php
Sample: directxex.com/uploads/1632963588.Pony.exe (found by justaguy)
Hosting infos: http://whois.domaintools.com/63.141.253.125
Sydnexoyex.us (Pony hosted in Germany, Gunzenhausen, Tt International D.o.o.)
Traffic – by URL:
Sydnexoyex.us/p.exe
Sydnexoyex.us/4df1in1/gate.php
Sydnexoyex.us/DiBU064/s.exe
Sydnexoyex.us/DiBU064/st.exe
j.maxmind.com/app/geoip.js
euntsutviek.
More files here: hxxp://sydnexoyex.us/4df1in1/
Admin Panel: hxxp://sydnexoyex.us/4df1in1/admin.php
Hosting infos: http://whois.domaintools.com/176.9.208.113
616design.info (Pony loader and Zeus banking malware hosted by fastit.net)
Resolved 616design.info to 80.82.222.106
Pony
Server: 616design.info
Gate file: /forum/pony/gate.php
This is by the same guy as this winlocker and andromeda bot. The server seems to be down at the moment, most likely due to Zeus Tracker posting the Zeus bot I located on the same IP.
Zeus
Server: oppspeedy.co.ua
Gate file: /forum/33/gate.php
Config file:
fuelcw.org (Pony loader hosted by ihc.ru)
Resolved fuelcw.org to 37.143.9.173
Server: fuelcw.org
Gate file: /ios.php
Hosting infos: http://whois.domaintools.com/37.143.9.173
kiz.no-ip.biz (Pony loader hosted by vmbox.co)
Resolved kiz.no-ip.biz to 94.242.238.213
Server: kiz.no-ip.biz
Gate file: /xen/ride/gate.php
Hosting infos: http://whois.domaintools.com/94.242.238.213
updates211.zapto.org (Pony hosted in United States, Port Richey, Private Customer – Verizon Internet Services Inc.)
Pony Gate: updates211.zapto.org/pony/gate.php
Pony Admin: http://updates211.zapto.org/pony/admin.php
Setup file is inside: http://updates211.zapto.org/pony/setup.php
Here you can see Pony files and folders: http://updates211.zapto.org/pony/
Pony sample: hxxp://updates211.zapto.org/update211.exe
Hosting infos: http://whois.domaintools.com/96.254.171.6
3vi.tv (Pony hosted in Russian Federation, Moscow, Oversun-mercury Ltd)
Resolved: [3vi.tv] to [188.127.255.49]
Gate file: 3vi.tv/images/gate.php
From Userbased: http://3vi.tv/l/guest.php (guest:guest)
vuln here / sample here
Hosting infos: http://whois.domaintools.com/188.127.255.49
198.8.81.127 (Pony http loader hosted by coloat.com)
Server: 198.8.81.127
Gate file: /Panel/gate.php
Starting to see some Pony bots now that it’s been leaked. FYI, Pony just grabs passwords and uploads them, then downloads any files that are hard-coded into it. If you set it to run at startup you’ll just get the same shit every time.
Hosting infos: http://whois.domaintools.com/198.8.81.127
76.191.97.100 (Multiple http botnets hosted by sentris.com)
Andromeda
Server: 76.191.97.100
Gate file: /andro/image.php
Plugins:
Rootkit: http://76.191.97.100/andro/r.pack
Socks: http://76.191.97.100/andro/s.pack
Formgrabber: http://76.191.97.100/andro/f.pack (gate file: /andro/fg.php)
Smoke Loader
Server: 76.191.97.100
Gate file: /smoke/index.php
Pony
Server: 76.191.97.100
Gate file: /p/gate.php
POE stealer
Server: 76.191.97.100
Gate file: /poe/index.php
Login details are admin:admin
Hosting infos: http://whois.domaintools.com/76.191.97.100
EDIT: I see he’s trying bitcoin mining. Mining infos:
95.58.254.79 (Pony hosted in Kazakhstan, Almaty, Jsc Kazakhtelecom)
Pony Gate: 95.58.254.79/p/gate.php
Pony admin login: http://95.58.254.79/p/admin.php
Pony-legit-packed s.exe inside the Pony package is Autoiframer Bot, Version 1.0. Here are some strings from the sample:
File: ZR1.exe
Size: 193552 Bytes
MD5: A889A2ADAFEFF5A16AFF93DD668B763C
Packer: File not found C:peid.exe
File Properties: CompanyName FileDescription FileVersion InternalName LegalCopyright OriginalFilename ProductName ProductVersion
Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 212Kb in 0,016