Smoke Loader is being used to install a TeamViewer-based RAT (4.34, a 2 MB executable).
Domains: bookwormsbiorhythm.top, charlesadvanced.top
IPs: 185.81.113.86:80, 200.7.98.161:80, 104.16.41.2:443, 217.23.11.14:80, 23.51.123.27:80, 92.122.201.2:443, 92.122.122.136:80
Samples:
hxxp://185.81.113.106/ital2.exe
hxxp://200.7.105.4/ital1.exe
hxxp://200.7.98.161/myonly3d.exe
hxxp://theplatonicsolid.com/cftmon.exe
hxxp://memorywedge.net/11/cftmon.exe
hxxp://memorywedge.net/11/1.zip : the whole archive (shells, emailer, samples), with his gmail address too. This guy looks like a big russki hecker.
frineon.su (Smoke loader hosted by fastflux botnet)
Server: frineon.su
Gate file: /forum/index.php
Hosting info:
;; QUESTION SECTION:
;frineon.su. IN A
;; ANSWER SECTION:
frineon.su. 150 IN A 91.188.52.67
frineon.su. 150 IN A 212.92.228.65
frineon.su. 150 IN A 109.200.244.121
frineon.su. 150 IN A 76.66.174.231
frineon.su. 150 IN A 98.218.49.187
frineon.su. 150 IN A 72.185.70.143
frineon.su. 150 IN A 72.185.199.204
frineon.su. 150 IN A
www.pen-t-house.com (Smoke loader hosted by leaseweb.com)
Resolved www.pen-t-house.com to 85.17.139.16
Server: www.pen-t-house.com
Gate file: /baby/index.php
Hosting info: http://whois.domaintools.com/85.17.139.16
Related md5s (search on Malwr.com to find samples):
Smoke: d24b40d1c7d410e6069fc3eaf101b171
Predhost.in (Smokeloader hosted by Digitalocean.com)
Resolved predhost.in to 198.199.109.163
Server: Predhost.in
Gate file: /sm/index.php
Logging into hxxp://predhost.in/sm/guest.php with guest:guest works. Anyone want to test if the sqli got fixed?
Hosting info: http://whois.domaintools.com/198.199.109.163
Related md5s (search on malwr.com to download samples):
Smokeloader: 4c438005e17b968813f3df1fb2e15f4a
64.85.233.8 (Citadel banking malware hosted by home ip?)
Server: 64.85.233.8
Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet IP (United States, Concord, Astound Broadband). Also on the server: Smoke Loader and Pony.
Smoke
Server: 64.85.233.8
Gate file: /smokeldr/index.php
Pony
Server: 64.85.233.8
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous
smokenoke.com (Smoke loader hosted by neoweb.ru)
Resolved smokenoke.com to 81.176.232.201
Server: smokenoke.com
Gate file: /index.php
Hosting info: http://whois.domaintools.com/81.176.232.201
aeonhf.net (Smoke loader http botnet proxied by cloudflare)
Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare IPs)
Server: aeonhf.net
Alternate domain: aminserve.info (currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses Cloudflare to help host his botnet. Maybe this time they’ll do something about it?
Hosting info: ecatel.info
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net
imageshoster.ru (Smoke loader http botnet hosted by santrex.net)
Resolved imageshoster.ru to 46.166.169.187
Server: imageshoster.ru
Gate file: /pics/index.php
This is the new smokebot domain of the beerpigfarm.ru installs guy. His previous domain adzu324nbasmdaoias.su is currently hosted on the same server.
Sample: hxxp://46.166.177.120/smo
Hosting info: http://whois.domaintools.com/46.166.169.187
img152200.servepics.com (Smoke loader hosted by kimsufi.com)
Resolved img152200.servepics.com to 94.23.213.78
Server: img152200.servepics.com
Gate file: /x3/index.php
This is h4r3’s smoke; he has his Andromeda hosted on the same server.
Hosting info: http://whois.domaintools.com/94.23.213.78
sharesend.info (smoke loader http botnet hosted by voxility.net)
Resolved sharesend.info to 37.221.170.8
Server: sharesend.info
Gate file: /admin/index.php
A pity the guest.php credentials have been changed from the default, or fun could have been had. Download the panel from here if you want it: hxxp://sharesend.info/admin/admin.zip
Hosting info: http://whois.domaintools.com/37.221.170.8