Resolved genhagroup.com to 18.104.22.168
When this site first got posted I thought it was hacked, but now that I’ve taken a closer look it’s actually a lame spreading attempt.
Gate file: /data/gate.php
Config file: /data/cf.bin
The Zeus binary was hosted at utmeg.com, as a “resume creator”.
The download page warns that it needs .NET 2.0, so the skid is obviously using a HF crypter.
The same download page is on genhagroup but it’s missing the file.
Hosting info: http://whois.domaintools.com/22.214.171.124
EDIT: lol https://zeustracker.abuse.ch/monitor.php?host=genhagroup.com