(Citadel banking malware hosted by home ip?)

Config file:  /hide/1355/file.php
Gate file:  /hide/1355/enter.php

According to whois, this is a home cable internet ip (United States Concord Astound Broadband).

Also on the server, smoke loader and pony

Gate file:  /smokeldr/index.php

Gate file:  /js/gate.php

The moron running this has Pony downloading itself, creating a continuous chain of downloads.

Hosting infos: http://whois.domaintools.com/

Related md5s (search on malwr.com to download the samples):
Smoke loader: 1581f296eff953d727d26753ddd93bd2
Citadel: e8dd9cf3296861e9bc0dbffd533922b3
Pony loader: 40e688d7aa46c49bc8d6fb7a2dfcd2d9

Categories: Uncategorized


Anonymous - June 11, 2013 at 4:26 pm

-hosted by home ip?

You know being around for so long i actually personally believe people still do this, and if it's the case you made my day.

It's one thing to host a hostbooter on your own connection but hosting banking malware?


Anonymous - June 13, 2013 at 10:58 am

It's not a home IP,it's an office IP x)

Anonymous - June 18, 2013 at 1:55 pm

Kids a skid, browses TF thinking he is a banking malware boss yet he ended up getting hacked by xyli.

Very clueless boy.

Comments are closed