64.85.233.8 (Citadel banking malware hosted on a home IP?)

Server:       64.85.233.8
Config file:  /hide/1355/file.php
Gate file:    /hide/1355/enter.php

According to WHOIS, this is a home cable internet IP (United States, Concord, Astound Broadband).

Also on the server: Smoke Loader and Pony.

Smoke Loader
Server:     64.85.233.8
Gate file:  /smokeldr/index.php

Pony
Server:     64.85.233.8
Gate file:  /js/gate.php

The moron running this has Pony configured to download itself, creating a continuous download loop.

Hosting info: http://whois.domaintools.com/64.85.233.8

Related MD5s (search malwr.com to download the samples):
Smoke Loader:  1581f296eff953d727d26753ddd93bd2
Citadel:       e8dd9cf3296861e9bc0dbffd533922b3
Pony loader:   40e688d7aa46c49bc8d6fb7a2dfcd2d9


3 Comments

Anonymous - June 11, 2013 at 4:26 pm

"hosted by home IP?"

You know, having been around for so long, I actually personally believe people still do this, and if that's the case you made my day.

It's one thing to host a hostbooter on your own connection but hosting banking malware?

lol

Anonymous - June 13, 2013 at 10:58 am

It's not a home IP, it's an office IP x)

Anonymous - June 18, 2013 at 1:55 pm

Kid's a skid, browses TF thinking he is a banking malware boss, yet he ended up getting hacked by xyli.

Very clueless boy.
