Month: June 2015

Gorynych/DiamondFox (hosted in Budapest, Hungary, Doclerweb Kft)

Thanks to Xylitol for panels and executables.

Panels:
hxxp://
hxxp://
hxxp://

Files:
> HTTP/1.1

Xylitol posted a video showing the vulnerability in the panel. Now the ruski behind this shit has updated the panel.

Hosting infos:

KUKU v4.08 beta (malware hosted in Dortmund, Germany, 1&1 Internet AG)

Another version of this malware; some of the domains changed. All hosts are contacted with the same URL pattern:

GET /?1453eea=21315306&id=212331279066 HTTP/1.1
User-Agent: KUKU v4.08 beta =212331279066
Host:
Cache-Control: no-cache
GET

(botnet hosted in Roosendaal, Netherlands, Nforce Entertainment B.V.)

Thanks to the anonymous guy who sent me the executable.

Domains used by the botnet to connect to the server:

IRC connection:

Files downloaded by the botnet:
URL: hxxp://
URL: hxxp://
URL: hxxp://

All domains:
Domain | Address | Country
       |         | Romania
       |         | Romania
       |         | Romania

Samples here.

(Kasidet aka Neutrino bot)

Thanks to Xylitol for the name of the bot.

Contacts domains, details:
“”
“”
“”
“”

Runs shell commands, details:
“cmd /c C:\Users\PSPUBWS\AppData\Local\Temp\243765.bat”
“C:\38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11” on 2015-6-6.13:57:14.679

Dropped files, details:
“UserInfo.dll” has type “PE32 executable (DLL) (GUI) Intel 80386, for MS Windows”

KUKU406beta (password-stealing malware hosted in Dortmund, Germany, 1&1 Internet AG)

This is spreading through torrents and cracks and looks like a password stealer. Domains and IPs used: