Gate here : hxxp://185.121.139.214/pon/gate.php
Sample here : hxxp://185.121.139.214/pon/loader.exe
Hosting infos : http://whois.domaintools.com/185.121.139.214
flipcoin.co (Pony hosted in United States, Piscataway, Shock Hosting LLC)
Domain : “flipcoin.co”
Resolved [ flipcoin.co ] To [ 144.208.125.231 ]
Sample : hxxp://flipcoin.co/pony/bin.exe
Random panels and samples from Gaudox, Neutrino, Solar, Pony, Herpes, Betabot here : hxxp://flipcoin.co/
Hosting infos : http://whois.domaintools.com/144.208.125.231
farawayer.ru (Pony hosted in Russian Federation, Lenina, Dom Dlya Saita LLC)
Sample here : hxxp://farawayer.ru/chibum/fire/blessing/micro.exe
Panel : http://farawayer.ru/chibum/fire/blessing/gate.php
All the rest here : http://farawayer.ru/chibum/fire/blessing/
Hosting infos : http://whois.domaintools.com/91.227.68.183
inmrvogurin.ru (Pony hosted in Macao, Macau, Alan Hqservers Web Studio)
This guy keeps changing domain names, but he uses the same shit.
Resolved : [ inmrvogurin.ru ] To [ 163.53.247.144 ]
URLs :
hxxp://inmrvogurin.ru/SY/test/gate.php
hxxp://inmrvogurin.ru/SY/test/admin.php
The TF letters in red are maybe a tribute to trojanforge.
Sample here : hxxp://inmrvogurin.ru/SY/test/micro.exe
Hosting infos : http://whois.domaintools.com/163.53.247.144
paydbills.ru (Pony hosted in Macao, Macau, Alan Hqservers Web Studio)
Resolved : [ paydbills.ru ] To [ 163.53.247.144 ]
Behaviours :
1 Attempts to brute force passwords
2 Contains FTP stealing routine
3 Deletes itself
4 Manipulates Internet Explorer settings
5 Runs existing executable
6 Searches for digital certificates
7 Steals data
8 Steals local browser data
9 Suspicious delay
URLs :
hxxp://paydbills.ru/RF/test/gate.php
hxxp://www.facebook.com/
Sample here
imaginecomputing.info (Pony hosted in United States, Scottsdale, GoDaddy.com LLC)
Domain : imaginecomputing.info
Resolved [ imaginecomputing.info ] To [ 107.180.50.180 ]
Sample : hxxp://imaginecomputing.info/pony/run.exe
Other : hxxp://imaginecomputing.info/pony/gate.php
Hosting infos : http://whois.domaintools.com/107.180.50.180
nellisrealestate.com (Pony hosted in United States, Los Angeles, InMotion Hosting Inc.)
HTTP Requests :
hxxp://nellisrealestate.com/wp-includes/images/okk/panelnew/gate.php
hxxp://nellisrealestate.com/wp-includes/images/okk/panelnew/pony.exe
hxxp://nellisrealestate.com/wp-includes/images/okk/ (panel zip here)
Hosting infos : http://whois.domaintools.com/205.134.241.105
jdsiwiqweiqwyreqwi.com (Kasidet aka Neutrino bot)
Thanks to Xylitol for the name of the bot.
Contacts domains details :
“34324325kgkgfkgf.com”
“dsffdsk323721372131.com”
“fdshjfsh324332432.com”
“jdsiwiqweiqwyreqwi.com”
Runs shell commands details :
“cmd /c C:\Users\PSPUBWS\AppData\Local\Temp\243765.bat”
“C:38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11” on 2015-6-6.13:57:14.679
Dropped files details :
“UserInfo.dll” has type “PE32 executable (DLL) (GUI) Intel 80386, for MS Windows”
spamtheinter.net (Pony loader hosted by ecatel.net)
Resolved spamtheinter.net to 94.102.51.123
Server: spamtheinter.net
Gate file: /pony/gate.php
Hosting infos: http://whois.domaintools.com/94.102.51.123
Related md5 (download sample from Malwr.com)
Pony: ab5c96e927c863a773271347a5713486
main-firewalls.com (Pony stealer hosted by virtacore.com)
Resolved main-firewalls.com to 74.204.171.69
Server: main-firewalls.com
Gate file: /gate.php
Downloaded FakeAV and ZeroAccess
Hosting infos: http://whois.domaintools.com/74.204.171.69
Related md5s (search on malwr.com to download sample)
Pony: a3243c1f6fe92db72af7b5c1f9b207ea