Pony

flipcoin.co(Pony hosted in United States Piscataway Shock Hosting Llc)

Domain: flipcoin.co
Resolved [ flipcoin.co ] to [ 144.208.125.231 ]
Sample: hxxp://flipcoin.co/pony/bin.exe
Random panels and samples from Gaudox, Neutrino, Solar, Pony, Herpes and Betabot here: hxxp://flipcoin.co/
Hosting infos: http://whois.domaintools.com/144.208.125.231

inmrvogurin.ru(Pony Hosted In Macao Macau Alan Hqservers Web Studio)

This guy keeps changing domain names but he uses the same shit.
Resolved: [ inmrvogurin.ru ] to [ 163.53.247.144 ]
URLs:
hxxp://inmrvogurin.ru/SY/test/gate.php
hxxp://inmrvogurin.ru/SY/test/admin.php
The TF letters in red are maybe a tribute to trojanforge.
Sample here: hxxp://inmrvogurin.ru/SY/test/micro.exe
Hosting infos: http://whois.domaintools.com/163.53.247.144

paydbills.ru(Pony Hosted In Macao Macau Alan Hqservers Web Studio)

Resolved: [ paydbills.ru ] to [ 163.53.247.144 ]
Behaviours:
1. Attempts to brute force passwords
2. Contains FTP stealing routine
3. Deletes itself
4. Manipulates Internet Explorer settings
5. Runs existing executable
6. Searches for digital certificates
7. Steals data
8. Steals local browser data
9. Suspicious delay
URLs:
hxxp://paydbills.ru/RF/test/gate.php
hxxp://www.facebook.com/
Sample here

jdsiwiqweiqwyreqwi.com (Kasidet aka Neutrino bot)

Thanks to Xylitol for the name of the bot.
Contacted domains:
"34324325kgkgfkgf.com"
"dsffdsk323721372131.com"
"fdshjfsh324332432.com"
"jdsiwiqweiqwyreqwi.com"
Runs shell commands:
"cmd /c C:\Users\PSPUBWS\AppData\Local\Temp\243765.bat" "C:\38650f5c2beb183eaaba236d1b576c255a9be49af34db85705bed16d23ea11" on 2015-6-6 13:57:14.679
Dropped files:
"UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"

spamtheinter.net (Pony loader hosted by ecatel.net)

Resolved spamtheinter.net to 94.102.51.123
Server: spamtheinter.net
Gate file: /pony/gate.php
Hosting infos: http://whois.domaintools.com/94.102.51.123
Related md5 (download sample from Malwr.com):
Pony: ab5c96e927c863a773271347a5713486

main-firewalls.com (Pony stealer hosted by virtacore.com)

Resolved main-firewalls.com to 74.204.171.69
Server: main-firewalls.com
Gate file: /gate.php
Downloaded FakeAV and ZeroAccess
Hosting infos: http://whois.domaintools.com/74.204.171.69
Related md5s (search on malwr.com to download sample):
Pony: a3243c1f6fe92db72af7b5c1f9b207ea