Tag: smokeloader

bookwormsbiorhythm.top (Smoke Loader + TeamViewer RAT)

Smoke Loader is used to infect with TeamViewer RAT 4.34 (2 MB executable).
Domains: bookwormsbiorhythm.top, charlesadvanced.top
IPs: 185.81.113.86:80, 200.7.98.161:80, 104.16.41.2:443, 217.23.11.14:80, 23.51.123.27:80, 92.122.201.2:443, 92.122.122.136:80
Samples: hxxp://185.81.113.106/ital2.exe, hxxp://200.7.105.4/ital1.exe, hxxp://200.7.98.161/myonly3d.exe, hxxp://theplatonicsolid.com/cftmon.exe, hxxp://memorywedge.net/11/cftmon.exe
hxxp://memorywedge.net/11/1.zip: the whole archive (shells, emailer, samples), his Gmail address too. This guy looks like a big russki hecker.

frineon.su (Smoke Loader hosted by fast-flux botnet)

Server: frineon.su
Gate file: /forum/index.php
Hosting info:
;; QUESTION SECTION:
;frineon.su. IN A
;; ANSWER SECTION:
frineon.su. 150 IN A 91.188.52.67
frineon.su. 150 IN A 212.92.228.65
frineon.su. 150 IN A 109.200.244.121
frineon.su. 150 IN A 76.66.174.231
frineon.su. 150 IN A 98.218.49.187
frineon.su. 150 IN A 72.185.70.143
frineon.su. 150 IN A 72.185.199.204
frineon.su. 150 IN A

Predhost.in (Smoke Loader hosted by Digitalocean.com)

Resolved predhost.in to 198.199.109.163
Server: Predhost.in
Gate file: /sm/index.php
Logging into hxxp://predhost.in/sm/guest.php with guest:guest works. Anyone want to test if the SQLi got fixed?
Hosting info: http://whois.domaintools.com/198.199.109.163
Related MD5s (search on malwr.com to download samples):
Smoke Loader: 4c438005e17b968813f3df1fb2e15f4a

64.85.233.8 (Citadel banking malware hosted on a home IP?)

Server: 64.85.233.8
Config file: /hide/1355/file.php
Gate file: /hide/1355/enter.php
According to whois, this is a home cable internet IP (United States, Concord, Astound Broadband).
Also on the server: Smoke Loader and Pony.
Smoke Loader
Server: 64.85.233.8
Gate file: /smokeldr/index.php
Pony
Server: 64.85.233.8
Gate file: /js/gate.php
The moron running this has Pony downloading itself, creating a continuous

aeonhf.net (Smoke Loader HTTP botnet proxied by Cloudflare)

Resolved aeonhf.net to 173.245.60.168, 173.245.61.168 (Cloudflare IPs)
Server: aeonhf.net
Alternate domain: aminserve.info (currently has non-responsive nameservers)
Gate file: /admin/index.php
This is the latest skid who uses Cloudflare to help host his botnet. Maybe this time they'll do something about it?
Hosting info: ecatel.info
Edit: CloudFlare received your abuse report dated February 24, 2013 regarding: aeonhf.net

imageshoster.ru (Smoke Loader HTTP botnet hosted by santrex.net)

Resolved imageshoster.ru to 46.166.169.187
Server: imageshoster.ru
Gate file: /pics/index.php
This is the new Smoke bot domain of the beerpigfarm.ru installs guy. His previous domain adzu324nbasmdaoias.su is currently hosted on the same server.
Sample: hxxp://46.166.177.120/smo
Hosting info: http://whois.domaintools.com/46.166.169.187

sharesend.info (Smoke Loader HTTP botnet hosted by voxility.net)

Resolved sharesend.info to 37.221.170.8
Server: sharesend.info
Gate file: /admin/index.php
A pity the guest.php credentials have been changed from the default, or fun could have been had. Download the panel from here if you want it: hxxp://sharesend.info/admin/admin.zip
Hosting info: http://whois.domaintools.com/37.221.170.8