(smokeloader Loader + TeamViewer Rat)

Smoke Loader is used to infect with team viewer rat 4.34-2mb size of executable. Domains : Ip’s : Samples : hxxp:// hxxp:// hxxp:// hxxp:// hxxp:// hxp:// : The whole archive (shells, emailer, samples), his gmail address too. This guy looks like big russki hecker.

(Smoke loader hosted by fastflux botnet)

Server: Gate file: /forum/index.php Hosting info: ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A 150 IN A

(Smokeloader hosted by

Resolved to Server: Gate file: /sm/index.php Logging into hxxp:// with guest:guest works. Anyone want to test if the sqli got fixed? Hosting infos: Related md5s (Search on to download samples) Smokeloader: 4c438005e17b968813f3df1fb2e15f4a

(Citadel banking malware hosted by home ip?)

Server: Config file: /hide/1355/file.php Gate file: /hide/1355/enter.php According to whois, this is a home cable internet ip (United States Concord Astound Broadband). Also on the server, smoke loader and pony Smoke Server: Gate file: /smokeldr/index.php Pony Server: Gate file: /js/gate.php The moron running this has Pony downloading itself, creating a continuous

(Smoke loader http botnet proxied by cloudflare)

Resolved to, (Cloudflare ips) Server:, Alternate domain: (Currently has non-responsive nameservers) Gate file: /admin/index.php This is the latest skid who uses cloudflare to help host his botnet. Maybe this time they’ll do something about it? Hosting infos: Edit: CloudFlare received your abuse report dated February 24, 2013 regarding:

(Smoke loader http botnet hosted by

Resolved to Server: Gate file: /pics/index.php This is the new smokebot domain of the installs guy. His previous domain is currently hosted on the same server. Sample: hxxp:// Hosting infos:

(smoke loader http botnet hosted by

Resolved to Server: Gate file: /admin/index.php A pity the guest.php credentials have been changed from the default or fun could have been had. Download the panel from here if you want it: hxxp:// Hosting infos: