220.127.116.11 - VolumeDrive US
Citadel bot v.18.104.22.168
90% of bots located in India.
Evidence of stolen banking credentials.
This server panel is offline now, and it's been removed from ZeuS Tracker now, so it's OK to publish details about it.
Original ZeuS Tracker page:
Admin panel login:
and kick the door down..
first page of bot details:
(is that your IP?)
Evidence of stealing credentials.
ebs.ca-egypt.com (Crédit Agricole Egypt - Online Banking ePayroll System)
Here are some OS statistics to show what systems get infected.
XP, Win7, Win7 x64 and Server 2008 x64
AntiVirus software is commonly seen running in memory alongside the bot exe. :-)
encryption key: obi
The guy was in the process of updating when I broke in. Oops, sorry about that.
(volumedrive again, US PA - get your shit together)
More details on this host later..
22.214.171.124
nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437
Virus Total detection 5 of 48
malware phones home to:
but the server has already been seen.. https://zeustracker.abuse.ch/monitor.php?host=126.96.36.199
Interesting ports on 188.8.131.52:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open ms-term-serv
Win2k8 R2 Std