Citadel – ViriBack Blog https://viriback.com Malware Tracker, IOCs & more ... Sun, 13 May 2018 20:00:11 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 https://viriback.com/wp-content/uploads/2019/01/cropped-android-chrome-512x512-32x32.png Citadel – ViriBack Blog https://viriback.com 32 32 30 days later – 97 Panels https://viriback.com/30-days-later-97-panels/ Sun, 13 May 2018 19:55:19 +0000 https://viriback.com/?p=42 It’s been one month since I noticed an increase in number of malware communication to a certain IP: 185.6.242[.]251 and the trend has not slowed down in the last 30 days.

The total of web panel malware seen the last 30 days is totalling 97 as of this morning, as shown in this bar graph.

The distribution of malware C2 seen on this ip is uneven. Most are Lokibot and Pony instances, a few ISRStealer, LiteHTTP and Citadel have also been noticed.

A few stats:

  • 1 IP
  • 5 malware families
  • 30 Days
  • 47 Domains
  • 97 C2 Web panel instances
  • 222 MD5 hashes
malware panel_url date
Citadel www.dtron.gdn/testimony/cp.php?m=login 20180420
Citadel nsdic.pp.ru/pilot/cp.php?m=login 20180421
ISRStealer sellychukwu.ru/PHP/ 20180412
LiteHTTP posalive.su/login/ 20180413
Loki bellegin.ru/don-cha11/pen.php 20180412
Loki bellegin.ru/doncha10/pen.php 20180412
Loki bellegin.ru/oshok/pen.php 20180412
Loki gokuu.club/ckan/PvqDq929BSx_A_D_M1n_a.php 20180412
Loki lidgeys.ru/buch-k/pen.php 20180412
Loki lidgeys.ru/buch-m/pen.php 20180412
Loki papgon10.ru/davidm/pen.php 20180412
Loki papgon10.ru/don-12/pen.php 20180412
Loki papgon10.ru/kennyB-1/pen.php 20180412
Loki papgon10.ru/oshok-two/pen.php 20180412
Loki gokuu.club/M/PvqDq929BSx_A_D_M1n_a.php 20180414
Loki braithwalte.co.uk/konvict/five/PvqDq929BSx_A_D_M1n_a.php 20180418
Loki finelets.ru/fankzu/pen.php 20180418
Loki finelets.ru/buch-x3/pen.php 20180420
Loki finelets.ru/buch-x4/pen.php 20180420
Loki topreadz.ru/willy-1/pen.php 20180420
Loki lidgeys.ru/buch-x2/pen.php 20180421
Loki domainsender.info/moon/five/PvqDq929BSx_A_D_M1n_a.php 20180422
Loki dunysaki.ru/buch-x5/pen.php 20180423
Loki joanread.ru/work-1/pen.php 20180423
Loki dunysaki.ru/stephen/pen.php 20180424
Loki topreadz.ru/alexbe/pen.php 20180424
Loki unifarmex.net/Dstan/Panel/five/PvqDq929BSx_A_D_M1n_a.php 20180424
Loki braithwalte.co.uk/smith/five/PvqDq929BSx_A_D_M1n_a.php 20180425
Loki dunysaki.ru/doncha-2/pen.php 20180425
Loki lidgeys.ru/buch-l/pen.php 20180425
Loki vopspyder.website/log/five/PvqDq929BSx_A_D_M1n_a.php 20180425
Loki annamadums.ml/jazzy/PvqDq929BSx_A_D_M1n_a.php 20180426
Loki domainsender.info/sun/five/PvqDq929BSx_A_D_M1n_a.php 20180426
Loki papgon10.ru/don-one/pen.php 20180426
Loki vopspyder.website/home/five/PvqDq929BSx_A_D_M1n_a.php 20180427
Loki joanread.ru/decap/pen.php 20180429
Loki vailablity.ml/vaila/PvqDq929BSx_A_D_M1n_a.php 20180430
Loki braithwalte.co.uk/blam/five/PvqDq929BSx_A_D_M1n_a.php 20180502
Loki unifarmex.net/hsp1/Panel/five/PvqDq929BSx_A_D_M1n_a.php 20180502
Loki unifarmex.net/nesto/Panel/five/PvqDq929BSx_A_D_M1n_a.php 20180502
Loki viettrust-vn.net/samii/PvqDq929BSx_A_D_M1n_a.php 20180502
Loki braithwalte.co.uk/block/five/PvqDq929BSx_A_D_M1n_a.php 20180503
Loki ultrainstinct.ru/file/exe/five/PvqDq929BSx_A_D_M1n_a.php 20180504
Loki lidgeys.ru/buchX-1/pen.php 20180505
Loki topreadz.ru/doncha-3/pen.php 20180507
Loki bollingoes.ml/ngoes/PvqDq929BSx_A_D_M1n_a.php 20180508
Loki cadjetbums.ml/tbums/PvqDq929BSx_A_D_M1n_a.php 20180508
Loki erintoba.info/bbbb/Panel/five/PvqDq929BSx_A_D_M1n_a.php 20180508
Loki eriousimen.ml/eriou/PvqDq929BSx_A_D_M1n_a.php 20180508
Loki lidgeys.ru/eddy/pen.php 20180508
Loki thousandan.ml/andan/PvqDq929BSx_A_D_M1n_a.php 20180508
Loki uy-akwaibom.ru/vinho/Panel/five/PvqDq929BSx_A_D_M1n_a.php 20180510
Loki wheelonexs.ml/wheel/PvqDq929BSx_A_D_M1n_a.php 20180510
Pony hypercosine.ml/cosi/hyper/admin.php 20180412
Pony preutainer.ml/aine/preut/admin.php 20180412
Pony rolexkings.ml/king/rolex/admin.php 20180412
Pony theonlygoodman.com/dort/admin.php 20180412
Pony theonlygoodman.com/sekiz/admin.php 20180412
Pony theonlygoodman.com/yedi/admin.php 20180412
Pony vinglosine.ml/osin/vingl/admin.php 20180412
Pony theonlygoodman.com/bes/admin.php 20180413
Pony erintoba.info/user/admin.php 20180414
Pony theonlygoodman.com/alti/admin.php 20180414
Pony cuogargaming.com/sop/admin.php 20180416
Pony irishgrind.ml/irish/grind/admin.php 20180417
Pony hostelunke.ml/lunke/hoste/admin.php 20180418
Pony efficienci.ml/ienci/effic/admin.php 20180419
Pony grandmoney.ml/money/grand/admin.php 20180419
Pony theonlygoodman.com/on/admin.php 20180419
Pony centranets.ml/anets/centr/admin.php 20180420
Pony dazzlelogs.ml/elogs/dazzl/admin.php 20180422
Pony gokubid.review/chife/panelnew/admin.php 20180423
Pony gokubid.review/indo/panelnew/admin.php 20180423
Pony carikapapa.ml/apapa/carik/admin.php 20180424
Pony cuogargaming.com/klinsnip/admin.php 20180424
Pony braithwalte.co.uk/bass/admin.php 20180425
Pony pharma–partners.com/bfayz/admin.php 20180425
Pony theonlygoodman.com/dokuz/admin.php 20180425
Pony uy-akwaibom.ru/wise/Panel/admin.php 20180425
Pony pharma–partners.com/nonib/admin.php 20180426
Pony taineruder.ml/ruder/carik/admin.php 20180427
Pony totalguage.ml/guage/total/admin.php 20180427
Pony pharma–partners.com/twst/admin.php 20180428
Pony viettrust-vn.net/juzz/admin.php 20180502
Pony braithwalte.co.uk/ajjuu/admin.php 20180503
Pony carikapapa.ml/carik/admin.php 20180503
Pony irishgrind.ml/grind/admin.php 20180503
Pony stauniverseqp.com/roks2/admin.php 20180503
Pony bundletops.ml/bundl/etops/admin.php 20180504
Pony stauniverseqp.com/office1/admin.php 20180504
Pony viettrust-vn.net/adin/admin.php 20180507
Pony hostelunke.ml/lunke/admin.php 20180510
Pony suruperet.ml/eret/surup/admin.php 20180510
Pony taineruder.ml/ruder/admin.php 20180510
Pony theonlygoodman.com/aman/admin.php 20180510
Pony dunysaki.ru/buch-A3/admin.php 20180512
Pony thousandan.ml/lumin/sop/admin.php 20180513
]]>