[Xylitol]

i don't think we will broke it, for sure the pw used isn't in a dir brute list
for /if_Career/:

Code: Select all

-l admin -P pwd.lst -s 80 -w 64 -f -V 62.76.177.123 http-post-form "/if_Career/admin.php:pass=^PASS^:Log in"

but i'm sure this is a waste of time

[unixfreaxjp]

i don't think we will broke it, for sure the pw used isn't in a dir brute list

Roger. Thank you very much.

[unixfreaxjp]

i don't think we will broke it, for sure the pw used isn't in a dir brute list

Fortunately, I broke, wacked, and flushed all of this evil moronz service. All are evidence and tt's sent to FBI now.
These moronz lifetime is going to come.. If they think their evil service can fool us forever they'd better start to pray..

Friends, please see the data pasted below well, and learn it, spread it into your colleages so people can be MORE aware o fthis threat in real, and the court can be faster to issue the arrest warrant for my captured ID sooner.
I always thank Xylit0l who invited here & guide me from day zero.

PoC:

login panel:

this is for xylit0l w/thx!

the first layer of the DB:

second layer of the DB:

(all of the privacy ID IS NOT EXPOSED, the ID exposed above are malware related ID for evidence)
Wacked, PoC↓

This time I am sorry can not share database, I even erased it already from my PC.

God loves the braves! Slain Malware! Made them go to Jail! #MalwareMustDie!

[Xylitol]

yup webinject panel, btw 62.76 is a nginx proxy

[unixfreaxjp]

yup webinject panel, btw 62.76 is a nginx proxy

I can go very far with these.. Shall we?

[unixfreaxjp]

yup webinject panel, btw 62.76 is a nginx proxy

Xylit0l! Congrats friend. Is down DOWNNNNNNNN!! :D
No more Spam to Redirector Injector to BHEK to Cridex / Fareit no more!!!
yesss!! I'll drink for this, hahaha!
I am sorry, so happy! forgive my language! )))

[Xylitol]

Current urls

Code: Select all

htxp://82.100.228.130:8080/mx/2C/panel/
htxp://82.100.228.130:8080/mx/2C/in/cp.php
htxp://82.100.228.130:8080/if_Career/admin.php

[d.l.]

Code: Select all

http://37.139.47.124/if_Career/admin.php
http://37.139.47.124/mx/4A/in/cp.php
 
Another encoded IP's
http://188.117.44.241:8080
http://88.119.156.20:8080
http://217.65.100.41:8080
http://46.175.224.21:8080
http://203.114.112.156:8080

sample: 5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e

[Horgh]

https://www.virustotal.com/en/file/6abc ... /analysis/

sample + dump in the archive.

Cridex.B.7z

pwd : infected
(65.2 KiB) Downloaded 95 times

[EP_X0FF]

Cridex, payload of BH EK + deobfuscated dropper in attach.

SHA256: 875b0dd79d8bf426963a6de4b7ff83aea602a576e32d92b739d48e81bd5c6c41
SHA1: 0662abda182c3ac34adbefdd91d098994e917d79
MD5: f5955fbaeb424a7021e2f6fb5ece05b9

https://www.virustotal.com/en/file/875b ... /analysis/