Monday, July 29, 2013

PinkShop - Carder Shop
This pepto-bismol themed shop is selling stolen credit card details.
(These domains redirect to
OriginAS:       AS25761
I contacted both Staminus and CloudFlare about this domain. 

Adverts for shop:

Another advert:

Google the ICQ or admin email for this shop. You will see more ads.

The design of this site is so awful that it may damage your eyes. 

Login screen with some SEO keywords:

sell dumps, buy dumps, buy cvv, buy cvv2, sell dumps, sell track2, buy track2, buy cards,cheap cvv,buy cvv,sell cvv,fresh cvv,good cvv,buy good cvv,sell good cvv,best cvv,fresh paypal,carders market,check cvv,cvv2 dump,buy cvv online

Hideous welcome page:

User agreement and rules of site. (Lol)

Dumps - "a term which refers to stolen credit card data"



Fund Balance:
(see below for BlockChain details) (and Lol)  

(bottom of Funding page):

Contact :
No authentication check on this page.

Contact details:
ICQ: 627809737
Email :
Yahoo ID:

new > FULLZ 
 note the 1337 use of Z in FULLZ - pretty cool.

Bitcoin address for PinkShop payments: 

No. Transactions: 63
Total Received: 12.43884827 BTC

The same bitcoin address is used to collect funds on other carding sites.

The admin is so lazy - he just copy/pastes the same code all over!!
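Pivoting on a shared payment address is the useful bit here, so as an added example (mine, not from the post) here is that check in Python: pull Bitcoin address candidates out of page source, drop the ones that fail the Base58Check checksum (the same double-SHA256 check a wallet does), and group sites by address. The site names and page snippets are constructed; the addresses in them are generated from made-up hash160 values with the same encoder, so nothing here is a real wallet.

```python
import hashlib
import re
from collections import defaultdict

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload):
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload)), base58
    encoded, with one leading '1' per leading zero byte of the full buffer."""
    full = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(full, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(full) - len(full.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_decode(text):
    """Inverse of b58check_encode; returns the payload, or None if a character
    is outside the alphabet or the 4-byte checksum does not match."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    full = b"\x00" * leading_ones + body
    if len(full) < 5 or _double_sha256(full[:-4])[:4] != full[-4:]:
        return None
    return full[:-4]


def is_valid_btc_address(text):
    """Legacy (2013-era) address: version byte 0x00 (P2PKH) or 0x05 (P2SH)
    followed by a 20-byte hash. Bech32 (bc1...) did not exist yet; not handled."""
    payload = b58check_decode(text)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


# Candidate pattern: legacy addresses start with 1 or 3 and use the base58 alphabet.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(html):
    """All checksum-valid addresses in a page; regex hits that fail Base58Check are dropped."""
    return {m for m in ADDRESS_RE.findall(html) if is_valid_btc_address(m)}


def shared_addresses(pages):
    """Map each address seen on more than one site to the sorted list of those sites."""
    sites_by_address = defaultdict(set)
    for site, html in pages.items():
        for address in extract_addresses(html):
            sites_by_address[address].add(site)
    return {a: sorted(s) for a, s in sites_by_address.items() if len(s) > 1}


# Constructed demo data: the hash160 values are made up, so these are not real wallets.
ADDR_SHARED = b58check_encode(b"\x00" + bytes(range(1, 21)))
ADDR_SINGLE = b58check_encode(b"\x00" + bytes(range(101, 121)))
# ADDR_SHARED with its last character changed: still matches the regex, fails the checksum.
ADDR_CORRUPT = ADDR_SHARED[:-1] + ("2" if ADDR_SHARED[-1] != "2" else "3")

SAMPLE_PAGES = {  # hypothetical site names, constructed page fragments
    "pinkshop.example": "<p>Send BTC to: " + ADDR_SHARED + "</p>",
    "otherdumps.example": "<td>Wallet " + ADDR_SHARED + "</td><td>" + ADDR_SINGLE + "</td>",
    "unrelated.example": "<p>typo'd address " + ADDR_CORRUPT + "</p>",
}

if __name__ == "__main__":
    for address, sites in shared_addresses(SAMPLE_PAGES).items():
        print(address, "->", ", ".join(sites))
```

The checksum step matters: scraped pages are full of base58-looking junk (hashes, session tokens), and an address that only appears on one site proves nothing. A checksum-valid address shared by several shops is a decent pivot, and the explorer numbers (transaction count, total received) then describe the whole cluster, not one shop.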

More notes:

In the source of the site, a reference to the folder bulba.cc_files.
Stolen source or same admin? Who cares. I would bet that all this garbage is offline soon. and 

good god - this is gross looking. 

Various Admin Contact Infos:

ICQ: 355555559
Yahoo Messenger >

Support / ICQ: 617580016

Contact support by hand
ICQ: 617580016
Email :

Wednesday, July 10, 2013

ZeuS Banking Trojan Botnet

ZeuS Banking Trojan C&C Server
Estimated Size:  500+ bots (small) 
Targeting: UA and RU

some of the banks being targeted:

URL listing on Cyber Crime Tracker

WHOIS details on the host network
inetnum:        -
netname:        Clodo-Cloud
descr:          IT House, Ltd
person:         Maxim Dyubarev
address:        Kalyazinskaya,7, Saint-Petersburg, Russia, 194017

descr:          IT House, Ltd
origin:         AS57010
mnt-by:         ROSNIIROS-MNT

(no abuse email address) 

Some info from VirusTotal

I forgot to take a screenshot of the auth page. I went back and checked today and the server IP is now filtering all ports. The URL structure page.php?m=login is characteristic of ZeuS control panel login pages.

Nmap scan report for
Host is up. 
All 100 scanned ports on are filtered

Each bot has its own subdirectory under /reports/ on the C&C. When the server was online, the bad guys forgot to deny directory listings, which allowed me to browse around the "reports" folder. This is where bots upload data such as stolen credentials, screenshots, keystroke log files, etc. 
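An added example (mine, not part of the original post) of the two things above in Python: flagging a panel URL by the ".php?m=login" pattern, and pulling the per-bot subdirectory names out of an exposed Apache-style directory listing of /reports/. The listing HTML and bot names are constructed for the demo. The stock ZeuS 2.x panel script is cp.php while this server used page.php, so the check keys on the query string and script extension rather than on a filename.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the exposed Apache autoindex of the C&C's /reports/ folder.
# Bot directory names are made up; the layout mirrors a default "Index of" page.
SAMPLE_REPORTS_INDEX = """<html><head><title>Index of /reports</title></head>
<body><h1>Index of /reports</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="WIN-A1B2C3_0F3E1D2C/">WIN-A1B2C3_0F3E1D2C/</a>
<a href="USER-PC_7A7B7C7D/">USER-PC_7A7B7C7D/</a>
<a href="files.zip">files.zip</a>
</pre></body></html>"""


def looks_like_zeus_login(url):
    """True for a ZeuS-style panel login URL: a .php script with the query m=login.
    The stock ZeuS 2.x panel uses cp.php and the server in the post used page.php,
    so the filename is not trusted, only the .php extension and the query string."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    query = parse_qs(parts.query)
    return query.get("m", [""])[0].lower() == "login"


class _Links(HTMLParser):
    """Collect href values from anchor tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_autoindex(html):
    """Apache/nginx auto-generated listings carry an 'Index of /...' title."""
    return re.search(r"<title>\s*Index of /", html, re.IGNORECASE) is not None


def list_bot_dirs(html):
    """Return the per-bot subdirectory names from an exposed /reports/ listing,
    skipping the column-sort links (?C=...), the parent link, and plain files."""
    if not is_autoindex(html):
        return []
    parser = _Links()
    parser.feed(html)
    dirs = []
    for href in parser.hrefs:
        if href.startswith(("?", "/")) or not href.endswith("/"):
            continue
        dirs.append(href.rstrip("/"))
    return dirs


if __name__ == "__main__":
    print(looks_like_zeus_login("http://c2.example/panel/page.php?m=login"))
    print(list_bot_dirs(SAMPLE_REPORTS_INDEX))
```

The directory count from list_bot_dirs is a quick, conservative size estimate for a panel like this one (each directory is one bot that has reported in), and the login check is cheap enough to run over every URL a tracker feed hands you.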

Here are screenshots I found of victims logging into bank accounts:

Usually the web injects and built-in credential-stealing modules are all these crooks need to steal from victims' bank accounts. Banks are starting to use additional (multi-factor) verification/authentication methods, so the bad guys take screenshots to see how the login flow works.. see the shot of the auth window above. 

More victim bank accounts

Personal Email Accounts
There were also screenshots of personal email accounts on these domains:

Bitcoin Miner
As if stealing money directly from victims' bank accounts is not lucrative enough, these assholes were mining for BitCoin on their bots as well. 

In the same directory as the panel on this server, I found a zip archive which contained a file, wuaxctl.exe.
> wuaxctl.exe

Russian Newspaper Editor Targeted

I also found some interesting screenshots - not just victims browsing to their online bank sites. This looks like a Russian newspaper or similar. This victim started up Adobe InDesign and then began editing a document..

ZeuS banking trojan screen shot taken of victim editing news print files.


Does anyone recognize this newspaper, or speak Russian and can translate? 

It would be nice to let this organization know that they are infected with a banking trojan, and it's probably not on just one machine. 

Wednesday, July 3, 2013

FakeAV - Affiliate
ZBot / ZeroAccess
Advert Panel > > >
netname:      TOEN
descr:            TOEN INCORPORATED
descr:            Middle East, U.A.E.

country:         AE

UPDATE 7/12/13 - Still Active
same server, same panel, same stats. 

I took another sample to check out. 

AV detection is up from 22/46
but still, 20 vendors don't detect this fucker.. WTF 


The .pcap file shows a DNS query to find >

After the DNS lookup, 21.1.exe talks to via HTTP and makes some requests like: 
hxxp://  (404, LOL) 

After this chatter it downloads a file, "SCC", which appears to be clean.

Next, another api/ping GET

And then this: 

I'll dig into this more when I have time. 

Original Post:

First posted on in 2012!

07-11-2012 FakeAV PC Defender Plus

Panel still online


Money: $ 0 
no shit. 


Sub Acc

Get .exe

This page builds a new binary and associates it with a subaccount for tracking the install.

I built a test .exe (21.21) and submitted it to VirusTotal. After I did this, I checked the Geo page and saw that there is a new install from France (must be the VirusTotal sandbox allowing the exe to run).

The first two builds (21.1.exe and 21.566.exe) were already in the panel.

(VT 22/46)

(VT 22/47)

21.21.exe (test build)
(VT 22/47)

Tuesday, July 2, 2013

Umbra Loader - Aldi Nord Clean

Found an Umbra Loader panel today and had a look inside..

hosted on: -

again, shared hosting...good spot for your panel, moron.



(see below for details on this binary)

Some pretty dope stats:
(nobody is online ??)



VT 33/47 (Lol)

Aldi Bot (aldi-nord-clean.exe) 

Ran the binary through Anubis and got a .pcap file with some DNS and HTTP traffic.

DNS query: type A, class IN
DNS response: type A, class IN, addr

C&C Aldi Server

Whois info:
inetnum: -
netname:        MAIN-HOSTING-SERVERS
descr:          Main Hosting Servers
country:        US

c24 Stealer and HC Stealer

Crime24.Net Stealer by Ganja - Panel based on iStealer 6

This software appears to be used for stealing credentials (Steam, FTP, etc.) and product keys, and is a generic keylogger for grabbing IMs and mail. See below.

hosted at:

ok...shared hosting, good place to put your panels.

Login panel:

Main (Logs) view:

List applications:

Export logs:

HC Stealer:

Not sure if they share a SQL db or config files, but they appear to have the same 'victim' PC in each panel.
Looks like the only data captured was a Windows XP product key.. sweet.

I can't even look at this one anymore, the design reminds me of HF trash.