Panel party - Loki, Pony.

Hunting via Hybrid Analysis I identified persistent offender(s) storing content on a panel. I kept my eye on it for a while, and when it was busy enough, I managed to get the entire server configuration panels.

Wallet stealer
  1. Loki admin
  2. Pony admin

Usernames, passwords for MySQL and database configurations, over 100 lists of target applications, BTC wallets, FTP clients, browsers, games

The most interesting thing for was that Loki has a POS module.

Here is the contents, ping me it become unavailable

  • SHASUM: 591cc7fe34d5cd76c7bd8be4ee9d94741e293946

Have fun.