New Citadel Hermes trojan IP address to block: 46.28.71.19

The Hermes C&C domains have moved to a new address at 46.28.71.19.
Information from the Fox-IT International blog, provided by Michael Sandee.
See: http://urlquery.net/report.php?id=131791 (also hosting the Sakura exploit kit…)

polonus

The IDS alert that was flagged for this source IP is http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
(gen_id 120, sig_id 3, type limit, track by_src, count 1; the alert is limited to once per 10 minutes).
See: http://129.81.224.37/base_qry_main.php?new=1&layer4=TCP&num_result_rows=-1&sort_order=time_d&submit=Query+DB
A valuable resource, this Windows Intrusion Detection System!

polonus
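To show what that http_inspect alert and its "type limit, track by_src, count 1 / 10 minutes" threshold actually mean, here is an added example (my own code, not part of the thread or of the IDS): it checks whether an HTTP response carries neither Content-Length nor Transfer-Encoding and rate-limits the resulting alerts per source exactly as the threshold does. The sample responses and the 192.0.2.x / 198.51.100.x addresses are constructed for the demo.

```python
# Constructed sample (src_ip, timestamp_seconds, raw_http_response); not captured traffic.
SAMPLE_RESPONSES = [
    ("192.0.2.10", 100.0, "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("192.0.2.10", 160.0, "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("198.51.100.7", 170.0, "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("198.51.100.7", 180.0, "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    ("198.51.100.7", 190.0, "HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"),
    ("192.0.2.10", 800.0, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>"),
]

def missing_length_framing(raw):
    """True when a response has neither Content-Length nor Transfer-Encoding,
    the condition behind http_inspect gen_id 120 / sig_id 3. Responses that
    cannot carry a body (1xx, 204, 304) are excluded; a 200 framed only by
    connection close is legal HTTP/1.0 behaviour, which is why this alert is
    noisy enough to need a per-source threshold."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return False                       # not an HTTP response at all
    code = parts[1]
    if code.startswith("1") or code in ("204", "304"):
        return False                       # bodiless by definition
    names = {line.split(":", 1)[0].strip().lower()
             for line in header_block.split("\r\n") if ":" in line}
    return not ({"content-length", "transfer-encoding"} & names)

class SourceLimiter:
    """Snort-style 'type limit, track by_src, count N, seconds S': pass the
    first N events per source in each window, suppress the rest until it ends."""
    def __init__(self, count=1, seconds=600):
        self.count, self.seconds = count, seconds
        self.windows = {}                  # src -> [window_start, events_seen]
    def allow(self, src, ts):
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            self.windows[src] = [ts, 1]    # open a fresh window for this source
            return True
        self.windows[src][1] += 1
        return seen < self.count

def scan(responses, limiter=None):
    """Return the (src, ts) pairs that would actually reach the analyst."""
    limiter = limiter or SourceLimiter()
    return [(src, ts) for src, ts, raw in responses
            if missing_length_framing(raw) and limiter.allow(src, ts)]

if __name__ == "__main__":
    print(scan(SAMPLE_RESPONSES))   # [('192.0.2.10', 100.0), ('192.0.2.10', 800.0)]
```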

Here we see that avast is not yet detecting this trojan: https://www.virustotal.com/file/F42E71F3E5121412E2C82D7AC982E5036F63D39C1C6591C3630F6B3FD8A48180/analysis/
Also see: http://malwr.com/analysis/20be4f07f9a12c35463361a7212ca5ff/

polonus