W3ndige

2019-09-20-danabot-iocs

Sep 20th, 2019
* VBS network connections:
194.32.78[.]85:443
31.214.157[.]14:80

* Domains:
minopells[.]xyz|194.32.78[.]85
seioooi[.]xyz|31.214.157[.]14

* Domains found in Explorer.EXE memory:
buismashallah[.]at
ey7kuuklgieop2pq[.]onion

* URLs found in Explorer.EXE memory:
hxxp://shoshanna[.]at/images/eEfnxMewtb/I9AeYNwCfQwIkCRhm/J1IBuvozvG67/pg_2Fy9xcSI/_2BcFNX0PkJz5t/6rTcnU_2B99DMTDSnXxUo/fcYxNb7xVXRxkiUw/nCLQNj8qHQqYQiY/biGuPIoNP_2F_2BlbN/exCxLKQJy/YIjke6u6Rx4nDEdET

* Explorer.EXE network connections:
151.251.23[.]210:80
79.136.8[.]168:80

* DNS records returned for the Explorer.exe query for shoshanna[.]at (two separate responses):

shoshanna.at: type A, class IN, addr 201.189.177.2
shoshanna.at: type A, class IN, addr 46.209.12.222
shoshanna.at: type A, class IN, addr 151.251.23.210
shoshanna.at: type A, class IN, addr 91.201.175.46
shoshanna.at: type A, class IN, addr 124.195.215.242
shoshanna.at: type A, class IN, addr 31.5.167.149
shoshanna.at: type A, class IN, addr 217.27.35.117
shoshanna.at: type A, class IN, addr 197.255.225.117
shoshanna.at: type A, class IN, addr 89.215.216.77
shoshanna.at: type A, class IN, addr 37.34.225.14

and

shoshanna.at: type A, class IN, addr 79.136.8.168
shoshanna.at: type A, class IN, addr 188.254.186.158
shoshanna.at: type A, class IN, addr 95.158.162.200
shoshanna.at: type A, class IN, addr 201.189.177.2
shoshanna.at: type A, class IN, addr 46.10.66.102
shoshanna.at: type A, class IN, addr 46.237.80.152
shoshanna.at: type A, class IN, addr 151.251.23.210
shoshanna.at: type A, class IN, addr 37.247.216.118
shoshanna.at: type A, class IN, addr 91.201.175.46
shoshanna.at: type A, class IN, addr 188.112.188.207

* At a later stage there were webinjects in Explorer.EXE memory referencing this domain:
vaunuty[.]online