
azorult stealer unpacked mod strings (2018-01-30)

  1. From sample: https://www.virustotal.com/#/file/943a5b4337bad11108577c0a0dd63028a4f40a5618e8f3f6b75abb5d6163fbbe/community
  2.  
  3. First Submission 2018-01-30 13:53:13
  4.  
  5. CnC (network IOCs — the domain/path below is what to block and hunt for; note the beacon is a POST that labels itself Content-Type: image/jpeg, so content-type-based filtering alone will not catch it. The .bit / DnsQuery_A strings further down suggest .bit-domain resolution may also be supported — unconfirmed, trace the call to verify):
  6. -----
  7.  
  8. doueven.click/gate.php
  9. getcfg=
  10. POST
  11. HTTP/1.0
  12. Host:
  13. Connection: close
  14. Content-Length:
  15. Accept-Language: en-US
  16. Content-Type: image/jpeg
  17. URLDownloadToFileW
  18. urlmon.dll
  19. .bit
  20. DnsQuery_A
  21. dnsapi.dll
  22. bbYzla/ZHAchc9Wh8KBwFt8/Ijtx5N
  23. faSQX/Z/YMw8cua+h7ctWPTyY0MfeJdKU/tAWp9c4xt47xXKQmucPsVM7I7u5LPY7du8ukwqWr1lnpWWgvSi7v7RIfhMHcoGrRbajGxxaKb
  24.  
  25.  
  26. Antidebug trick? (unconfirmed — GlobalMemoryStatusEx is also the obvious source for the "GetRAM:" field of the system-info report listed under "Other" below, so this may be plain host fingerprinting rather than a low-memory sandbox check; decide by checking what the caller does with the result):
  27. ----------------
  28.  
  29. GlobalMemoryStatusEx
  30.  
  31.  
  32.  
  33. Info gathering:
  34. --------------
  35.  
  36. wallets:
  37. -------
  38.  
  39. wallet.dat
  40. \wallet.dat
  41. electrum.dat
  42. \electrum.dat
  43. .wallet
  44. \.wallet
  45. %APPDATA%\MultiBitHD
  46. mbhd.wallet.aes
  47. \MultiBitHD\
  48. \mbhd.wallet.aes
  49. \mbhd.checkpoints
  50. mbhd.checkpoints
  51. \mbhd.spvchain
  52. mbhd.spvchain
  53. \mbhd.yaml
  54. mbhd.yaml
  55. wallet_path
  56. Software\monero-project\monero-core
  57. \Monero\
  58. .address.txt
  59. .keys
  60. strDataDir
  61. Software\Bitcoin\Bitcoin-Qt
  62. \BitcoinBitcoinQT\wallet.dat
  63. Coins
  64.  
  65.  
  66. cookies, autocompletes, history, cache,...:
  67. -------------------------------------------
  68.  
  69. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  70. SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies
  71. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  72. SELECT fieldname, value FROM moz_formhistory
  73. SELECT name, value FROM autofill
  74. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  75. \Cookies
  76. \cookies.sqlite
  77. \*.txt
  78. \*.cookie
  79. .txt
  80. \*.*
  81. \Web Data
  82. .txt
  83. _CC.txt
  84. \*.*
  85. \formhistory.sqlite
  86. Browsers\Cookies
  87. Browsers\AutoComplete
  88. Passwords.txt
  89. CookieList.txt
  90. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
  91. MicrosoftEdge_AC_INetCookies
  92. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
  93. MicrosoftEdge_AC_001
  94. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
  95. MicrosoftEdge_AC_002
  96. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
  97. %APPDATA%\Microsoft\Windows\Cookies\
  98. %APPDATA%\Microsoft\Windows\Cookies\Low\
  99. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  100. </RecentServers>
  101. <RecentServers>
  102.  
  103. Steam:
  104. ------
  105.  
  106. SteamPath
  107. Software\Valve\Steam
  108. Steam
  109.  
  110. Chats:
  111. -----
  112.  
  113. %APPDATA%\Skype
  114. Pidgin
  115. Skype
  116.  
  117. Mail:
  118. -----
  119.  
  120. Outlook
  121. outlookDecrU
  122. FileZilla
  123.  
  124. Browser credential/profile access (not hooking in the API-hook sense: nss3.dll with NSS_Init/NSS_Shutdown is Firefox's NSS library, presumably loaded to decrypt logins.json; \Login Data is the Chromium-family saved-password DB; the list that follows is the set of browser profiles searched):
  125. -------------
  126.  
  127. nss3.dll
  128. NSS_Init
  129. NSS_Shutdown
  130. InternetExplorer
  131. InternetExplorerLow
  132. InternetExplorerINetCache
  133. MicrosoftEdge_AC
  134. InternetExplorer
  135. MozillaFirefox
  136. GoogleChrome
  137. GoogleChrome64
  138. InternetMailRu
  139. YandexBrowser
  140. ComodoDragon
  141. Amigo
  142. Orbitum
  143. Bromium
  144. Chromium
  145. Nichrome
  146. RockMelt
  147. 360Browser
  148. Vivaldi
  149. Opera
  150.  
  151. \Login Data
  152. \logins.json
  153. IS_G_PWDS:
  154. IS_G_BROWSERS:
  155. IS_G_COINS:
  156. IS_G_SKYPE:
  157. IS_G_STEAM:
  158. IS_G_DESKTOP:
  159. G_DESKTOP_EXTS:
  160. G_DESKTOP_MAXSIZE:
  161. DAE:
  162. SOFT:
  163. HOST:
  164. USER:
  165. PASS:
  166. UNKN:
  167. Email
  168. User
  169. Server
  170. Port
  171. Password
  172. User:
  173. Pass:
  174. Mail:
  175. Serv:
  176. Port:
  177.  
  178. </account>
  179. <account>
  180. </Server>
  181. <Server>
  182. </Host>
  183. <Host>
  184. </Port>
  185. <Port>
  186. </User>
  187. <User>
  188. </Pass>
  189. <Pass>
  190. <Pass encoding="base64">
  191. HostName
  192. PortNumber
  193. UserName
  194. Password
  195. </a
  196. </jid>
  197. <jid type="QString">
  198. </password>
  199. <password type="QString">
  200. %Appdata%\Psi+\profiles\
  201. \*.*
  202. \accounts.xml
  203. %Appdata%\Psi\profiles\
  204. </account>
  205. <account>
  206. </name>
  207. <name>
  208. </password>
  209. <password>
  210. </protocol>
  211. <protocol>
  212. %APPDATA%\.purple\accounts.xml
  213. %TEMP%\tempbuffer.dat
  214. .tempcbss
  215. %TEMP%
  216. .txt
  217. main.db
  218. \main.db
  219. \ssfn*
  220. \Config\*.vdf
  221. \Config\
  222. vaultcli.dll
  223. VaultOpenVault
  224. VaultEnumerateItems
  225. VaultGetItem
  226. MicrosoftEdge
  227. Cannot Decrypt
  228. ie9-11
  229. Software\Microsoft\Internet Explorer
  230. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  231. POP3
  232. IMAP
  233. SMTP
  234. HTTP
  235. Server
  236. Cannot Decrypt
  237. CryptUnprotectData
  238. crypt32.dll
  239. Comp(User) :
  240. [Programms]
  241. %userprofile%\desktop
  242. Desktop
  243. </pwds
  244. <coks
  245. </coks
  246. <list
  247. </list
  248. <file
  249. </file
  250.  
  251.  
  252. Other:
  253. -----
  254.  
  255. x32
  256. x64
  257. SOFTWARE\Microsoft\Windows NT\CurrentVersion
  258. ProductName
  259. MachineGuid
  260. SOFTWARE\Microsoft\Cryptography
  261. %TEMP%\WinNtBackend-
  262. .tmp
  263. .exe
  264. PATH
  265. \*.*
  266. CurrentVersion
  267. \Main
  268. Install Directory
  269. Path
  270. TConfig
  271. TSwdPwd
  272. TPwdArray
  273. GlobalVars
  274. GlobalVars
  275. AA6EEE0A-97B7-46FE-BD01-0FC54FD36163-ED03A8DD-6213-4535-8891-5D0A112A3F40
  276. TStringArray
  277. GLOBALFUNC
  278. Windows
  279. CheckTokenMembership
  280. advapi32.dll
  281. ShellExecuteW
  282. shell32.dll
  283. WTSGetActiveConsoleSessionId
  284. kernel32.dll
  285. WTSQueryUserToken
  286. wtsapi32.dll
  287. CreateEnvironmentBlock
  288. userenv.dll
  289. SVW3
  290. PK11_GetInternalKeySlot
  291. PK11_Authenticate
  292. PK11SDR_Decrypt
  293. PK11_FreeSlot
  294. ,"logins":[{
  295. timesUsed":
  296. ,"hostname":"
  297. ","
  298. encryptedUsername":"
  299. encryptedPassword":"
  300. .tmp
  301. %TEMP%
  302. \*.*
  303. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  304. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  305. Version
  306. PVAULT_CRED8
  307. EdgePwds
  308. CLSIDFromString
  309. ole32.dll
  310. JUFQUERBVEElXGZpbGV6aWxsYVxyZWNlbnRzZXJ2ZXJzLnhtbA==
  311. </roster-cache>
  312. <roster-cache>
  313. PsiPlus
  314. Psi
  315. 1610149366
  316. JUxPQ0FMQVBQREFUQSVcR29vZ2xlXENocm9tZVxVc2VyIERhdGFc
  317. DisplayName
  318. DisplayVersion
  319. CPU Model:
  320. ProcessorNameString
  321. HARDWARE\DESCRIPTION\System\CentralProcessor\0
  322. /c timeout 1 & del "
  323. shell32.dll
  324. Software\Microsoft\Windows\CurrentVersion\Uninstall
  325. Software\Microsoft\Windows\CurrentVersion\Uninstall\
  326. CPU Count:
  327. GetRAM:
  328. GPU Info
  329. ========
  330. MachineID :
  331. EXE_PATH :
  332. DLL_PATH :
  333. Windows :
  334. 3C6CD5AB-3C41-4BE4-8A45-3AB5EDDCFC61
  335. 2FFD9CA6-360E-4D18-ABB8-A3DF730589AB
  336. exit
  337. BIN:
  338. SYSInfo.txt
  339. reportdata=<info