- From sample: https://www.virustotal.com/#/file/943a5b4337bad11108577c0a0dd63028a4f40a5618e8f3f6b75abb5d6163fbbe/community
- First Submission 2018-01-30 13:53:13
- CnC:
- -----
- doueven.click/gate.php
- getcfg=
- POST
- HTTP/1.0
- Host:
- Connection: close
- Content-Length:
- Accept-Language: en-US
- Content-Type: image/jpeg
- URLDownloadToFileW
- urlmon.dll
- .bit
- DnsQuery_A
- dnsapi.dll
- bbYzla/ZHAchc9Wh8KBwFt8/Ijtx5N
- faSQX/Z/YMw8cua+h7ctWPTyY0MfeJdKU/tAWp9c4xt47xXKQmucPsVM7I7u5LPY7du8ukwqWr1lnpWWgvSi7v7RIfhMHcoGrRbajGxxaKb
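Detection logic reconstructed from the beacon strings above (POST, HTTP/1.0, Connection: close, Content-Type: image/jpeg, gate.php, getcfg=, reportdata=, .bit with DnsQuery_A). This is an added example, not code from the paste or from the sample itself. The two HTTP requests and the DNS names it checks are constructed for the example; only the host doueven.click, the path and the header values come from the dump.

```python
"""Flag the stealer's check-in pattern: a POST to gate.php that claims to be
a JPEG but carries a form-encoded body, plus DNS lookups for the .bit
(Namecoin) pseudo-TLD that does not exist in the public root.

Added example; the sample requests below are constructed, not captured.
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
BEACON_PARAMS = (b"getcfg=", b"reportdata=")   # body prefixes seen in the strings


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), version.decode(), headers, body


def beacon_indicators(raw: bytes) -> list:
    """Return every indicator from the dump that one request matches."""
    method, path, version, headers, body = parse_http_request(raw)
    hits = []
    if method == "POST" and path.endswith("/gate.php"):
        hits.append("post_to_gate_php")
    if version == "HTTP/1.0":
        hits.append("http_1_0")
    if headers.get("connection", "").lower() == "close":
        hits.append("connection_close")
    content_type = headers.get("content-type", "")
    # The header says JPEG; a real JPEG starts with FF D8 FF.
    if content_type.startswith("image/jpeg") and not body.startswith(JPEG_MAGIC):
        hits.append("jpeg_content_type_without_jpeg_body")
    if body.startswith(BEACON_PARAMS):
        hits.append("form_body_in_fake_image")
    return hits


def is_beacon(raw: bytes) -> bool:
    """A gate.php POST whose 'image' is really form data is the strong signal;
    HTTP/1.0 and Connection: close alone are too common to alert on."""
    hits = beacon_indicators(raw)
    return "post_to_gate_php" in hits and (
        "form_body_in_fake_image" in hits
        or "jpeg_content_type_without_jpeg_body" in hits
    )


# Namecoin .bit names need a non-standard resolver; any query for one is odd.
BIT_TLD = re.compile(r"\.bit\.?$", re.IGNORECASE)


def is_namecoin_query(qname: str) -> bool:
    return bool(BIT_TLD.search(qname.strip()))


# Constructed traffic for the example (not a real capture).
BEACON = (
    b"POST /gate.php HTTP/1.0\r\n"
    b"Host: doueven.click\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 11\r\n"
    b"Accept-Language: en-US\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"getcfg=1234"
)
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: photos.example\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0\x00\x10"
)

if __name__ == "__main__":
    print(beacon_indicators(BEACON), is_beacon(BEACON))
    print(beacon_indicators(BENIGN_UPLOAD), is_beacon(BENIGN_UPLOAD))
    print(is_namecoin_query("cnc.example.bit"), is_namecoin_query("bitcoin.org"))
```

The JPEG-magic check is the part worth keeping in a real rule: the Content-Type header is attacker-controlled, so the body, not the header, decides whether the "image" is an image.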
- Antidebug / anti-sandbox check? (GlobalMemoryStatusEx: a low-RAM check is a common sandbox-evasion trick, but the same call would also serve the GetRAM: sysinfo field listed under Other):
- ----------------
- GlobalMemoryStatusEx
- Info gathering:
- --------------
- wallets:
- -------
- wallet.dat
- \wallet.dat
- electrum.dat
- \electrum.dat
- .wallet
- \.wallet
- %APPDATA%\MultiBitHD
- mbhd.wallet.aes
- \MultiBitHD\
- \mbhd.wallet.aes
- \mbhd.checkpoints
- mbhd.checkpoints
- \mbhd.spvchain
- mbhd.spvchain
- \mbhd.yaml
- mbhd.yaml
- wallet_path
- Software\monero-project\monero-core
- \Monero\
- .address.txt
- .keys
- strDataDir
- Software\Bitcoin\Bitcoin-Qt
- \BitcoinBitcoinQT\wallet.dat
- Coins
- cookies, autocompletes, history, cache,...:
- -------------------------------------------
- SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
- SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies
- SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
- SELECT fieldname, value FROM moz_formhistory
- SELECT name, value FROM autofill
- SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
- \Cookies
- \cookies.sqlite
- \*.txt
- \*.cookie
- .txt
- \*.*
- \Web Data
- .txt
- _CC.txt
- \*.*
- \formhistory.sqlite
- Browsers\Cookies
- Browsers\AutoComplete
- Passwords.txt
- CookieList.txt
- %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
- MicrosoftEdge_AC_INetCookies
- %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
- MicrosoftEdge_AC_001
- %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
- MicrosoftEdge_AC_002
- %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
- %APPDATA%\Microsoft\Windows\Cookies\
- %APPDATA%\Microsoft\Windows\Cookies\Low\
- %LOCALAPPDATA%\Microsoft\Windows\INetCache\
- </RecentServers>
- <RecentServers>
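A file-access check built from the wallet and browser artifact names in the two lists above. This is an added example, not code from the paste: it takes the file names the sample looks for (wallet.dat, electrum.dat, mbhd.wallet.aes, cookies.sqlite, formhistory.sqlite, Web Data, Login Data, logins.json, the IE/Edge cookie folders) and flags a read by any process other than the application that owns the file. The owner table and the event records are assumptions for the example; the event fields mirror a Sysmon/EDR file-read record and the stealer's process path reuses the %TEMP%\WinNtBackend-*.tmp.exe pattern listed under Other.

```python
"""Flag reads of wallet and browser credential stores by foreign processes.

Added example. ARTIFACT_OWNERS is an assumption: which process is allowed
to open which artifact in your environment. EVENTS are constructed.
"""
import fnmatch
import ntpath

# artifact file-name pattern (lower-case) -> processes that legitimately open it
ARTIFACT_OWNERS = {
    "wallet.dat": {"bitcoin-qt.exe", "bitcoind.exe"},
    "electrum.dat": {"electrum.exe"},
    "*.wallet": set(),                          # no owner: always suspicious
    "mbhd.wallet.aes": {"multibit hd.exe"},     # MultiBitHD (assumed image name)
    "*.keys": {"monero-wallet-gui.exe"},        # Monero (assumed image name)
    "cookies.sqlite": {"firefox.exe"},
    "formhistory.sqlite": {"firefox.exe"},
    "logins.json": {"firefox.exe"},
    "cookies": {"chrome.exe", "msedge.exe"},    # Chromium profile file "Cookies"
    "web data": {"chrome.exe", "msedge.exe"},
    "login data": {"chrome.exe", "msedge.exe"},
}

# IE / legacy Edge cookie folders from the dump; matched on the directory.
COOKIE_DIRS = ("\\inetcookies\\", "\\microsoftedge\\cookies\\", "\\windows\\cookies\\")
COOKIE_DIR_OWNERS = {"iexplore.exe", "microsoftedge.exe", "microsoftedgecp.exe", "explorer.exe"}


def classify_event(image: str, target: str):
    """Return (artifact, reason) for a suspicious read, or None."""
    proc = ntpath.basename(image).lower()
    name = ntpath.basename(target).lower()
    for pattern, owners in ARTIFACT_OWNERS.items():
        if fnmatch.fnmatch(name, pattern):
            if proc in owners:
                return None
            return (pattern, f"{proc} read {name}")
    low = target.lower()
    for directory in COOKIE_DIRS:
        if directory in low and proc not in COOKIE_DIR_OWNERS:
            return ("ie/edge cookie store", f"{proc} read {name}")
    return None


def scan(events):
    """Run classify_event over a list of {'image','target'} records."""
    findings = []
    for event in events:
        hit = classify_event(event["image"], event["target"])
        if hit:
            findings.append((event["image"], event["target"], hit))
    return findings


# Constructed file-read events (not real telemetry).
STEALER = r"C:\Users\a\AppData\Local\Temp\WinNtBackend-1234.tmp.exe"
EVENTS = [
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\cookies.sqlite"},
    {"image": STEALER,
     "target": r"C:\Users\a\AppData\Roaming\Bitcoin\wallet.dat"},
    {"image": STEALER,
     "target": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": STEALER,
     "target": r"C:\Users\a\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\abc.txt"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\a\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, target, hit in scan(EVENTS):
        print(f"{hit[0]:<22} {hit[1]}  <- {target}")
```

The owner allow-list is deliberately small: a stealer that injects into or spawns the browser would pass it, so pair this with a parent-process check rather than treating the image name as proof of legitimacy.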
- Steam:
- ------
- SteamPath
- Software\Valve\Steam
- Steam
- Chats:
- -----
- %APPDATA%\Skype
- Pidgin
- Skype
- Mail:
- -----
- Outlook
- outlookDecrU
- FileZilla
- Browser hooks:
- -------------
- nss3.dll
- NSS_Init
- NSS_Shutdown
- InternetExplorer
- InternetExplorerLow
- InternetExplorerINetCache
- MicrosoftEdge_AC
- InternetExplorer
- MozillaFirefox
- GoogleChrome
- GoogleChrome64
- InternetMailRu
- YandexBrowser
- ComodoDragon
- Amigo
- Orbitum
- Bromium
- Chromium
- Nichrome
- RockMelt
- 360Browser
- Vivaldi
- Opera
- \Login Data
- \logins.json
- IS_G_PWDS:
- IS_G_BROWSERS:
- IS_G_COINS:
- IS_G_SKYPE:
- IS_G_STEAM:
- IS_G_DESKTOP:
- G_DESKTOP_EXTS:
- G_DESKTOP_MAXSIZE:
- DAE:
- SOFT:
- HOST:
- USER:
- PASS:
- UNKN:
- Email
- User
- Server
- Port
- Password
- User:
- Pass:
- Mail:
- Serv:
- Port:
- </account>
- <account>
- </Server>
- <Server>
- </Host>
- <Host>
- </Port>
- <Port>
- </User>
- <User>
- </Pass>
- <Pass>
- <Pass encoding="base64">
- HostName
- PortNumber
- UserName
- Password
- </a
- </jid>
- <jid type="QString">
- </password>
- <password type="QString">
- %Appdata%\Psi+\profiles\
- \*.*
- \accounts.xml
- %Appdata%\Psi\profiles\
- </account>
- <account>
- </name>
- <name>
- </password>
- <password>
- </protocol>
- <protocol>
- %APPDATA%\.purple\accounts.xml
- %TEMP%\tempbuffer.dat
- .tempcbss
- %TEMP%
- .txt
- main.db
- \main.db
- \ssfn*
- \Config\*.vdf
- \Config\
- vaultcli.dll
- VaultOpenVault
- VaultEnumerateItems
- VaultGetItem
- MicrosoftEdge
- Cannot Decrypt
- ie9-11
- Software\Microsoft\Internet Explorer
- Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- POP3
- IMAP
- SMTP
- HTTP
- Server
- Cannot Decrypt
- CryptUnprotectData
- crypt32.dll
- Comp(User) :
- [Programms]
- %userprofile%\desktop
- Desktop
- </pwds
- <coks
- </coks
- <list
- </list
- <file
- </file
- Other:
- -----
- x32
- x64
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
- ProductName
- MachineGuid
- SOFTWARE\Microsoft\Cryptography
- %TEMP%\WinNtBackend-
- .tmp
- .exe
- PATH
- \*.*
- CurrentVersion
- \Main
- Install Directory
- Path
- TConfig
- TSwdPwd
- TPwdArray
- GlobalVars
- GlobalVars
- AA6EEE0A-97B7-46FE-BD01-0FC54FD36163-ED03A8DD-6213-4535-8891-5D0A112A3F40
- TStringArray
- GLOBALFUNC
- Windows
- CheckTokenMembership
- advapi32.dll
- ShellExecuteW
- shell32.dll
- WTSGetActiveConsoleSessionId
- kernel32.dll
- WTSQueryUserToken
- wtsapi32.dll
- CreateEnvironmentBlock
- userenv.dll
- SVW3
- PK11_GetInternalKeySlot
- PK11_Authenticate
- PK11SDR_Decrypt
- PK11_FreeSlot
- ,"logins":[{
- timesUsed":
- ,"hostname":"
- ","
- encryptedUsername":"
- encryptedPassword":"
- .tmp
- %TEMP%
- \*.*
- {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
- {3CCD5499-87A8-4B10-A215-608888DD3B55}
- Version
- PVAULT_CRED8
- EdgePwds
- CLSIDFromString
- ole32.dll
- JUFQUERBVEElXGZpbGV6aWxsYVxyZWNlbnRzZXJ2ZXJzLnhtbA==
- </roster-cache>
- <roster-cache>
- PsiPlus
- Psi
- 1610149366
- JUxPQ0FMQVBQREFUQSVcR29vZ2xlXENocm9tZVxVc2VyIERhdGFc
- DisplayName
- DisplayVersion
- CPU Model:
- ProcessorNameString
- HARDWARE\DESCRIPTION\System\CentralProcessor\0
- /c timeout 1 & del "
- shell32.dll
- Software\Microsoft\Windows\CurrentVersion\Uninstall
- Software\Microsoft\Windows\CurrentVersion\Uninstall\
- CPU Count:
- GetRAM:
- GPU Info
- ========
- MachineID :
- EXE_PATH :
- DLL_PATH :
- Windows :
- 3C6CD5AB-3C41-4BE4-8A45-3AB5EDDCFC61
- 2FFD9CA6-360E-4D18-ABB8-A3DF730589AB
- exit
- BIN:
- SYSInfo.txt
- reportdata=<info
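Two of the strings in the Other block are plain base64: JUFQUERBVEElXGZpbGV6aWxsYVxyZWNlbnRzZXJ2ZXJzLnhtbA== decodes to %APPDATA%\filezilla\recentservers.xml and JUxPQ0FMQVBQREFUQSVcR29vZ2xlXENocm9tZVxVc2VyIERhdGFc to %LOCALAPPDATA%\Google\Chrome\User Data\. The script below is an added example, not part of the paste: it tries every token from a strings dump as base64, keeps only decodes that are printable ASCII and look like a Windows path, and reports which environment variable each path depends on. The candidate list holds the two strings from the dump plus two other tokens from the dump that must not decode.

```python
"""Recover base64-encoded Windows paths from a strings dump.

Added example. Decoding is accepted only when the result is printable
ASCII and contains a backslash or a %VAR% reference, which filters the
random-looking base64 blobs (keys, IDs) that a stealer also embeds.
"""
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def try_decode_path(token: str):
    """Return the decoded Windows path for a base64 token, or None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not all(c in PRINTABLE for c in text):
        return None
    if "\\" not in text and not ENV_REF.search(text):
        return None
    return text


def decode_paths(tokens):
    """Map each decodable token to (path, [env vars it references])."""
    out = {}
    for token in tokens:
        path = try_decode_path(token)
        if path is not None:
            out[token] = (path, ENV_REF.findall(path))
    return out


# Tokens copied from the dump; the last two are valid-looking but not paths.
STRINGS = [
    "JUFQUERBVEElXGZpbGV6aWxsYVxyZWNlbnRzZXJ2ZXJzLnhtbA==",
    "JUxPQ0FMQVBQREFUQSVcR29vZ2xlXENocm9tZVxVc2VyIERhdGFc",
    "bbYzla/ZHAchc9Wh8KBwFt8/Ijtx5N",
    "AA6EEE0A-97B7-46FE-BD01-0FC54FD36163",
]

if __name__ == "__main__":
    for token, (path, env_vars) in decode_paths(STRINGS).items():
        print(f"{token}\n  -> {path}  (needs {', '.join(env_vars)})")
```

Both decoded paths line up with the rest of the dump: the FileZilla path explains the <RecentServers> tags under the cookies block, and the Chrome profile directory is the parent of the \Web Data, \Cookies and \Login Data names the sample reads.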