2018-05-01-Hancitor

1. Sender: [email protected]
2. Subjects: U.S. Bank Alert, U.S. Bank Notification, U.S. Bank Notice, U.S. Bank Message
3.  
4. #Doc Download Domains:
5. actuneupca.com
6. chiropracticlibrary.com
7. clifmays.com
8. expressairparcel.com
9. gamification4you.com
10. ifewholehomefans.com
11. ifewholehousefan.com
12. ifewholehousefan.net
13. ifewholehousefans.com
14. ifewholehousefans.info
15. ifewholehousefans.net
16. interfaithelectricandsolar.co
17. interfaithelectricnsolar.co
18. lmperfumes.com
19. spinalrt.com
20. superiorcomfortprohvac.com
21. superiorhvacuniversity.com
22. triadhangout.com
23. triadpain.com
24. triadpaingroup.com
25.  
26. #Hancitor C2s
27. hxxp://supratparfa.com/4/forum.php
28. hxxp://losupsofof.ru/4/forum.php
29. hxxp://depeparand.ru/4/forum.php
30.  
31. #Hancitor payload links
32. hxxp://kdprvirtual.com/wp-content/plugins/duplicate-post/1
33. hxxp://animalhealthcenterinc.com/wp-content/plugins/post-expirator/1
34. hxxp://rogersonenterprises.com/blog/wp-content/plugins/jetpack/1
35. hxxp://militaryschools101.com/wp-content/plugins/nofollow-for-external-link/1
36. hxxp://bestwptricks.com/wp-content/plugins/polldaddy/1
37. hxxp://kdprvirtual.com/wp-content/plugins/duplicate-post/2
38. hxxp://animalhealthcenterinc.com/wp-content/plugins/post-expirator/2
39. hxxp://rogersonenterprises.com/blog/wp-content/plugins/jetpack/2
40. hxxp://militaryschools101.com/wp-content/plugins/nofollow-for-external-link/2
41. hxxp://bestwptricks.com/wp-content/plugins/polldaddy/2
42. hxxp://kdprvirtual.com/wp-content/plugins/duplicate-post/3
43. hxxp://animalhealthcenterinc.com/wp-content/plugins/post-expirator/3
44. hxxp://rogersonenterprises.com/blog/wp-content/plugins/jetpack/3
45. hxxp://militaryschools101.com/wp-content/plugins/nofollow-for-external-link/3
46. hxxp://bestwptricks.com/wp-content/plugins/polldaddy/3
47.  
48. #Pony C2s
49. hxxp://supratparfa.com/mlu/forum.php
50. hxxp://losupsofof.ru/mlu/forum.php
51. hxxp://depeparand.ru/mlu/forum.php
52.  
53. #Panda Config
54. t": "2.6.8",
55. "check_config": 327685,
56. "send_report": 655370,
57. "check_update": 1966110,
58. "url_config": "hxxps://bithetbuter.ru/1afhecysoduunselisoig.dat",
59. "url_webinjects": "hxxps://bithetbuter.ru/68webinjects.dat",
60. "url_update": "hxxps://bithetbuter.ru/1afhecysoduunselisoig.exe",
61. "url_plugin_webinject32": "hxxps://bithetbuter.ru/68webinject32.bin",
62. "url_plugin_webinject64": "hxxps://bithetbuter.ru/68webinject64.bin",
63. "remove_csp": 0,
64. "inject_vnc": 0,
65. "url_plugin_vnc32": "hxxps://bithetbuter.ru/68vnc32.bin",
66. "url_plugin_vnc64": "hxxps://bithetbuter.ru/68vnc64.bin",
67. "url_plugin_vnc_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
68. "url_plugin_backsocks": "hxxps://bithetbuter.ru/68backsocks.bin",
69. "url_plugin_backsocks_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
70. "url_plugin_grabber": "hxxps://bithetbuter.ru/68grabber.bin",
71. "grabber_pause": 2,
72. "grab_softlist": 1,
73. "grab_pass": 1,
74. "grab_form": 1,
75. "grab_cert": 1,
76. "grab_cookie": 1,
77. "grab_del_cookie": 0,
78. "grab_del_cache": 0,
79. "url_plugin_keylogger": "hxxps://bithetbuter.ru/68keylogger.bin",
80. "keylog_process": "cHV0dHkuZXhlAAA=",
81. "screen_process": "cHV0dHkuZXhlAAA=",
82. "reserved": "EHWYzK2iP0NgfKxV26oNNeKpEAkvVm8bNJ1SS4imvpKRB25bHco/HcGjwZSyA+OKKL0gGIXEqmWsYkZo7WuMQbSohRkv3P9TCkMJKzx9NL4D9gUNY+VQCBUX01ZU+zZp5E5h"