ExecuteMalware

2021-08-03 Hancitor IOCs

Aug 3rd, 2021
THREAT IDENTIFICATION: HANCITOR / FICKER STEALER / COBALT STRIKE

HANCITOR BUILD NUMBER
BUILD=0308_spnv5

SUBJECTS OBSERVED
You got invoice from DocuSign Electronic Service
You got invoice from DocuSign Electronic Signature Service
You got invoice from DocuSign Service
You got invoice from DocuSign Signature Service
You got notification from DocuSign Electronic Service
You got notification from DocuSign Electronic Signature Service
You got notification from DocuSign Service
You got notification from DocuSign Signature Service
You received invoice from DocuSign Electronic Service
You received invoice from DocuSign Electronic Signature Service
You received invoice from DocuSign Service
You received invoice from DocuSign Signature Service
You received notification from DocuSign Electronic Service
You received notification from DocuSign Electronic Signature Service
You received notification from DocuSign Service
You received notification from DocuSign Signature Service

SENDERS OBSERVED
a@DEAPA.COM
acidrli@DEAPA.COM
acp@DEAPA.COM
aduiwuc@DEAPA.COM
aedurry@DEAPA.COM
aguhm@DEAPA.COM
ahjacl@DEAPA.COM
aiumcau@DEAPA.COM
amaijo@DEAPA.COM
amoyi@DEAPA.COM
amuroms@DEAPA.COM
apa@DEAPA.COM
aphftye@DEAPA.COM
aquxuv@DEAPA.COM
asiskc@DEAPA.COM
asrud@DEAPA.COM
au@DEAPA.COM
auruyuf@DEAPA.COM
axwzu@DEAPA.COM
azbwede@DEAPA.COM
b@DEAPA.COM
baapmer@DEAPA.COM
baelcun@DEAPA.COM
beoaaky@DEAPA.COM
bepoodq@DEAPA.COM
beqdf@DEAPA.COM
bf@DEAPA.COM
bidy@DEAPA.COM
boeqyv@DEAPA.COM
bog@DEAPA.COM
bzaxo@DEAPA.COM
cacawuy@DEAPA.COM
caiiy@DEAPA.COM
cembl@DEAPA.COM
cepe@DEAPA.COM
ceuunjo@DEAPA.COM
ceyfwen@DEAPA.COM
cfyjytr@DEAPA.COM
cnikyza@DEAPA.COM
coee@DEAPA.COM
cotuagi@DEAPA.COM
cozuboz@DEAPA.COM
crevby@DEAPA.COM
ctaaxui@DEAPA.COM
cueuu@DEAPA.COM
d@DEAPA.COM
daqyooi@DEAPA.COM
darozf@DEAPA.COM
ddike@DEAPA.COM
dizwymh@DEAPA.COM
doazi@DEAPA.COM
dpu@DEAPA.COM
dux@DEAPA.COM
dyecob@DEAPA.COM
dyir@DEAPA.COM
dykwxi@DEAPA.COM
dyoia@DEAPA.COM
e@DEAPA.COM
ebbajes@DEAPA.COM
ec@DEAPA.COM
ediedxu@DEAPA.COM
ee@DEAPA.COM
eej@DEAPA.COM
eekzarr@DEAPA.COM
eezaq@DEAPA.COM
eikave@DEAPA.COM
ejk@DEAPA.COM
elbkyiz@DEAPA.COM
emituqy@DEAPA.COM
euujmyz@DEAPA.COM
evhuc@DEAPA.COM
evisiqj@DEAPA.COM
eyvuexi@DEAPA.COM
fceguc@DEAPA.COM
fchoy@DEAPA.COM
fdepyeo@DEAPA.COM
feimu@DEAPA.COM
felefao@DEAPA.COM
ferg@DEAPA.COM
ffujujt@DEAPA.COM
fgha@DEAPA.COM
fqojx@DEAPA.COM
fuaxfut@DEAPA.COM
fuub@DEAPA.COM
fwo@DEAPA.COM
fyaamez@DEAPA.COM
fyinqu@DEAPA.COM
fyyhu@DEAPA.COM
g@DEAPA.COM
gaf@DEAPA.COM
gakeo@DEAPA.COM
gbizb@DEAPA.COM
gecdhz@DEAPA.COM
gf@DEAPA.COM
gic@DEAPA.COM
givrbi@DEAPA.COM
gizuw@DEAPA.COM
gj@DEAPA.COM
gondowx@DEAPA.COM
gpeudiu@DEAPA.COM
gqoyq@DEAPA.COM
gtayuh@DEAPA.COM
gtojac@DEAPA.COM
gueiszo@DEAPA.COM
guhgdoi@DEAPA.COM
guoptl@DEAPA.COM
gwnidwo@DEAPA.COM
gyxylil@DEAPA.COM
h@DEAPA.COM
hjobkmk@DEAPA.COM
hleh@DEAPA.COM
huche@DEAPA.COM
huieker@DEAPA.COM
hwzys@DEAPA.COM
hyqtu@DEAPA.COM
i@DEAPA.COM
icio@DEAPA.COM
icuh@DEAPA.COM
iewep@DEAPA.COM
ifi@DEAPA.COM
ifu@DEAPA.COM
igki@DEAPA.COM
ihnilya@DEAPA.COM
ijhxolv@DEAPA.COM
ijikowe@DEAPA.COM
ikikyf@DEAPA.COM
il@DEAPA.COM
iludylo@DEAPA.COM
imsao@DEAPA.COM
iobkodi@DEAPA.COM
ioeyypu@DEAPA.COM
ioran@DEAPA.COM
iosazom@DEAPA.COM
ip@DEAPA.COM
ipsero@DEAPA.COM
iriho@DEAPA.COM
irmuve@DEAPA.COM
irxos@DEAPA.COM
ismqi@DEAPA.COM
ithiti@DEAPA.COM
iujxwey@DEAPA.COM
iviwybe@DEAPA.COM
iwaezil@DEAPA.COM
iwyaxn@DEAPA.COM
iyklrq@DEAPA.COM
izk@DEAPA.COM
j@DEAPA.COM
jae@DEAPA.COM
jesoaaf@DEAPA.COM
jifbata@DEAPA.COM
jikahuk@DEAPA.COM
jnnohui@DEAPA.COM
jof@DEAPA.COM
jpihdhh@DEAPA.COM
ju@DEAPA.COM
jumy@DEAPA.COM
juucnen@DEAPA.COM
jy@DEAPA.COM
k@DEAPA.COM
kage@DEAPA.COM
kakrw@DEAPA.COM
kb@DEAPA.COM
kdgwse@DEAPA.COM
kdoe@DEAPA.COM
keaqwzm@DEAPA.COM
kefawso@DEAPA.COM
kfgmwom@DEAPA.COM
kiii@DEAPA.COM
kimyeaw@DEAPA.COM
kyov@DEAPA.COM
kyuum@DEAPA.COM
kywuxd@DEAPA.COM
ladicz@DEAPA.COM
lakyfyy@DEAPA.COM
lau@DEAPA.COM
leoiuua@DEAPA.COM
leynue@DEAPA.COM
liupuak@DEAPA.COM
lpxay@DEAPA.COM
lunfsis@DEAPA.COM
luycne@DEAPA.COM
lyeqeao@DEAPA.COM
lyvoalo@DEAPA.COM
ma@DEAPA.COM
maaxeie@DEAPA.COM
mi@DEAPA.COM
miil@DEAPA.COM
minaede@DEAPA.COM
miwcm@DEAPA.COM
mpaoes@DEAPA.COM
mteasul@DEAPA.COM
my@DEAPA.COM
myateys@DEAPA.COM
myclu@DEAPA.COM
myryqs@DEAPA.COM
na@DEAPA.COM
nakowd@DEAPA.COM
nderjjq@DEAPA.COM
nekeffa@DEAPA.COM
nikuzxu@DEAPA.COM
niywuk@DEAPA.COM
nkxauna@DEAPA.COM
nojb@DEAPA.COM
nojniye@DEAPA.COM
nool@DEAPA.COM
noseuha@DEAPA.COM
ny@DEAPA.COM
nyb@DEAPA.COM
nyyqq@DEAPA.COM
o@DEAPA.COM
oa@DEAPA.COM
oboiyb@DEAPA.COM
obyha@DEAPA.COM
odiygfk@DEAPA.COM
ogo@DEAPA.COM
ohayjo@DEAPA.COM
oioqixa@DEAPA.COM
ojvejye@DEAPA.COM
olaagoh@DEAPA.COM
olsyrry@DEAPA.COM
ooqy@DEAPA.COM
opidaza@DEAPA.COM
oqegv@DEAPA.COM
oquloya@DEAPA.COM
oqyxhi@DEAPA.COM
osxkeaw@DEAPA.COM
oucdimy@DEAPA.COM
p@DEAPA.COM
pakaua@DEAPA.COM
pcgiv@DEAPA.COM
pebxo@DEAPA.COM
plotvly@DEAPA.COM
poeka@DEAPA.COM
pony@DEAPA.COM
poxuxrz@DEAPA.COM
pqakyma@DEAPA.COM
py@DEAPA.COM
pyhoz@DEAPA.COM
qa@DEAPA.COM
qao@DEAPA.COM
qbifvju@DEAPA.COM
qiisoka@DEAPA.COM
qj@DEAPA.COM
qmuar@DEAPA.COM
qoilxja@DEAPA.COM
qoj@DEAPA.COM
qov@DEAPA.COM
qwugann@DEAPA.COM
qyacib@DEAPA.COM
qyinays@DEAPA.COM
rabevb@DEAPA.COM
raeksal@DEAPA.COM
ramzm@DEAPA.COM
rcygdu@DEAPA.COM
rgynydo@DEAPA.COM
riiya@DEAPA.COM
rijem@DEAPA.COM
rlbogow@DEAPA.COM
rrybyah@DEAPA.COM
ruo@DEAPA.COM
s@DEAPA.COM
sazdysl@DEAPA.COM
sbeppyj@DEAPA.COM
seaznz@DEAPA.COM
sixunax@DEAPA.COM
skyziod@DEAPA.COM
souynrs@DEAPA.COM
sulfko@DEAPA.COM
sydivay@DEAPA.COM
szynone@DEAPA.COM
t@DEAPA.COM
tavyiw@DEAPA.COM
taw@DEAPA.COM
teymu@DEAPA.COM
tez@DEAPA.COM
tfolu@DEAPA.COM
tieisi@DEAPA.COM
tquy@DEAPA.COM
trypz@DEAPA.COM
ttunyow@DEAPA.COM
tugwxox@DEAPA.COM
tunao@DEAPA.COM
tupadny@DEAPA.COM
tv@DEAPA.COM
typeji@DEAPA.COM
tz@DEAPA.COM
uberov@DEAPA.COM
udaijt@DEAPA.COM
udex@DEAPA.COM
ueix@DEAPA.COM
ufuiylo@DEAPA.COM
ufutog@DEAPA.COM
ufwmaeu@DEAPA.COM
uidqi@DEAPA.COM
uliesym@DEAPA.COM
umidafe@DEAPA.COM
umueqy@DEAPA.COM
uobfaa@DEAPA.COM
uohen@DEAPA.COM
uubevfe@DEAPA.COM
uur@DEAPA.COM
uweyzaw@DEAPA.COM
uzocam@DEAPA.COM
v@DEAPA.COM
vabitme@DEAPA.COM
vaezpia@DEAPA.COM
vdilb@DEAPA.COM
vdu@DEAPA.COM
vekujeu@DEAPA.COM
veu@DEAPA.COM
vhovqek@DEAPA.COM
vidyaee@DEAPA.COM
vkysia@DEAPA.COM
vme@DEAPA.COM
vmxvfi@DEAPA.COM
votic@DEAPA.COM
vudiyxy@DEAPA.COM
vuijohf@DEAPA.COM
vwbkd@DEAPA.COM
vwkee@DEAPA.COM
vy@DEAPA.COM
vyabyne@DEAPA.COM
vzaae@DEAPA.COM
waui@DEAPA.COM
weyjb@DEAPA.COM
wfixcko@DEAPA.COM
wfyxcu@DEAPA.COM
wixeweg@DEAPA.COM
wjizcu@DEAPA.COM
wle@DEAPA.COM
wobbjyx@DEAPA.COM
wveqiqe@DEAPA.COM
x@DEAPA.COM
xacok@DEAPA.COM
xaizgut@DEAPA.COM
xe@DEAPA.COM
xixivec@DEAPA.COM
xkw@DEAPA.COM
xmzre@DEAPA.COM
xqumi@DEAPA.COM
xxebedo@DEAPA.COM
xybe@DEAPA.COM
y@DEAPA.COM
yaxuce@DEAPA.COM
ycijne@DEAPA.COM
yglawou@DEAPA.COM
yiz@DEAPA.COM
yleua@DEAPA.COM
ylyu@DEAPA.COM
yrekun@DEAPA.COM
ysav@DEAPA.COM
ysifj@DEAPA.COM
ysoszax@DEAPA.COM
yuhjhu@DEAPA.COM
yumosin@DEAPA.COM
yyixvo@DEAPA.COM
zeuacom@DEAPA.COM
ziwzol@DEAPA.COM
zkebigr@DEAPA.COM
znuli@DEAPA.COM
zokley@DEAPA.COM
ztqelai@DEAPA.COM
zuaj@DEAPA.COM
zuizafv@DEAPA.COM
zur@DEAPA.COM
zuygisf@DEAPA.COM

MALDOC PROXY DISTRIBUTION URLS
feedproxy.google.com/~r/llyvx/~3/1HPbx2QTN34/big.php
feedproxy.google.com/~r/pnuihnlrne/~3/fFNPamI_rn4/stillbirth.php
feedproxy.google.com/~r/tulwjeay/~3/rMQGXOVy-3U/quizzicalness.php
feedproxy.google.com/~r/gepgyjncs/~3/WgltbaxkTK0/dame.php
feedproxy.google.com/~r/cglvzs/~3/14in7hXkVpk/lombardic.php
feedproxy.google.com/~r/jnkdl/~3/c0JU-e5KhfU/teachable.php
feedproxy.google.com/~r/obqzuacvxdu/~3/YjNhfl62jyM/unlabelled.php
feedproxy.google.com/~r/yjpfbsue/~3/EsChJZogZGs/tractability.php
feedproxy.google.com/~r/pccktuvx/~3/B6ffek3xi84/unsophisticated.php
feedproxy.google.com/~r/mnqwvrz/~3/NeQSL1PG4cw/hitherto.php
feedproxy.google.com/~r/hkqsdntbyym/~3/ATRcrg7bF64/transistor.php

MALDOC REDIRECT DOWNLOAD URLS
https://bridgeroad.maverickpreviews.com/quizzicalness.php
https://demo.sms.uproducts.in/lombardic.php
https://nicelyeg.com/stillbirth.php
https://thiagoribeirokungfu.com/hitherto.php
https://www.cutting-edge.in/unlabelled.php
https://www.mimejorprecioford.com/transistor.php

cutting-edge.in
maverickpreviews.com
mimejorprecioford.com
nicelyeg.com
thiagoribeirokungfu.com
uproducts.in

MALDOC FILE HASHES
16885d6a4357b2589c61fbc9a2c725a2
1b64dc1f33508390eedf55d1c7df9a8b
32900dbc203bf7aa955788b7c7749955
52ee14e0cb8aebde975c3b269494fc37
9d056cda0c3873efb5ac0f56c3028ab1

HANCITOR PAYLOAD FILE HASH
ier.dll
d7c87a735968d424d5c0aa2794d23657

HANCITOR C2
http://arviskeist.ru/8/forum.php
http://priekornat.com/8/forum.php
http://stionsomi.ru/8/forum.php

FICKER STEALER DOWNLOAD URL
http://fiom65pre.ru/7sdjhui32sof.exe

FICKER STEALER FILE HASH
7sdjhui32sof.exe
270c3859591599642bd15167765246e3

FICKER STEALER C2
http://pospvisis.com

COBALT STRIKE STAGER DOWNLOAD URLS
http://fiom65pre.ru/0308.bin
http://fiom65pre.ru/0308s.bin

COBALT STRIKE STAGER FILE HASHES
0308.bin
3a70e1933703eec9d17e92328d558854

0308s.bin
6ebc14bf77c7f58d680b13af884fee23

COBALT STRIKE BEACON DOWNLOAD URL
http://45.176.188.217/Kbv9
https://45.176.188.217/YcPP

COBALT STRIKE BEACON FILE HASH
Kbv9
017c19c9ef76a8ce0f89468dc7cc57d5

YcPP
c756344c9374efac7a35c8345388346f

COBALT STRIKE C2
http://45.176.188.217/g.pixel
https://45.176.188.217/updates.rss

COBALT STRIKE POST URI
http://45.176.188.217/submit.php?id=483523938

COBALT STRIKE BEACON CONFIGS (from Didier Stevens' 1768 tool)
Kbv9 Beacon Config
36b4cd2e4e9bae12205a95c26170bf908105ad7fa4bbccfa798632261bed9870f975f20794e1fe499523d71f08a56cae0315bfde3d6c8a16386b03b7a6551aa1336d50325a3500db27d78ad8fd13b6a73b9fb7c3fb4d7a088e323f07618656ecd83595fa5f823613020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri 0x0003 0x0100 '45.176.188.217,/g.pixel'
0x0043 0x0001 0x0002 0
0x0044 0x0002 0x0004 4294967295
0x0045 0x0002 0x0004 4294967295
0x0046 0x0002 0x0004 4294967295
0x000e SpawnTo 0x0003 0x0010 (NULL ...)
0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 'GET'
0x001b post-verb 0x0003 0x0010 'POST'
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 0
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x000d http_post_header 0x0003 0x0200
b'&Content-Type: application/octet-stream'
b'id'
0x0036 HostHeader 0x0003 0x0080 (NULL ...)
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 '\x00\x04'
0x0039 0x0003 0x0080 '\x00\x04'
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc 0x0002 0x0004 0
0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000

YcPP Beacon Config
File: YcPP
xorkey(chain): 0x54811670
length: 0x00033400
payloadType: 0x10014fc2
payloadSize: 0x00000000
intxorkey: 0x00000000
id2: 0x00000000
Config found: xorkey b'.' 0x00030220 0x00033400
0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https
0x0002 port 0x0001 0x0002 443
0x0003 sleeptime 0x0002 0x0004 60000
0x0004 maxgetsize 0x0002 0x0004 1048576
0x0005 jitter 0x0001 0x0002 0
0x0007 publickey 0x0003 0x0100 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
0x0008 server,get-uri 0x0003 0x0100 '45.176.188.217,/updates.rss'
0x0043 0x0001 0x0002 0
0x0044 0x0002 0x0004 4294967295
0x0045 0x0002 0x0004 4294967295
0x0046 0x0002 0x0004 4294967295
0x000e SpawnTo 0x0003 0x0010 (NULL ...)
0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 'GET'
0x001b post-verb 0x0003 0x0010 'POST'
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 0
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MANM; MANM)'
0x000a post-uri 0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
0x000c http_get_header 0x0003 0x0200
b'Cookie'
0x000d http_post_header 0x0003 0x0200
b'&Content-Type: application/octet-stream'
b'id'
0x0036 HostHeader 0x0003 0x0080 (NULL ...)
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 '\x00\x04'
0x0039 0x0003 0x0080 '\x00\x04'
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc 0x0002 0x0004 0
0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub 0x0003 0x0010 '2ÍAíð\x81\x0c[_I\x8eßG1Ìm'
0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000