- original hash: 878fce0c5cc666c7d242a6f23c34924f23884b89c2b687f463432a6f563d676c
- extracted hash: f687a654bd592a0b53034942cb1eca9291888a85153b4217b772f269e90198c9
- IPs
- other bits
- action=module&bot_id=
- action=command&bot_id=
- action=result&command_id=
- &command_result=
- &module_action=BrowserModule
- &module_action=KeyLoggerModule
- &module_action=ComplexModule
- &module_action=BTCModule
- &module_action=OutlookModule
- url.php?token=
- StartSpamEmail
- spam
- subject
- StartKeylogger
- KeyLogger started
- KeyLogger already works
- StopKeylogger
- yara rule:
rule PsiX_bin
{
    meta:
        author = "James_inthe_box"
        date = "2018/08"
        maltype = "PsiX"
    strings:
        $var1 = "action=module&bot_id=" wide
        $var2 = "&module_action=" wide
        $var3 = "Keylogger" nocase
    condition:
        // MZ header at offset 0, all three strings present, file under 800KB
        uint16(0) == 0x5A4D and all of ($var*) and filesize < 800KB
}

rule PsiX_mem
{
    meta:
        author = "James_inthe_box"
        date = "2018/08"
        maltype = "PsiX"
    strings:
        $var1 = "action=module&bot_id=" wide
        $var2 = "&module_action=" wide
        $var3 = "Keylogger" nocase
    condition:
        // No MZ header check; all three strings present, file over 800KB
        all of ($var*) and filesize > 800KB
}