ring0x0

2018-07-31 Hancitor/Panda

Sender: irs@aubodyshop.com
Subjects: IRS Notification, Internal Revenue Service, IRS Notice to the Taxpayer, IRS Taxpayer Notice, IRS Taxpayer Notification, Internal Revenue Service Taxpayer Notice, IRS Notice of intent to levy, IRS Final Notice, Internal Revenue Service Important Notification

#Word doc loader domains
cliptrips.org
greatharvestfranchising.com
destinationvasectomy.net
greatharvestbreadco.info
greatharvestbread.info
destinationvasectomy.info
greatharvestbirmingham.com
greatharvest.info
govdelivery.co
marychurchphotography.net
racheldessinphotography.net
racheldessinphotography.com
richlandbrewingco.com
marychurchphotography.co
great-harvest.us
great-harvest.biz

#Hancitor C2s
fortryhowpar.com/4/forum.php
terabsedsand.ru/4/forum.php
widingwild.ru/4/forum.php

#Hancitor payload URLs
{l:
hxxp://uptowndermatologyandaesthetics.com/wp-content/plugins/header-footer/lib/easytabs/1
hxxp://powerplaygenerators.com/wp-content/plugins/et-shortcodes/1
hxxp://newswriting.com/wp-content/plugins/disable-comments/includes/1
hxxp://www.geriatricdementiaconsulting.com/wp-content/plugins/gravityforms/includes/1
hxxp://vermontlinestriping.com/wp-content/plugins/wp-super-cache/1
}

{b:
hxxp://uptowndermatologyandaesthetics.com/wp-content/plugins/header-footer/lib/easytabs/2
hxxp://powerplaygenerators.com/wp-content/plugins/et-shortcodes/2
hxxp://newswriting.com/wp-content/plugins/disable-comments/includes/2
hxxp://www.geriatricdementiaconsulting.com/wp-content/plugins/gravityforms/includes/2
hxxp://vermontlinestriping.com/wp-content/plugins/wp-super-cache/2
}

{r:
hxxp://uptowndermatologyandaesthetics.com/wp-content/plugins/header-footer/lib/easytabs/3
hxxp://powerplaygenerators.com/wp-content/plugins/et-shortcodes/3
hxxp://newswriting.com/wp-content/plugins/disable-comments/includes/3
hxxp://www.geriatricdementiaconsulting.com/wp-content/plugins/gravityforms/includes/3
hxxp://vermontlinestriping.com/wp-content/plugins/wp-super-cache/3
}

#Panda C2
nauseorofte.ru

#Panda Config
t": "2.6.10",
"check_config": 327685,
"send_report": 655370,
"check_update": 1966110,
"url_config": "https://nauseorofte.ru/1ifmuybbolakuotegepma.dat",
"url_webinjects": "https://nauseorofte.ru/610webinjects.dat",
"url_update": "https://nauseorofte.ru/1ifmuybbolakuotegepma.exe",
"url_plugin_webinject32": "https://nauseorofte.ru/610webinject32.bin",
"url_plugin_webinject64": "https://nauseorofte.ru/610webinject64.bin",
"remove_csp": 0,
"inject_vnc": 0,
"url_plugin_vnc32": "https://nauseorofte.ru/610vnc32.bin",
"url_plugin_vnc64": "https://nauseorofte.ru/610vnc64.bin",
"url_plugin_vnc_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
"url_plugin_backsocks": "https://nauseorofte.ru/610backsocks.bin",
"url_plugin_backsocks_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
"url_plugin_grabber": "https://nauseorofte.ru/610grabber.bin",
"grabber_pause": 2,
"grab_softlist": 1,
"grab_pass": 1,
"grab_form": 1,
"grab_cert": 1,
"grab_cookie": 1,
"grab_del_cookie": 0,
"grab_del_cache": 0,
"url_plugin_keylogger": "https://nauseorofte.ru/610keylogger.bin",
"keylog_process": "cHV0dHkuZXhlAAA=",
"screen_process": "cHV0dHkuZXhlAAA=",
"reserved": "EHWYzK2iP0NmeKxDwa0DPfOuV0QjVC0GY4BCSoGmr5mPGXJMBt07AMq1yJ7+Sea