Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- h/t https://twitter.com/James_inthe_box/status/1074688667858259968
- Hancitor
- -> Gozi ISFB v2
- Hancitor Payload Domains:
- // l -> Download and execute .EXE in separate thread (arg=1)
- {l:http://mail.porterranchpetnanny.com/wp-includes/1|http://rescuereinvented.org/wp-content/plugins/woocommerce/1|http://synergify.com/wp-content/themes/ward/1}
- // b -> Download and inject code into svchost.exe
- {b:http://mail.porterranchpetnanny.com/wp-includes/2|http://rescuereinvented.org/wp-content/plugins/woocommerce/2|http://synergify.com/wp-content/themes/ward/2}
- // r -> Download and execute .DLL or .EXE
- {r:http://mail.porterranchpetnanny.com/wp-includes/3|http://rescuereinvented.org/wp-content/plugins/woocommerce/3|http://synergify.com/wp-content/themes/ward/3}
- MD5 (2018-12-18.isfbv217.loader.packed.vk.exe) = b1b342d6b895840e5118e5a346333e5f
- Bot ['2.17']
- Build ['050']
- Botnet/Group ID ['2000']
- DGA TLDs ['com', 'ru', 'org']
- Server [’550’]
- Encryption key ['Gwe9HMygngWe8kPK']
- DGA CRC ['0x4eb7d2ca']
- DGA Base URL ['constitution.org/usdeclar.txt']
- Domains: ['api2.doter.at/webstore', 'beetfeetlife.bit/webstore', 'in.extermas.at/webstore', 'sx.zaronif.at/webstore', 'g2.ex100p.at/webstore', 'gif.doter.at/webstore', 'extra.avareg.cn/webstore', 'foo.avaregio.at/webstore', 'op.iovbased.at/webstore', 'ws.doter.at/webstore', 'f1.cnboal.at/webstore', 'xxx.doolap.at/webstore', '51.255.48.78', '192.71.245.208', '178.17.170.179', '193.183.98.66', '207.148.83.241', '111.67.20.8', '103.236.162.119', '142.4.205.47', '213.136.85.253', '159.89.249.249', '82.196.9.45']
- Path: ['/images/']
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement