2018-05-02-Hancitor

1. Sender: [email protected]
2. Subjects: Your Verizon Wireless invoice, Here is your Verizon Wireless bill, Your mobile bill, Here is your mobile invoice, Here is your Verizon Wireless invoice, Here is your Verizon cellular bill, Your Verizon cellular invoice, Here is your Verizon cellular invoice, Your Verizon cellular bill
3.  
4. #Doc Download Domains:
5. countywidememorials.com
6. ryanandrie.me
7. kwrn1550am.com
8. countywidemonuments.com
9. youngsvillehousevalues.com
10. sleeplavish.com
11. prescriptionerrorlawyer.com
12. solutionsforsanjose.info
13. solutionsforsanjose.net
14. sawgrasspark.com
15. youngsvilleproperties.com
16.  
17. #Hancitor C2
18. hxxp://hemfeketro.com/4/forum.php
19. hxxp://gejohntorsar.ru/4/forum.php
20. hxxp://tonstinnotna.ru/4/forum.php
21.  
22. #Hancitor Payload Links
23. hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/1
24. hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/1
25. hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/1
26. hxxp://mattbennett.ca/wp-content/themes/spark/inc/1
27. hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/1
28.  
29. hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/2
30. hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/2
31. hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/2
32. hxxp://mattbennett.ca/wp-content/themes/spark/inc/2
33. hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/2
34.  
35. hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/3
36. hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/3
37. hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/3
38. hxxp://mattbennett.ca/wp-content/themes/spark/inc/3
39. hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/3
40.  
41. #Pony C2
42. hxxp://hemfeketro.com/mlu/forum.php
43. hxxp://gejohntorsar.ru/mlu/forum.php
44. hxxp://tonstinnotna.ru/mlu/forum.php
45.  
46. #Panda Config
47. t": "2.6.8",
48. "check_config": 327685,
49. "send_report": 655370,
50. "check_update": 1966110,
51. "url_config": "https://robwassotdint.ru/1kewoimzatybewoliowof.dat",
52. "url_webinjects": "https://robwassotdint.ru/68webinjects.dat",
53. "url_update": "https://robwassotdint.ru/1kewoimzatybewoliowof.exe",
54. "url_plugin_webinject32": "https://robwassotdint.ru/68webinject32.bin",
55. "url_plugin_webinject64": "https://robwassotdint.ru/68webinject64.bin",
56. "remove_csp": 0,
57. "inject_vnc": 0,
58. "url_plugin_vnc32": "https://robwassotdint.ru/68vnc32.bin",
59. "url_plugin_vnc64": "https://robwassotdint.ru/68vnc64.bin",
60. "url_plugin_vnc_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
61. "url_plugin_backsocks": "https://robwassotdint.ru/68backsocks.bin",
62. "url_plugin_backsocks_backserver": "Z2KvEWWIVjHCjeytKlg4Ls8=",
63. "url_plugin_grabber": "https://robwassotdint.ru/68grabber.bin",
64. "grabber_pause": 2,
65. "grab_softlist": 1,
66. "grab_pass": 1,
67. "grab_form": 1,
68. "grab_cert": 1,
69. "grab_cookie": 1,
70. "grab_del_cookie": 0,
71. "grab_del_cache": 0,
72. "url_plugin_keylogger": "https://robwassotdint.ru/68keylogger.bin",
73. "keylog_process": "cHV0dHkuZXhlAAA=",
74. "screen_process": "cHV0dHkuZXhlAAA=",
75. "reserved": "EHWYzK2iP0NudL9QxrsRIfKqEAkvVm8bPoNaVoe6sIaDCm5FCsU7HMa/0JKyA+OKKL0gGIXEqmWsckB+8m+LUK6ohAJv2qQOTBRVPiJ9P7sN8BMNbfRQFgMayV1dpjMm9C8V7gI="
76. }