RESEARCH: Panda Banker Trojan Targets the US, Canada and Japan

Panda Banker is a banking trojan which uses a variant of the Zeus source code. First discovered in 2016 [1], this threat remains active and recently received numerous updates.


Panda Banker injects malicious script code into a target’s web page on the victim’s browser by using man-in-the-browser techniques. The injected code grabs bank account, credit card, and personal information.

Panda Banker has recently been delivered via Emotet [2, 3, 4]. Panda Banker takes several steps to hide its behavior. Heavy code obfuscation and multi-encryption layering make it difficult to dissect this malware’s C2 communication and malicious scripting.

Panda Banker primarily targets victims in the United States, Canada, and Japan. The malware focuses on bank account, credit card, and web wallet information. The following is a technical overview detailing what our threat research team uncovered.

Technical Analysis

Overview

Panda Banker has a sophisticated attack cycle (Figure 1). It begins by checking the victim’s environment to determine if it is in a sandbox. Next it creates a copy of itself and tags the copy with an extended file attribute. The original process then launches the newly created copy and exits. The new copy creates two svchost.exe processes, then injects itself into them.

Panda Banker gets the C2 URL from configuration data embedded in its payload. It also communicates with the C2 server to obtain additional configuration information. If it finds the process name of a known web browser, it injects a plugin DLL into that web browser to intercept traffic.

Panda Banker waits for the infected browser to visit a target web site (such as a bank or credit card company). When a target site is visited the malware injects a target-specific grabber script to steal bank account, credit card, and personal information:

Figure 1: Panda Banker attack cycle

Evasion

Panda Banker checks the victim’s environment to evade sandbox and manual analysis (Table 1). It looks for packet capture programs, debuggers, disassemblers, and other useful tools for malware analysis. If it discovers these tools in the environment it will exit and delete the payload file:

Table 1: Strings Panda Banker checks for evasion

Action               Target
Open File            C:\popupkiller.exe
                     C:\stimulator.exe
                     C:\TOOLS\execute.exe
                     \\.\NPF_NdisWanIp
                     \\.\REGVXG
                     \\.\FILEVXG
                     \\.\REGSYS
                     \\.\FILEM
                     \\.\TRW
Load Library         SbieDLL.dll
Create Mutex         Sandboxie_SingleInstanceMutex_Control
                     Frz_State
Find Process Name    Wireshark
                     Immunity
                     Processhacker
                     Procexp
                     Procmon
                     Idaq
                     regshot
                     aut2exe
                     perl
                     python
Open Registry        HKCU\Software\WINE
                     HKLM\Software\WINE
Call GetProcAddress  wine_get_unix_file_name

Once Panda Banker passes the environment check it creates four new files. One file is a copy of Panda Banker. In this case, blocklist.exe is the payload (Figure 2):

Figure 2: Four files were created by Panda Banker

Panda Banker assigns an extended file attribute to the malware copy through the NtSetEaFile API. In this example the EaName is BEAR (Figure 3). The original payload exits after launching the copied one. Once Panda Banker finds “BEAR” in its own extended file attributes, it creates two svchost.exe processes and injects itself into them:

Figure 3: EaName of extended file attribute assigned by Panda Banker

Configuration Data in Payload

Panda Banker’s payload contains configuration data which includes URLs to C2 servers and a public key. The configuration data is encrypted by an AES algorithm. The structure of its encrypted configuration data is detailed below (Figure 4):

Figure 4: Structure of the encrypted configuration data embedded in Panda Banker’s payload

Once decrypted, two critical items appear (Figure 5 and Figure 6): C2 URLs encrypted by RC4 and an RSA public key formatted as an X.509 SubjectPublicKeyInfo DER SEQUENCE.

The URLs are decrypted with RC4, using the embedded RSA public key as the RC4 key. In this case, the bytes 66 c7 5b 69 f4 5a 4e 12 decrypt to https://:

Figure 5: C2 URLs encrypted by RC4

Figure 6: RSA public key

URL Generation Algorithm

Panda Banker generates a new URL each time it accesses the C2 server (Figure 7). Generated URLs look like random strings, but they follow an algorithm:

Figure 7: An example of a generated URL

Panda Banker uses the Mersenne Twister algorithm to obtain random values. The entire URL algorithm is described below. Steps 1-5 produce the 1st part, steps 6-10 the 2nd part, and step 11 assembles the URL.

  1. Determine the length of the 1st part with the formula mod(A random value from Mersenne Twister, 9) + 2. The result is between 2 and 10.
  2. Get a random index value with the formula mod(A random value from Mersenne Twister, 62). The result is between 0 and 61.
  3. Pick an alphanumeric character from a pre-defined string, using the result of step 2 as the index. For example, with the pre-defined string qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890, an index value of 1 selects ‘w’.
  4. Append the result of step 3 to the 1st part of the URL.
  5. Repeat steps 2 through 4 the number of times determined by the result of step 1.
  6. Obtain four values:
    1. The computer name, through the GetComputerNameW API
    2. InstallDate from HKLM\software\microsoft\windows nt\currentversion
    3. DigitalProductId from HKLM\software\microsoft\windows nt\currentversion, reduced to its CRC value
    4. The OSVERSIONINFOEX structure returned by the GetVersionEx API, reduced to its CRC value
  7. Pack the results of step 6 and calculate the SHA256 value.
  8. Take the first 16 bytes of the result of step 7.
  9. XOR the results of steps 4 and 8 (the 1st part and the 16 bytes) according to this pseudo code:

    resultlist = []
    for i in range(0, 16):
        xoredvalue = first_16_bytes_from_step_8[i] ^ first_part[i % len(first_part)]
        resultlist.append(xoredvalue)

  10. Encode resultlist with base64 and replace ‘+’, ‘/’, and ‘=’ as listed below. Afterward, Panda Banker calculates mod(A random value from Mersenne Twister, 100); if the value is less than 20 (< 20), it appends ‘/’ to the end of the 2nd part.
    1. ‘+’ -> ‘-’ (hyphen)
    2. ‘/’ -> ‘_’ (underscore)
    3. ‘=’ -> ‘’ (nothing)
  11. Concatenate the C2 domain, 1st part, and 2nd part:
    C2 domain/1st part/2nd part
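The whole algorithm, as an added example that is not code from the report: the generation side reproduces steps 1-11 from a host fingerprint, and recover_fingerprint inverts steps 9-10 so that paths seen in proxy logs can be checked against the expected shape and clustered by infected host. The function names, the packing layout and CRC32 in host_fingerprint, and the generator seeding are assumptions, since the report specifies none of them.

```python
import base64
import hashlib
import random
import re
import struct
import zlib

# Pre-defined alphabet from step 3 of the report.
ALPHABET = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"

# Shape of a generated path: 1st part is 2-10 alphabet characters, 2nd part
# is 16 bytes as unpadded base64url (22 characters), optionally followed by '/'.
PATH_RE = re.compile(r"^/?([A-Za-z0-9]{2,10})/([A-Za-z0-9_-]{22})/?$")


def host_fingerprint(computer_name, install_date, digital_product_id, os_version_info):
    """Steps 6-8: pack the four host values, SHA256 them, keep the first 16 bytes.

    Assumption: the report gives neither the packing layout nor the CRC variant,
    so this uses UTF-16LE for the name, little-endian DWORDs and CRC32.
    """
    packed = (computer_name.encode("utf-16-le")
              + struct.pack("<I", install_date)
              + struct.pack("<I", zlib.crc32(digital_product_id))
              + struct.pack("<I", zlib.crc32(os_version_info)))
    return hashlib.sha256(packed).digest()[:16]


def first_part(rng):
    """Steps 1-5: 2-10 characters selected by raw Mersenne Twister outputs."""
    length = rng.getrandbits(32) % 9 + 2
    return "".join(ALPHABET[rng.getrandbits(32) % 62] for _ in range(length))


def second_part(part1, fingerprint, rng):
    """Steps 9-10: XOR the fingerprint with the 1st part, then base64url it."""
    xored = bytes(fingerprint[i] ^ ord(part1[i % len(part1)]) for i in range(16))
    encoded = base64.b64encode(xored).decode("ascii")
    encoded = encoded.replace("+", "-").replace("/", "_").replace("=", "")
    if rng.getrandbits(32) % 100 < 20:
        encoded += "/"
    return encoded


def generate_path(fingerprint, seed):
    """Step 11 without the domain: '1st part/2nd part'.

    random.Random is MT19937, so getrandbits(32) returns one Mersenne Twister
    output per call. The seed is illustrative (assumption): the report does not
    describe how the malware seeds its generator.
    """
    rng = random.Random(seed)
    p1 = first_part(rng)
    return p1 + "/" + second_part(p1, fingerprint, rng)


def recover_fingerprint(path):
    """Invert steps 9-10 for a path seen in proxy logs.

    Returns the 16-byte host fingerprint, or None if the path does not have the
    Panda Banker shape. Every request from one infected host decodes to the
    same value whatever its random 1st part, which clusters entries by host.
    """
    m = PATH_RE.match(path)
    if m is None:
        return None
    p1, p2 = m.group(1), m.group(2)
    raw = base64.urlsafe_b64decode(p2 + "==")
    return bytes(raw[i] ^ ord(p1[i % len(p1)]) for i in range(16))


if __name__ == "__main__":
    # Constructed host values; not taken from a real infection.
    fp = host_fingerprint("DESKTOP-EXAMPLE", 1514764800, b"product-id", b"osinfo")
    for seed in range(3):
        path = generate_path(fp, seed)
        print(path, recover_fingerprint(path) == fp)
```

Because the 2nd part is deterministic per host, two log entries whose paths decode to the same fingerprint come from the same victim even though their 1st parts differ.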

C2 Communication

Request

An example of Panda Banker’s POST request parameter can be seen in Figure 8. It is encrypted with AES-256 in CBC mode using a 32-byte key and a 16-byte IV. The “process” line shows Panda Banker injected into svchost.exe. The “name” value is preconfigured in Panda Banker’s payload. The malware also receives configuration data from the C2 server if other files are necessary:

Figure 8: Plain POST parameter example

Per POST request, Panda Banker creates a 32-byte key and a 16-byte IV for AES encryption. The generated AES key is encrypted by the RSA key in Figure 6. Next, the AES key encrypted by RSA, the 16-byte AES IV, and the AES encrypted POST parameter are packed. Panda Banker then calculates a SHA256 value from the 1st part and 2nd part of the generated URL and the packed contents (Figure 9). Lastly, everything is encoded by base64:

Figure 9: Binary data of POST body

Response from C2 Server

Panda Banker’s C2 server sends multi-encrypted binary data to the victim. Decryption steps are detailed below.

First layer

Response data from the C2 server is encoded by base64. Once it is decoded, the binary format is revealed as seen in Figure 10. The SHA256 value in the binary data is used for the integrity check. To decrypt the AES encrypted data, Panda Banker reuses the AES key from the POST request:

Figure 10: Binary response data from C2 server

When decrypted, JSON data is revealed, see Figure 11:

Figure 11: Decrypted first layer

Second layer

Once the “data” in Figure 11 is decoded, another binary format appears (see Figure 4). After decryption, more JSON data is revealed as seen in Figure 12:

Figure 12: Decrypted second layer

The decoded “sign” value is used for an integrity check. Panda Banker has an RSA public key it can use to check the integrity of the decoded “data” value. If the calculated signature and the signature from the JSON value do not match, the decoded “data” value is ignored.

The decrypted “data” are encoded by base64 and contain one of two things:

  • Configuration data or web injection data
  • PE32 (or PE32++) executable file

In the first case the decoded binary format is the same as shown in Figure 4. Once it is decrypted we discover a configuration file or web injection data. In the second case, the decoded data is a PE executable file (dynamic link library).

Configuration from C2 Server

Actual C2 configuration data can be seen in Figure 13. It includes URLs which deliver several plugins such as: url_plugin_webinject32, url_plugin_webinject64, url_plugin_vnc32, url_plugin_vnc64, url_plugin_backsocks, url_plugin_grabber, and url_plugin_keylogger.

Also, it shows the current setting of VNC injection (inject_vnc), grabbing data (grab_pass, grab_cookie, etc.), and logging process name (keylog_process and screen_process). In this example, the process name performing key logging and screen monitoring is putty.exe:

Figure 13: Configuration data from C2 server

Web Injection Method

Panda Banker intercepts a browser’s web traffic through API hooking. It injects malicious scripts into a target web page on the victim’s web browser. It also impairs web browser security by removing the Content Security Policy header.

The url_plugin_webinject32 plugin is designed for web injection. According to our analysis, it hooks some APIs used by iexplore.exe, microsoftedge.exe, microsoftedgecp.exe, firefox.exe, chrome.exe, and opera.exe. Once the browser visits a URL listed in the url_webinjects data from the C2 configuration, the plugin injects the appropriate script into the web page in the browser.

Some example API hooks are listed below:

API Hooks affecting MS browsers

  • HttpSendRequestW
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestExA
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetQueryDataAvailable
  • InternetCloseHandle
  • HttpOpenRequestA
  • HttpOpenRequestW
  • HttpQueryInfoA
  • InternetConnectA
  • InternetConnectW
  • InternetWriteFile

API Hooks affecting Firefox

  • PR_Close
  • PR_Read
  • PR_Write
  • PR_Poll

API Hooks affecting Chrome / Opera

  • closesocket
  • WSASend
  • WSARecv
  • recv

Web Injection Target

According to our analysis, data from url_webinjects mainly targets banks and credit card companies. Example web injection data used against a bank web site is shown in Figure 14. In this example, malicious script code was injected after the <head> tag. This code includes a URL to download a target-specific grabber script. The injected code is normally obfuscated to conceal Panda Banker’s behavior from malware analysts:

Figure 14: Injection code launched against a bank web site

Once the grabber script is de-obfuscated it reveals some interesting functions:

  • Injecting a bogus message (see Figure 15)
  • Stealing card numbers (see Figure 16)
  • Collecting the nickname, purchase limits, and withdrawal limits for debit and credit cards (see Figure 17)

Figure 15: Injection code – bogus message

Figure 16: Injection code – steal card number

Figure 17: Injection code – collect nickname, purchase limits, and withdrawal limits for a debit card

Web Injection Target Analysis

Table 2 is a summary of the target countries and industries observed by our researchers:

Table 2: Target countries and industries

Target Country   Industry
JP               1 video streaming service / e-commerce company
                 1 porn video streaming service
                 11 credit card companies
US               8 banking companies
                 2 payroll systems
                 1 block chain company
CA               9 banking companies

According to our analysis, the United States, Canada, and Japan were major targets of Panda Banker. The malware focused primarily on stealing bank account and credit card information, as well as personal information in payroll systems. Web wallet and block chain information were also targeted.

According to previous research [5], Panda Banker started targeting financial institutions in Japan in March of 2018. In late August we confirmed Panda Banker is still targeting companies in Japan. This time threat actors targeted well-known credit card companies and a large bank. The cybercriminals also targeted users of a streaming porn video service and another video streaming service / E-commerce company.

Conclusion

Panda Banker is a heavily obfuscated, highly configurable, and active malware. Threat actors use this malware to steal bank/credit card information, personal data, and web wallet/blockchain information. Major targets include companies in the United States, Canada, and Japan.

If you are a Cylance customer using CylancePROTECT®, you were already protected from this attack by our machine learning models: read how here.


References

[1] https://blog.fox-it.com/2016/06/07/linkedin-information-used-to-spread-banking-malware-in-the-netherlands/

[2] https://threatvector.cylance.com/en_us/home/threat-spotlight-emotet-infostealer-malware.html

[3] https://threatvector.cylance.com/en_us/home/cylance-vs-updated-emotet.html

[4] https://isc.sans.edu/forums/diary/Recent+Emotet+activity/23908/

[5] https://asert.arbornetworks.com/panda-banker-zeros-in-on-japanese-targets/

IoCs

  • SHA256 values (Panda Banker payloads)
  • Persistency
    • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Name: An executable file name Panda Banker created (e.g., blocklist.exe)
    • Data: path to the executable file Panda Banker created (e.g., path to blocklist.exe)
  • C2 domain names
  • URLs in configuration from C2 server