Threat Spotlight: Panda Banker Trojan Targets the US, Canada and Japan

Panda Banker is a banking trojan which uses a variant of the Zeus source code. First discovered in 2016 [1], this threat remains active and recently received numerous updates.

Panda Banker injects malicious script code into targeted web pages in the victim's browser using man-in-the-browser techniques. The injected code grabs bank account, credit card, and personal information.

Panda Banker has recently been delivered via Emotet [2, 3, 4]. It takes several steps to hide its behavior: heavy code obfuscation and multiple layers of encryption make it difficult to dissect the malware's C2 communication and malicious scripts.

Panda Banker primarily targets victims in the United States, Canada, and Japan. The malware focuses on bank account, credit card, and web wallet information. The following is a technical overview detailing what our threat research team uncovered.

Technical Analysis

Overview

Panda Banker has a sophisticated attack cycle (Figure 1). It begins by checking the victim's environment to determine whether it is running in a sandbox. Next it creates a copy of itself that carries an extended file attribute. Once that is complete, the original process launches the newly created copy and exits. The new copy creates two svchost.exe processes and injects itself into them.

Panda Banker obtains the C2 URL from configuration data embedded in its payload, then contacts the C2 server to obtain additional configuration data. If it finds the process name of a known web browser, it injects a plugin DLL into that browser to intercept its traffic.

Panda Banker waits for the infected browser to visit a targeted web site (such as a bank or credit card company). When a target site is visited, the malware injects a target-specific grabber script to steal bank account, credit card, and personal information:

Figure 1: Panda Banker attack cycle

Evasion

Panda Banker checks the victim's environment to evade sandboxes and manual analysis (Table 1). It looks for packet capture programs, debuggers, disassemblers, and other tools useful for malware analysis. If it discovers any of these in the environment, it exits and deletes the payload file:

Table 1: Strings Panda Banker checks for evasion

  Action                Target
  --------------------  ----------------------------------------
  Open File             C:\\popupkiller.exe
                        C:\\stimulator.exe
                        C:\\TOOLS\\execute.exe
                        \\\\.\\NPF_NdisWanIp
                        \\\\.\\REGVXG
                        \\\\.\\FILEVXG
                        \\\\.\\REGSYS
                        \\\\.\\FILEM
                        \\\\.\\TRW
  Load Library          SbieDLL.dll
  Create Mutex          Sandboxie_SingleInstanceMutex_Control
                        Frz_State
  Find Process Name     Wireshark
                        Immunity
                        Processhacker
                        Procexp
                        Procmon
                        Idaq
                        regshot
                        aut2exe
                        perl
                        python
  Open Registry         HKCU\\Software\\WINE
                        HKLM\\Software\\WINE
  Call GetProcAddress   wine_get_unix_file_name


Once Panda Banker passes the environment check, it creates four new files. One of them is a copy of Panda Banker; in this case, blocklist.exe is the payload (Figure 2):

Figure 2: Four files were created by Panda Banker

Panda Banker assigns an extended file attribute to the malware copy through the NtSetEaFile API. In this example the EaName is BEAR (Figure 3). The original payload exits after launching the copy. Once Panda Banker finds "BEAR" in its extended file attributes, it creates two svchost.exe processes and injects itself into them:

Figure 3: EaName of extended file attribute assigned by Panda Banker

Configuration Data in Payload

Panda Banker's payload contains configuration data that includes the C2 server URLs and a public key. The configuration data is encrypted with AES. The structure of the encrypted configuration data is detailed below (Figure 4):

Figure 4: Structure of the encrypted configuration data embedded in Panda Banker's payload

Once decrypted, two critical items appear (Figure 5 and Figure 6): the C2 URLs, encrypted with RC4, and an RSA public key encoded as an X.509 SubjectPublicKeyInfo DER SEQUENCE.

The URLs are decrypted with RC4 using the embedded RSA public key. In this case, the bytes 66 c7 5b 69 f4 5a 4e 12 decrypt to https://:

Figure 5: C2 URLs encrypted by RC4

Figure 6: RSA public key

URL Generation Algorithm

Panda Banker generates a new URL each time it contacts the C2 server (Figure 7). The generated URLs look like random strings, but they follow an algorithm:

Figure 7: An example of a generated URL

Panda Banker uses the Mersenne Twister algorithm to obtain random values. The entire URL algorithm is described below. Steps 1-5 describe the 1st part, steps 6-10 the 2nd part.

    1.  Determine the length of the 1st part with this formula: mod(a random value from Mersenne Twister, 9) + 2. The result is between 2 and 10.
    2.  Get a random index value with this formula: mod(a random value from Mersenne Twister, 62). The result is between 0 and 61.
    3.  Pick an alphanumeric character from a pre-defined string, using the result of step 2 as the index.
        a.  e.g. with the pre-defined string
            qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890
            an index value of 1 selects 'w'.
    4.  Append the result of step 3 to the 1st part of the URL.
    5.  Repeat steps 2 through 4 the number of times determined by the result of step 1.
    6.  Obtain 4 values:
        a.  the computer name, through the GetComputerNameW API
        b.  InstallDate from HKLM\software\microsoft\windows nt\currentversion
        c.  DigitalProductId from HKLM\software\microsoft\windows nt\currentversion, and calculate its CRC value
        d.  the OSVERSIONINFOEX structure, through the GetVersionEx API, and calculate its CRC value
    7.  Pack the results of step 6 and calculate the SHA256 value.
    8.  Take the first 16 bytes of the result of step 7.
    9.  XOR the results of steps 4 and 8 according to this pseudo code:

            resultlist = []
            for i in range(0, 16):
                # cycle through the 1st part when it is shorter than 16 bytes
                xoredvalue = first_16_bytes_from_step_8[i] ^ first_part[i % len(first_part)]
                resultlist.append(xoredvalue)

    10. The bytes in resultlist are base64-encoded, and '+', '/', and '=' are replaced as listed below. Afterward, Panda Banker calculates a modulo according to formula d. If the value is less than 20 (< 20), it appends '/' to the end of the 2nd part.
        a.  '+' -> '-' (hyphen)
        b.  '/' -> '_' (underscore)
        c.  '=' -> '' (nothing)
        d.  mod(a random value from Mersenne Twister, 100)
    11. Concatenate the C2 domain, the 1st part, and the 2nd part:
            C2 domain/1st part/2nd part
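The URL algorithm above, re-implemented here as an added example (it is not code from the original post or from the malware) so that the shape of the generated paths can be checked against proxy logs. It assumes Python's random.Random in place of the malware's Mersenne Twister, plain concatenation for the "pack" step, and constructed host values; the regular expression at the end is the detection pattern this shape implies.

```python
import base64
import hashlib
import random
import re
import zlib

# Pre-defined alphabet from step 3: 62 characters, indexed 0..61 (index 1 is 'w').
ALPHABET = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"


def first_part(rng):
    """Steps 1-5: between 2 and 10 characters drawn from ALPHABET."""
    length = rng.getrandbits(32) % 9 + 2       # step 1: 2..10
    chars = []
    for _ in range(length):                    # step 5: repeat steps 2-4
        index = rng.getrandbits(32) % 62       # step 2: 0..61
        chars.append(ALPHABET[index])          # steps 3-4
    return "".join(chars)


def host_fingerprint(computer_name, install_date, digital_product_id, os_version_info):
    """Steps 6-8: pack the four host values, SHA256 them, keep the first 16 bytes.
    Packing by plain concatenation is an assumption; the page only says "pack"."""
    packed = (computer_name.encode("utf-16-le")
              + install_date.to_bytes(4, "little")
              + zlib.crc32(digital_product_id).to_bytes(4, "little")
              + zlib.crc32(os_version_info).to_bytes(4, "little"))
    return hashlib.sha256(packed).digest()[:16]


def encode_second_part(part1, fingerprint16):
    """Steps 9 and 10a-c: XOR the 16 fingerprint bytes with the cycled 1st part,
    then base64 with '+'->'-', '/'->'_' and '=' dropped (URL-safe, unpadded)."""
    key = part1.encode("ascii")
    xored = bytes(fingerprint16[i] ^ key[i % len(key)] for i in range(16))
    return base64.urlsafe_b64encode(xored).decode("ascii").rstrip("=")


def generate_path(rng, fingerprint16):
    """Steps 10d and 11: optional trailing '/', then '/1st part/2nd part'."""
    part1 = first_part(rng)
    part2 = encode_second_part(part1, fingerprint16)
    if rng.getrandbits(32) % 100 < 20:         # step 10d: roughly 20% of requests
        part2 += "/"
    return "/" + part1 + "/" + part2


# Detection view: 16 XORed bytes always base64-encode to exactly 22 characters,
# so the path shape is fixed even though its content changes on every request.
PANDA_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,10}/[A-Za-z0-9_-]{22}/?$")


def looks_like_panda_path(path):
    return PANDA_PATH_RE.match(path) is not None


def sample_paths(seed, count):
    """Generate `count` paths for one constructed host, deterministic per seed."""
    # Constructed sample host values; not taken from any real machine.
    fp = host_fingerprint("DESKTOP-SAMPLE", 1530000000,
                          b"\xa4\x00\x00\x00" + b"\x00" * 160,   # fake DigitalProductId
                          b"\x9c\x01\x00\x00" + b"\x00" * 152)   # fake OSVERSIONINFOEXW
    rng = random.Random(seed)
    return [generate_path(rng, fp) for _ in range(count)]


if __name__ == "__main__":
    for path in sample_paths(2018, 5):
        print(path, "matches" if looks_like_panda_path(path) else "no match")
```

The regex alone will also match some benign short paths, so it is a triage filter to combine with destination reputation and the POST body shape described in the next section, not a standalone signature.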

 

C2 Communication

Request

An example of Panda Banker's POST request parameter can be seen in Figure 8. It is encrypted with AES-256 in CBC mode using a 32-byte key and a 16-byte IV. The "process" line in the figure shows Panda Banker injected into svchost.exe. The "name" value is preconfigured in Panda Banker's payload. The malware also receives configuration data from the C2 server when additional files are needed:

Figure 8: Plain POST parameter example

For each POST request, Panda Banker creates a fresh 32-byte key and 16-byte IV for AES encryption. The AES key is encrypted with the RSA key from Figure 6. Next, the RSA-encrypted AES key, the 16-byte AES IV, and the AES-encrypted POST parameter are packed together. Panda Banker then calculates a SHA256 value over the 1st and 2nd parts of the generated URL and the packed contents (Figure 9). Lastly, everything is base64-encoded:

Figure 9: Binary data of POST body

Response from C2 Server

Panda Banker's C2 server sends multi-layer encrypted binary data to the victim. The decryption steps are detailed below.

First layer

Response data from the C2 server is base64-encoded. Once decoded, the binary format in Figure 10 is revealed. The SHA256 value in the binary data is used for an integrity check. To decrypt the AES-encrypted data, Panda Banker reuses the AES key from the POST request:

Figure 10: Binary response data from C2 server

When decrypted, JSON data is revealed (Figure 11):

Figure 11: Decrypted first layer

Second layer

Once the "data" value in Figure 11 is decoded, another binary structure appears, with the same format as Figure 4. After decryption, more JSON data is revealed (Figure 12):

Figure 12: Decrypted second layer

The decoded "sign" value is used for an integrity check: Panda Banker verifies the decoded "data" value against it with an RSA public key. If the signature does not match, the decoded "data" value is ignored.

The decrypted "data" value is base64-encoded and contains one of two things:

  • Configuration data or web injection data
  • PE32 (or PE32++) executable file

In the first case, the decoded binary has the same format as shown in Figure 4; once decrypted, it yields a configuration file or web injection data. In the second case, the decoded data is a PE executable file (a dynamic link library).

Configuration from C2 Server

The actual C2 configuration data can be seen in Figure 13. It includes URLs that deliver several plugins: url_plugin_webinject32, url_plugin_webinject64, url_plugin_vnc32, url_plugin_vnc64, url_plugin_backsocks, url_plugin_grabber, and url_plugin_keylogger.

It also shows the current settings for VNC injection (inject_vnc), data grabbing (grab_pass, grab_cookie, etc.), and the process names to log (keylog_process and screen_process). In this example, the process targeted for key logging and screen monitoring is putty.exe:

Figure 13: Configuration data from C2 server

Web Injection Method

Panda Banker intercepts a browser's web traffic through API hooking. It injects malicious scripts into targeted web pages in the victim's browser. It also weakens browser security by removing the Content Security Policy header.

The url_plugin_webinject32 plugin is designed for web injection. According to our analysis, it hooks APIs used by iexplore.exe, microsoftedge.exe, microsoftedgecp.exe, firefox.exe, chrome.exe, and opera.exe. Once the browser visits a URL listed in the url_webinjects configuration data, the plugin injects the matching script into the page in the browser.

Some example API hooks are listed below:

API Hooks affecting MS browsers

  • HttpSendRequestW
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestExA
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetQueryDataAvailable
  • InternetCloseHandle
  • HttpOpenRequestA
  • HttpOpenRequestW
  • HttpQueryInfoA
  • InternetConnectA
  • InternetConnectW
  • InternetWriteFile

API Hooks affecting Firefox

  • PR_Close
  • PR_Read
  • PR_Write
  • PR_Poll

API Hooks affecting Chrome / Opera

  • closesocket
  • WSASend
  • WSARecv
  • recv

Web Injection Target

According to our analysis, data from url_webinjects mainly targets banks and credit card companies. Example web injection data used against a bank web site is shown in Figure 14. In this example, malicious script code was injected after the <head> tag. The code includes a URL from which a target-specific grabber script is downloaded. This code is normally obfuscated to conceal Panda Banker's behavior from malware analysts:

Figure 14: Injection code launched against a bank web site

Once the grabber script is de-obfuscated it reveals some interesting functions:

  • Injecting a bogus message (see Figure 15)
  • Stealing card numbers (see Figure 16)
  • Collecting the nickname, purchase limits, and withdrawal limits for debit and credit cards (see Figure 17)

Figure 15: Injection code - bogus message 

Figure 16: Injection code - steal card number

Figure 17: Injection code - collect nickname, purchase limits, and withdrawal limits for a debit card

Web Injection Target Analysis

Table 2 is a summary of the target countries and industries observed by our researchers:

Table 2: Target countries and industries

  Target Country   Industry
  ---------------  ----------------------------------------
  JP               1 video streaming service / E-commerce
                   1 porn video streaming service
                   11 credit card companies
  US               8 banking companies
                   2 payroll systems
                   1 blockchain company
  CA               9 banking companies


According to our analysis, the United States, Canada, and Japan were the major targets of Panda Banker. The malware focused primarily on stealing bank account and credit card information, as well as personal information from payroll systems. Web wallet and blockchain information were also targeted.

According to previous research [5], Panda Banker began targeting financial institutions in Japan in March 2018. In late August we confirmed that Panda Banker is still targeting companies in Japan. This time the threat actors targeted well-known credit card companies and a large bank. They also targeted users of a streaming porn video service and of a video streaming / E-commerce company.

Conclusion

Panda Banker is a heavily obfuscated, highly configurable, and active malware family. Threat actors use it to steal bank and credit card information, personal data, and web wallet/blockchain information. Major targets include companies in the United States, Canada, and Japan.

If you are a Cylance customer using CylancePROTECT®, you were already protected from this attack by our machine learning models: read how here.

References

[1] https://blog.fox-it.com/2016/06/07/linkedin-information-used-to-spread-banking-malware-in-the-netherlands/

[2] https://threatvector.cylance.com/en_us/home/threat-spotlight-emotet-infostealer-malware.html

[3] https://threatvector.cylance.com/en_us/home/cylance-vs-updated-emotet.html

[4] https://isc.sans.edu/forums/diary/Recent+Emotet+activity/23908/

[5] https://asert.arbornetworks.com/panda-banker-zeros-in-on-japanese-targets/

IoCs

  • SHA256 values (Panda Banker payloads)


  • Persistency

                o   Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                o   Name: An executable file name Panda Banker created (e.g., blocklist.exe)
                o   Data: path to an executable file Panda Banker created (e.g., path to blocklist.exe)

  •  C2 domain names


  • URLs in configuration from C2 server
