Downloads.exe
Size | 163MB |
ID | 201119-6zl3t9wvps |
MD5 | 2e5f0d7f3b1505978fa81cf1e70d02d5 |
SHA1 | 99a6086d8a23ea12aba3a8ddd7f67c427981622f |
SHA256 | 8701918235296129f184663d445f30d9235911a79a5aa8d0999c6467190bae51 |
SHA512 | 9239b684c9d2a0583a01c7f27d9fa76a271bc729645e3b222f02d6dffdec347cfef706c5a79aafb97f251bb2c92fde25583f004dd583640e8d9eb8d1b2e7441f |
Extracted
Protocol | ftp |
Host | 45.141.184.35 |
Port | 21 |
Username | alex |
Password | easypassword |
Extracted
Family | revengerat |
Botnet | YT |
C2 | yukselofficial.duckdns.org:5552 |
Extracted
Family | revengerat |
Botnet | system |
C2 | yj233.e1.luyouxia.net:20645 |
Extracted
Family | revengerat |
Botnet | samay |
C2 | shnf-47787.portmap.io:47787 |
Extracted
Family | hawkeye_reborn |
Version | 10.1.2.2 |
Attributes |
fields |
_AntiDebugger | false |
_AntiVirusKiller | false |
_BotKiller | false |
_ClipboardLogger | true |
_Delivery | 0 |
_DisableCommandPrompt | false |
_DisableRegEdit | false |
_DisableTaskManager | false |
_Disablers | false |
_EmailPassword | castor123@ |
_EmailPort | 587 |
_EmailSSL | true |
_EmailServer | smtp.yandex.com |
_EmailUsername | mor440ney@yandex.com |
_ExecutionDelay | 10 |
_FTPPort | 0 |
_FTPSFTP | false |
_FakeMessageIcon | 0 |
_FakeMessageShow | false |
_FileBinder | false |
_HideFile | false |
_HistoryCleaner | false |
_Install | false |
_InstallLocation | 0 |
_InstallStartup | false |
_InstallStartupPersistance | false |
_KeyStrokeLogger | true |
_LogInterval | 10 |
_MeltFile | false |
_Mutex | 245f77ec-c812-48df-870b-886d22992db6 |
_PasswordStealer | true |
_ProcessElevation | false |
_ProcessProtection | false |
_ScreenshotLogger | false |
_SystemInfo | false |
_Version | 10.1.2.2 |
_WebCamLogger | false |
_WebsiteBlocker | false |
_WebsiteVisitor | false |
_WebsiteVisitorVisible | false |
_ZoneID | false |
name | HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null |
|
Extracted
Family | revengerat |
Botnet | XDSDDD |
C2 | 84.91.119.105:333 |
Extracted
Family | revengerat |
Botnet | Victime |
C2 | cocohack.dtdns.net:84 |
Extracted
Family | zloader |
Botnet | main |
Campaign | 26.02.2020 |
C2 | https://airnaa.org/sound.php https://banog.org/sound.php https://rayonch.org/sound.php |
rc4.plain | |
Extracted
Family | smokeloader |
Version | 2019 |
C2 | http://advertserv25.world/logstatx77/ http://mailstatm74.club/logstatx77/ http://kxservx7zx.club/logstatx77/ http://dsmail977sx.xyz/logstatx77/ http://fdmail709.club/logstatx77/ http://servicestar751.club/logstatx77/ http://staradvert9075.club/logstatx77/ http://staradvert1883.club/logstatx77/ |
rc4.i32 | |
rc4.i32 | |
Extracted
Family | revengerat |
Botnet | INSERT-COIN |
C2 | 3.tcp.ngrok.io:24041 |
Extracted
Family | zloader |
Botnet | 07/04 |
C2 | https://xyajbocpggsr.site/wp-config.php https://ooygvpxrb.pw/wp-config.php |
rc4.plain | |
Extracted
Family | zloader |
Botnet | 09/04 |
C2 | https://eoieowo.casa/wp-config.php https://dcgljuzrb.pw/wp-config.php |
rc4.plain | |
Extracted
Family | zloader |
Botnet | 25/03 |
C2 | https://wgyvjbse.pw/milagrecf.php https://botiq.xyz/milagrecf.php |
rc4.plain | |
Extracted
Family | formbook |
C2 | http://www.worstig.com/w9z/ http://www.joomlas123.com/i0qi/ http://www.norjax.com/app/ |
Decoy | crazzysex.com hanferd.com gteesrd.com bayfrontbabyplace.com jicuiquan.net relationshiplink.net ohchacyberphoto.com kauegimenes.com powerful-seldom.com ketotoken.com make-money-online-success.com redgoldcollection.com hannan-football.com hamptondc.com vllii.com aa8520.com platform35markethall.com larozeimmo.com oligopoly.net llhak.info fisioservice.com tesla-magnumopus.com cocodrilodigital.com pinegrovesg.com traveladventureswithme.com hebitaixin.com golphysi.com gayjeans.com quickhire.expert randomviews1.com eatatnobu.com topmabati.com mediaupside.com spillerakademi.com thebowtie.store sensomaticloadcell.com turismodemadrid.net yuhe89.com wernerkrug.com cdpogo.net dannynhois.com realestatestructureddata.com matewhereareyou.net laimeibei.ltd sw328.com lmwworks.net xtremefish.com tonerias.com dsooneclinicianexpert.com 281clara.com |
Extracted
Family | emotet |
Botnet | Epoch3 |
C2 | 71.57.180.213:80 185.86.148.68:443 168.235.82.183:8080 181.113.229.139:443 181.134.9.162:80 217.199.160.224:8080 105.209.235.113:8080 216.75.37.196:8080 97.104.107.190:80 203.153.216.182:7080 107.161.30.122:8080 41.106.96.12:80 202.5.47.71:80 201.235.10.215:80 105.213.67.88:80 115.79.195.246:80 179.5.118.12:80 212.112.113.235:80 139.59.12.63:8080 177.37.81.212:443 81.17.93.134:80 46.32.229.152:8080 66.61.94.36:80 172.96.190.154:8080 176.9.93.82:7080 5.79.70.250:8080 190.212.140.6:80 37.46.129.215:8080 115.165.3.213:80 201.213.177.139:80 187.64.128.197:80 92.24.51.238:80 185.208.226.142:8080 50.116.78.109:8080 46.105.131.68:8080 181.114.114.203:80 190.190.15.20:80 198.57.203.63:8080 188.251.213.180:443 185.142.236.163:443 182.176.95.147:80 143.95.101.72:8080 181.164.110.7:80 113.161.148.81:80 51.38.201.19:7080 31.146.61.34:80 75.139.38.211:80 157.7.164.178:8081 203.153.216.178:7080 212.156.133.218:80 |
rsa_pubkey.plain | |
Extracted
Family | danabot |
C2 | 92.204.160.54 2.56.213.179 45.153.186.47 93.115.21.29 185.45.193.50 193.34.166.247 |
rsa_pubkey.plain | |
Extracted
Path | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta |
Ransom Note |
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, follow this link: email Bit_decrypt@protonmail.com YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail: Bit_decrypt@protonmail.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
|
Emails | Bit_decrypt@protonmail.com |
Extracted
Family | smokeloader |
Version | 2017 |
C2 | http://92.53.105.14/ |
Extracted
Family | qakbot |
Botnet | spx129 |
Campaign | 1590734339 |
C2 | 94.10.81.239:443 94.52.160.116:443 67.0.74.119:443 175.137.136.79:443 73.232.165.200:995 79.119.67.149:443 62.38.111.70:2222 108.58.9.238:993 216.110.249.252:2222 67.209.195.198:3389 84.247.55.190:443 96.37.137.42:443 94.176.220.76:2222 173.245.152.231:443 96.227.122.123:443 188.192.75.8:995 24.229.245.124:995 71.163.225.75:443 75.71.77.59:443 104.36.135.227:443 173.173.77.164:443 207.255.161.8:2222 68.39.177.147:995 178.193.33.121:2222 72.209.191.27:443 67.165.206.193:995 64.19.74.29:995 117.199.195.112:443 75.87.161.32:995 188.173.214.88:443 173.22.120.11:2222 96.41.93.96:443 86.125.210.26:443 24.10.42.174:443 47.201.1.210:443 69.92.54.95:995 24.202.42.48:2222 47.205.231.60:443 66.26.160.37:443 65.131.44.40:995 24.110.96.149:443 108.58.9.238:443 77.159.149.74:443 74.56.167.31:443 75.137.239.211:443 47.153.115.154:995 173.172.205.216:443 184.98.104.7:995 24.46.40.189:2222 98.115.138.61:443 |
Extracted
Path | C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt |
Family | hakbit |
Ransom Note |
To recover your data contact the email below
potentialenergy@mail.ru
Key Identifier:
Number of files that were processed is: 712
|
Emails | potentialenergy@mail.ru |
Extracted
Family | azorult |
C2 | http://195.245.112.115/index.php |
Extracted
Family | asyncrat |
Version | 0.5.7B |
C2 | agentttt.ac.ug:6970 agentpurple.ac.ug:6970 |
Attributes |
aes_key | 16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr |
anti_detection | false |
autorun | false |
bdos | false |
delay | Default |
host | agentttt.ac.ug,agentpurple.ac.ug |
hwid | 3 |
install_file | |
install_folder | %AppData% |
mutex | AsyncMutex_6SI8OkPnk |
pastebin_config | null |
port | 6970 |
version | 0.5.7B |
|
aes.plain | |
Extracted
Family | zloader |
Botnet | CanadaLoads |
Campaign | Nerino |
C2 | https://monanuslanus.com/bFnF0y1r/7QKpXmV3Pz.php https://lericastrongs.com/bFnF0y1r/7QKpXmV3Pz.php https://hyllionsudks.com/bFnF0y1r/7QKpXmV3Pz.php https://crimewasddef.com/bFnF0y1r/7QKpXmV3Pz.php https://derekdsingel.com/bFnF0y1r/7QKpXmV3Pz.php https://simplereffiret.com/bFnF0y1r/7QKpXmV3Pz.php https://regeerscomba.com/bFnF0y1r/7QKpXmV3Pz.php |
rc4.plain | |
rsa_pubkey.plain | |
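The "Extracted" blocks above are the sandbox's flattened "Key | Value |" tables, with some cells (C2, Decoy, rc4.plain) spilling onto following lines and some left empty. The script below is an added example, not part of the sandbox output: it parses that layout into one record per block, flattens every C2 cell into unique (family, host, port) triples so the indicators can be matched against proxy or NetFlow logs, and interprets the numeric Qakbot Campaign value as a Unix build timestamp (an interpretation this report does not state itself; zloader's dotted-date campaigns are deliberately left alone). The SAMPLE text is a constructed excerpt in the report's own layout using values from the tables above.

```python
"""Parser for the flattened 'Extracted' config tables in a sandbox report.
Added example, not part of the sandbox output. Row shapes handled:
'Key | Value |' (one line), 'Key |' + continuation lines closed by a
trailing '|', and 'Key |' followed by a bare '|' (empty cell).
"""
import re
from datetime import datetime, timezone

# Constructed excerpt in the report's own layout (values copied from the page).
SAMPLE = """\
Extracted
Family | revengerat |
C2 |
yukselofficial.duckdns.org:5552 |
Extracted
Family | zloader |
Campaign | 26.02.2020 |
C2 |
https://airnaa.org/sound.php https://banog.org/sound.php |
rc4.plain |
|
Extracted
Family | qakbot |
Campaign | 1590734339 |
C2 |
94.10.81.239:443 94.52.160.116:443 94.10.81.239:443 |
"""


def parse_extracted(text):
    """Return one dict per 'Extracted' block, keyed by the table's row labels."""
    records, current = [], None
    pending, buffer = None, []          # key whose value spans following lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            body = line[:-1].strip() if line.endswith("|") else line
            if body:
                buffer.append(body)
            if line.endswith("|"):      # a bare '|' closes an empty cell
                current[pending] = " ".join(buffer)
                pending, buffer = None, []
            continue
        if line == "Extracted":
            current = {}
            records.append(current)
            continue
        if current is None or not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) >= 3:             # 'Key | Value |'
            current[parts[0]] = parts[1]
        elif len(parts) == 2:           # 'Key |' -> value continues below
            pending = parts[0]
    return records


# host[:port] or scheme://host[:port][/path]; no userinfo appears in these dumps
ENDPOINT = re.compile(
    r"^(?:(?P<scheme>https?)://)?(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?:/\S*)?$"
)


def c2_endpoints(records):
    """Flatten C2 cells into unique (family, host, port) triples.
    URLs without an explicit port get the scheme default (80/443)."""
    seen, out = set(), []
    for rec in records:
        for token in rec.get("C2", "").split():
            m = ENDPOINT.match(token)
            if not m:
                continue
            port = m.group("port") or {"http": "80", "https": "443"}.get(m.group("scheme"))
            key = (rec.get("Family", "?"), m.group("host"), int(port) if port else None)
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out


def qakbot_campaign_time(rec):
    """Interpret a numeric Qakbot Campaign value as Unix epoch seconds (UTC).
    Returns None for other families or non-numeric campaign strings."""
    value = rec.get("Campaign", "")
    if rec.get("Family") != "qakbot" or not value.isdigit():
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


if __name__ == "__main__":
    recs = parse_extracted(SAMPLE)
    for fam, host, port in c2_endpoints(recs):
        print(f"{fam:12} {host}:{port}")
    print(qakbot_campaign_time(recs[2]).isoformat())
```

Feed the whole report text to parse_extracted to get every block; the duplicate 94.10.81.239:443 in the sample shows the deduplication, and the empty rc4.plain cell comes back as an empty string rather than being dropped, so missing key material stays visible in the output.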