
TrickBot C2i and Configs March 2019


There are some new additions in the latest target list. Below are the C2 servers and the targeted URIs extracted from the complete webinject configs. In the target list, each */rcrd/<id>* line opens a block of <lm> URL masks (wildcards * and ?) that the injects are matched against, and the <hl> lines point at the inject server on 92.223.105.109:446, whose s= parameter carries the same id as the block it sits in. Some of the wildcarded masks are very broad and highly effective.


Article by Vishal Thakur


C2:

http://103.119.144.250:8082
http://75.183.130.158:8082
http://96.36.253.146:8082
http://14.102.107.114:8082
http://181.115.156.218:80
http://200.21.51.30:80
http://36.91.93.114:80
http://97.87.127.198:80
http://190.152.125.162:80
http://192.210.152.173:443
http://212.80.216.228:443
http://185.68.93.59:443
http://31.202.132.5:443
http://107.175.132.141:443
http://185.86.148.195:443



Target list:

<lm>https://us.etrade.com/webapiagg/aggregator</lm>
<lm>https://us.etrade.com/etx/hw/0/accountshome.json</lm>
<lm>https://www.nwolb.com/*.aspx*</lm>
<lm>https://www.rbsdigital.com/*.aspx*</lm>
<lm>https://www.ulsterbankanytimebanking.co.uk/*.aspx*</lm>
<lm>https://www.bankline.*/CWSLogon/scripts/common.js*</lm>
<lm>*netteller.com/login2008/Authentication*</lm>
<lm>https://*.netteller.com/favicon.ico?*</lm>
<lm>*favicon.ico=2dd2038048c763fc5f9174ae466cdb9c*</lm>
<lm>*.com/SPF/Login/Auth.aspx*</lm>
<lm>*.com/SPF/Login/favicon.ico?*</lm>
<lm>*favicon.ico=f7caf50483938302d86aa228d161e435*</lm>
<lm>*/Authentication/Login*</lm>
<lm>*/Accounts/AccountOverview.asp*</lm>
<lm>*favicon.ico=250717644273414e5c73a3c8997564da*</lm>
<lm>*.onlinebank.com/*/AOP/*.aspx*</lm>
<lm>*.onlinebank.com/*/AOP/favicon.ico?*</lm>
<lm>*partnersfcu.org/OnlineBanking/*aspx*</lm>
<lm>*partnersfcu.org/OnlineBanking/AOP/favicon.ico?*</lm>
<lm>*favicon.ico=ff358d7f67bc0f7e81b014655e34d0a5*</lm>
<lm>*.com/pub/html/login.html*</lm>
<lm>*.com/pub/html/favicon.ico*</lm>
<lm>*favicon.ico=843729ac35951a040681c469b4a89c0b*</lm>
<lm>*/EBC_EBC1961/*</lm>
<lm>*favicon.ico=8735fa9cc59a7353f49756e81c2b3908*</lm>
<lm>*.com/fi*/bb/*</lm>
<lm>*.com/fi*/pb/*</lm>
<lm>*.com/fi*/retail/*</lm>
<lm>*.com/fnfg/retail/*</lm>
<lm>*.com/fi*/bb/favicon.ico?*</lm>
<lm>*.com/fi*/pb/favicon.ico?*</lm>
<lm>*.com/fi*/retail/favicon.ico?*</lm>
<lm>*.com/fnfg/retail/favicon.ico?*</lm>
<lm>*favicon.ico=be7cd95e4b5e89eb1f1d895abab1ee71*</lm>
<lm>*/bbw/cmserver/welcome*</lm>
<lm>*favicon.ico=99f2a20d3dd8a354fbc8ed3a239f199f*</lm>
<lm>*pib*.secure-banking.com/*</lm>
<lm>*favicon.ico=f7205f82fdf9559db38d202eb9459348*</lm>
<lm>*.blilk.com/Core/Authentication/MFA*</lm>
<lm>*favicon.ico=a857aaab644de080328d45292893e479*</lm>
<lm>*secure.fundsxpress.com/piles/fxweb.pile/*</lm>
<lm>https://*secure.fundsxpress.com/*/fx?*</lm>
<lm>https://*secure.fundsxpress.com/*/favicon.ico?*</lm>
<lm>https://*secure.fundsxpress.com/start/*</lm>
<lm>https://*secure.fundsxpress.com/favicon.ico?</lm>
<lm>*favicon.ico=a6009ccf2264af7978f45f2a332eb392*</lm>
<lm>*/onlineserv/CM*</lm>
<lm>*favicon.ico=5326bab1f1f827912468392860f6eb14*</lm>
<lm>*cey-ebanking.com/CLKCCM/*</lm>
<lm>*favicon.ico=70e9ac7e38a9df5092783b632c859cc7*</lm>
<lm>*engine/login/businesslogin*</lm>
<lm>*favicon.ico=01390a8c1c3cfb9918d799ad2a73dd84*</lm>
<lm>*/business/j_security_check*</lm>
<lm>*/business/login/Login.jsp*</lm>
<lm>*/business/cts_security_precheck*</lm>
<lm>https://secure.*/LookAndFeel/Common/images/common/share.png?favicon.ico*</lm>
<lm>*favicon.ico=74536be4f9c2db6ca8c01a8054e1338a*</lm>
<lm>*corporatebankingweb/core/*</lm>
<lm>*favicon.ico=d73a726d92acc898bbbb175d3ab3337e*</lm>
<lm>*.ebanking-services.com/*.asp*</lm>
<lm>*.ebanking-services.com/*/*favicon.ico*</lm>
<lm>*favicon.ico=ce2bb103af1a10241de273caa885dbdd*</lm>
<lm>*secure.myvirtualbranch.com*</lm>
<lm>*favicon.ico=c8d027c1b29ac0def84ddfac56e682c8*</lm>
<lm>*/wcmfd/wcmpw/CustomerLogin*</lm>
<lm>*/wcmfd/wcmpw/favicon.ico*</lm>
<lm>*favicon.ico=9d0cf5e88c1fbcc637b90b76128d6bb9*</lm>
<lm>*/rcrd/1527170714082509*</lm>
<lm>https://*banking.sparda-*</lm>
<hl>https://92.223.105.109:446/response.php?s=1527170714082509&id=9F4zhb743OplmZmRHzxa</hl>
<lm>https://*banking.sparda.de/wps/loggedout.jsp</lm>
<lm>*banking.sparda*.de/spm/?institut=*</lm>
<lm>*banking.sparda*.de/spm/login/*</lm>
<lm>https://*banking.sparda.de*</lm>
<lm>*/rcrd/1550484331776021*</lm>
<lm>https://securentrycorp.vectrabank.com/Authentication/zbf/k/_c*</lm>
<lm>*/rcrd/1528137865954561*</lm>
<lm>https://bank.bbt.com/mfapp/web/myfi/home*</lm>
<lm>https://bank.bbt.com/auth/kba_reg_update.tb*</lm>
<lm>https://bank.bbt.com/mfapp/web/myfi/profile*</lm>
<lm>https://bank.bbt.com/auth/pwd.tb*</lm>
<lm>https://bank.bbt.com/auth/kba_reg_update.tb?action=ZmV0Y2g=</lm>
<lm>*/rcrd/1530558791571849*</lm>
<lm>https://online.citi.com/US/JSO/signoff/*</lm>
<lm>https://accountonline.citi.com/cards/svc/Login*</lm>
<lm>https://online.citi.com/US/JSO/loginpage/retarget*</lm>
<lm>https://online.citi.com/US/NCAO/cli/flow*</lm>
<lm>https://online.citi.com/US/JPS/portal/*</lm>
<lm>https://online.citi.com/US/JRS/login*</lm>
<lm>https://online.citi.com/US/JRS/portal/*</lm>
<lm>https://online.citi.com/US/JSO/signon/ProcessUsernameSignon.do</lm>
<lm>https://online.citi.com/US/login*</lm>
<lm>https://online.citi.com/US/CBOL/ain/car*</lm>
<lm>https://online.citi.com/US/NCMF/csq/flow.action*</lm>
<lm>https://online.citi.com/US/JRS/contactinfo/initialiseContactInfo*</lm>
<lm>https://online.citi.com/US/banking/citi*</lm>
<lm>https://online.citi.com/US/ag/ContactInfo*</lm>
<lm>https://online.citi.com/US/JSO/signon/uname/*</lm>
<lm>https://online.citi.com/US/ag/mrc/*</lm>
<lm>https://online.citi.com/US/NCMF/csq/ResetQuestions.do*</lm>
<lm>https://online.citi.com/US/NCAO/cli/flow*</lm>
<lm>https://www.citi.com/credit-cards/*</lm>
<lm>https://online.citi.com/US/JRS/pands/*</lm>
<lm>https://businessaccess.citibank.citigroup.com/cbusol/signon/signonOptions.action</lm>
<lm>*/rcrd/1527171026496719*</lm>
<lm>https://*kunde.comdirect.de*</lm>
<lm>https://*comdirect.de/lp/wt/login*</lm>
<lm>*kunde.comdirect.de/itx/*?execution=*</lm>
<lm>*/rcrd/1550484422643704*</lm>
<lm>https://securentrycorp.zionsbank.com/Authentication/zbf/k/_c*</lm>
<lm>*/rcrd/1543518475901885*</lm>
<lm>*banking.netbank.de/nbm/login/*</lm>
<lm>*banking.netbank.de/banking/session*</lm>
<lm>*/rcrd/1527164097084304*</lm>
<lm>https://www.cibc.com/??/small-business*</lm>
<lm>https://www.cibc.com/??/personal-banking*</lm>
<lm>https://www.cibconline.cibc.com/ebm-resources/public/banking/cibc/client/web/*</lm>
<lm>https://www.cibconline.cibc.com/olbtxn/*</lm>
<lm>https://*cibc.com/*</lm>
<lm>*/rcrd/1527164294934631*</lm>
<lm>*commerzbank.de/*.html*</lm>
<lm>*kunden.commerzbank.de/banking/landingpage*</lm>
<lm>*kunden.commerzbank.de/banking/*payments?*</lm>
<lm>*kunden.commerzbank.de/banking/*financeoverview?*</lm>
<lm>https://*commerzbank.de*</lm>
<lm>*commerzbank.de/</lm>
<lm>*kunden.commerzbank.de/banking/*transactions?*</lm>
<lm>*kunden.commerzbank.de/lp/login*</lm>
<lm>*/rcrd/1527164275923785*</lm>
<lm>*bvi.bnc.ca*</lm>
<lm>*/rcrd/1550481775969129*</lm>
<lm>https://intellix.capitalonebank.com/treasury-management-portal-web/appmanager/TresMgmtPortal/TreasuryManagement</lm>
<lm>*/rcrd/1550482343625533*</lm>
<lm>https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx</lm>
<lm>*/rcrd/1550479971917479*</lm>
<lm>https://www.lexisnexis.com/start/signin*</lm>
<lm>*/rcrd/1527162575196753*</lm>
<lm>https://*ebanking.bawagpsk.com/InternetBanking*</lm>
<lm>*/rcrd/1527164985687384*</lm>
<lm>https://www*.scotiaonline.scotiabank.com/*</lm>
<lm>*/rcrd/1550484138478750*</lm>
<lm>https://securentrycorp.calbanktrust.com/Authentication/zbf/k/_c*</lm>
<lm>*/rcrd/1536176590679564*</lm>
<lm>https://onlinebanking.mtb.com/Login/MTBSignOn</lm>
<lm>https://onlinebanking.mtb.com/</lm>
<lm>https://onlinebanking.mtb.com/Accounts/AccountSummary</lm>
<lm>https://onlinebanking.mtb.com/CustomerService/MyProfile</lm>
<lm>https://onlinebanking.mtb.com/CustomerService/MyProfileEdit</lm>
<lm>*/rcrd/1534870214732286*</lm>
<lm>https://online.lloydsbank.co.uk/personal/primarylogin</lm>
<lm>https://secure.lloydsbank.co.uk/personal/a/logon/entermemorableinformation.jsp*</lm>
<lm>*/rcrd/1549887949529075*</lm>
<lm>*iconnectdata.com/*</lm>
<lm>*/rcrd/1543518759414830*</lm>
<lm>*banking.fidor.de/smart-account</lm>
<lm>*/rcrd/1538496844367198*</lm>
<lm>https://myapps.paychex.com/*_remote/*</lm>
<lm>*/rcrd/1549888200260006*</lm>
<lm>*fleetone.com*</lm>
<lm>*/rcrd/1551276554703372*</lm>
<lm>https://portal.discover.com/customersvcs/universalLogin/signin</lm>
<lm>*/rcrd/1537463849851121*</lm>
<lm>https://www.binance.com/userCenter/balances.html</lm>
<lm>https://www.binance.com/login.html</lm>
<hl>https://92.223.105.109:446/response.php?s=1537463849851121&id=8WCy0CTJXuQBelmFaRkT</hl>
<lm>https://www.binance.com/userCenter/myAccount.html</lm>
<lm>*/rcrd/1527164640571442*</lm>
<lm>*banking-private/portal*</lm>
<lm>https://*.de/banking-*/portal?*</lm>
<lm>*wpevent=loauto&timeout=*</lm>
<lm>https://*.de/banking-*/portal;*</lm>
<lm>*banking-business/portal*</lm>
<lm>*portal/*portal*</lm>
<lm>https://*.de/*/entry*</lm>
<lm>*ortal?bankid=*</lm>
<lm>https://*.de/privatkunden/*</lm>
<lm>https://*.de/portal/portal*</lm>
<lm>*/banking-private/portal*</lm>
<lm>*timeout=*token*</lm>
<lm>*/banking-private/entry*</lm>
<lm>*/rcrd/1543522441996439*</lm>
<lm>*lzo.com/de/home/*.html*</lm>
<lm>*lzo.com/de/home.html</lm>
<lm>*/rcrd/1550482741307281*</lm>
<lm>https://*.netteller.com/login2008/Authentication/Views/Login.aspx*</lm>
<lm>*/rcrd/1528138508409624*</lm>
<lm>https://onlinebanking.usbank.com/*/MyProfile/AuthenticationPreferencesView*</lm>
<lm>https://onlinebanking.usbank.com/*/SCIDShieldQA/IDShieldQA</lm>
<lm>https://*.usbank.com/Auth/Login/LoginWidget</lm>
<lm>https://onlinebanking.usbank.com/*/IDShieldQAReview</lm>
<lm>https://onlinebanking.usbank.com/*/IDShieldQAConfirm</lm>
<lm>https://onlinebanking.usbank.com/API/Auth/v1/IDShield/UpdateUserQuestions*</lm>
<lm>https://*.usbank.com/access/oblix/apps/webgate/bin/webgate.dll*</lm>
<lm>https://onlinebanking.usbank.com/*/MyProfileDashboard/MyProfileDashboardIndex*</lm>
<lm>https://onlinebanking.usbank.com/*/CustomerDashboard/Index*</lm>
<lm>https://singlepoint.usbank.com/cs70_banking/logon/sbuser*</lm>
<lm>https://*/uux.aspx</lm>
<lm>*/rcrd/1527171294563071*</lm>
<lm>*meine.deutsche-bank.de/trxm/db/invoke/*</lm>
<lm>*meine.deutsche-bank.de/trxm/db/*</lm>
<lm>*meine.deutsche-bank.de/trxm/db/?lang=*</lm>
<lm>*meine.deutsche-bank.de/trxm/db/init.do*</lm>
<lm>*meine.deutsche-bank.de/trxm/db/</lm>
<lm>*meine.deutsche-bank.de*</lm>
<lm>*/rcrd/1527164442360306*</lm>
<lm>https://*ptlweb/WebPortal*</lm>
<lm>*/rcrd/1550482445763158*</lm>
<lm>https://access.jpmorgan.com/jpmalogon*</lm>
<lm>*/rcrd/1527161983056830*</lm>
<lm>https://*tangerine.ca/app/*</lm>
<lm>*/rcrd/1549888110656100*</lm>
<lm>*efsllc.com/*</lm>
<lm>*/rcrd/1535723065134935*</lm>
<lm>https://signon.navyfederal.org/siteminderagent/forms/nfcu.fcc</lm>
<lm>https://myaccounts.navyfederal.org/NFCU/accounts/accountsummary*</lm>
<lm>https://www.navyfederal.org/</lm>
<lm>https://my.navyfederal.org/NFOAA_Auth/login.jsp*</lm>
<lm>*/rcrd/1543510882809493*</lm>
<lm>*ksk-koeln.de/*aspx*</lm>
<lm>*/rcrd/1527784817476992*</lm>
<lm>https://chaseonline.chase.com/secure/CustomerCenter*</lm>
<lm>https://espanol.chase.com/sdchaseonline/Logon*</lm>
<lm>https://chaseonline.chase.com/MyAccount*</lm>
<lm>https://espanol.chase.com/sdchaseonline/MyAccounts*</lm>
<lm>https://chaseonline.chase.com/secure/Profile/*</lm>
<lm>https://espanol.chase.com/sdchaseonline/secure/Profile/*</lm>
<lm>https://secure*.chase.com/web/auth*</lm>
<lm>https://espanol.chase.com/sdchaseonline/secure/CustomerCenter*</lm>
<lm>https://chaseonline.chase.com/Logon.aspx*</lm>
<lm>https://m.chase.com/*</lm>
<lm>https://www.chase.com/espanol</lm>
<lm>https://www.chase.com/</lm>
<lm>https://secure*.chase.com/web/auth/?fromOrigin=*</lm>
<lm>https://espanol.chase.com/sdchaseonline/Logon*</lm>
<lm>https://espanol.chase.com/sdchaseonline/secure/CustomerCenter*</lm>
<lm>https://espanol.chase.com/sdchaseonline/secure/Profile/*</lm>
<lm>https://espanol.chase.com/sdchaseonline/MyAccounts*</lm>
<lm>*/rcrd/1550482073370297*</lm>
<lm>https://web*.secureinternetbank.com/ebc_ebc1961/EBC1961.ashx*</lm>
<lm>*/rcrd/1543511555715803*</lm>
<lm>*banking.haspa.de/*OF</lm>
<lm>*haspa.de/*/login</lm>
<lm>*haspa.de/*/welcome</lm>
<lm>*/rcrd/1529299416322016*</lm>
<lm>https://olb.bbvacompass.com/secure-auth/login*</lm>
<lm>https://olb.bbvacompass.com/secure/accountsummary*</lm>
<lm>https://olb.bbvacompass.com/secure-il/api/auth/public/signon*</lm>
<lm>https://www.bbvacompass.com/</lm>
<lm>*/rcrd/1545235830343997*</lm>
<lm>https://www.usaa.com/inet/ent_accounts/EntManageAccounts*</lm>
<lm>https://www.usaa.com/inet/ent_home/CpHome*</lm>
<lm>https://www.usaa.com/inet/ent_memberprofile3/MemberProfileLandingPage*</lm>
<lm>https://www.usaa.com/inet/ent_logon/Logon*</lm>
<lm>https://www.usaa.com/inet/ent_auth_pin/page/PinEntryPage*</lm>
<lm>https://www.usaa.com/inet/ent_auth_secques/answer*</lm>
<lm>*/rcrd/1547738007155673*</lm>
<lm>*/iytdr56ygc567ygtyhgyukiu654efgh/*</lm>
<lm>*/rcrd/1538497062765600*</lm>
<lm>https://*runpayroll.adp.com/*</lm>
<lm>*/rcrd/1543516849861476*</lm>
<lm>*consorsbank.de/ev/Mein-Konto-und-Depot*</lm>
<lm>*/rcrd/1549968469842314*</lm>
<lm>https*ebay.com*</lm>
<lm>*/rcrd/1543519166768558*</lm>
<lm>*www.dkb.de/banking*</lm>
<lm>*www.dkb.de/-*</lm>
<lm>*/rcrd/1535730754439313*</lm>
<lm>*easyweb.td.com*</lm>
<hl>https://92.223.105.109:446/response.php?s=1535730754439313&id=flYwbwFSlmA71rMyHuGw</hl>
<lm>*authmaint.td.com*index.html*</lm>
<lm>*authentication.td.com*</lm>
<lm>*/rcrd/1529423905024754*</lm>
<lm>https://connect.secure.wellsfargo.com/auth/login/present*</lm>
<lm>https://connect.secure.wellsfargo.com/accounts/start*</lm>
<lm>https*wellsfargo.com*</lm>
<lm>https://www.wellsfargo.com/</lm>
<lm>*/rcrd/1550484235517088*</lm>
<lm>https://securentrycorp.nbarizona.com/Authentication/zbf/k/_c*</lm>
<lm>*/rcrd/1548766537307202*</lm>
<lm>https://invest.ameritrade.com/grid/p/site</lm>
<lm>https://invest.ameritrade.com/cgi-bin/apps/u/SecurityChange?pagehandler=PHSecurityQuestionChange</lm>
<lm>https://invest.ameritrade.com/grid/m/securityChallengeSetup</lm>
<lm>https://invest.ameritrade.com/grid/?/login</lm>
<lm>https://invest.ameritrade.com/cgi-bin/apps/u/SecurityChange</lm>
<hl>https://92.223.105.109:446/response.php?s=1548766537307202&id=XvSLNsROLpHSHivZzlm5</hl>
<lm>*/rcrd/1539874619588916*</lm>
<lm>*/getq/1539874619588916/fSPp2Yhx0G*</lm>
<lm>https://global.americanexpress.com/login/*</lm>
<lm>https://www.americanexpress.com/</lm>
<lm>https://online.americanexpress.com/myca/logon/us/action/LogLogonHandler*</lm>
<lm>https://global.americanexpress.com/api/servicing/v1/financials/balances*</lm>
<lm>https://global.americanexpress.com/myca/logon/us/action/login*</lm>
<lm>https://www.americanexpress.com/??/</lm>
<lm>https://global.americanexpress.com/myca/logon/emea/action*</lm>
<lm>https://global.americanexpress.com/dashboard*</lm>
<lm>https://global.americanexpress.com/api/servicing/v1/loyalty*</lm>
<lm>*/rcrd/1542815273992904*</lm>
<lm>*meine.postbank.de*</lm>
<lm>*banking.postbank.de/rai/crypt/login*</lm>
<lm>*banking.postbank.de/rai/crypt/*-*</lm>
<lm>*/rcrd/1551278232078488*</lm>
<lm>https://www.choicehotels.com/webapi/user-account/login</lm>
<lm>*/rcrd/1548836629102091*</lm>
<lm>*cibng.ibanking-services.com*</lm>
<lm>*/rcrd/1550482874762402*</lm>
<lm>https://onepass.regions.com/oaam_server/oamLoginPage.jsp*</lm>
<lm>*/rcrd/1533809766692683*</lm>
<lm>https://www.onlinebanking.pnc.com/alservlet/MyAccountsServlet</lm>
<lm>https://www.onlinebanking.pnc.com/alservlet/ValidateUserIdPasswordServlet</lm>
<lm>https://www.onlinebanking.pnc.com/alservlet/PNCOnlineBankingServlet</lm>
<lm>https://www.onlinebanking.pnc.com/alservlet/ModifySecurityQuestionsServlet*</lm>
<lm>https://www.onlinebanking.pnc.com/alservlet/ModifySecurityQuestionsConfirmationServlet</lm>
<lm>*/rcrd/1536081411070630*</lm>
<lm>https://www.capitalone.com/</lm>
<lm>https://verified.capitalone.com/sic-ui/*</lm>
<lm>*/rcrd/1543512054283274*</lm>
<lm>*banking.ing-diba.de/app/obligo?x*</lm>
<lm>*banking.ing-diba.de/app/login*</lm>
<lm>*/rcrd/1527162060949058*</lm>
<lm>http*://*acc*desjardins.com*</lm>
<lm>https://accweb.mouv.desjardins.com/identifiantunique/identification*</lm>
<lm>https://accesd.mouv.desjardins.com/sommaire-perso/sommaire/detention*</lm>
<lm>https://accweb.mouv.desjardins.com/identifiantunique/securite*</lm>
<lm>https://accweb.mouv.desjardins.com/identifiantunique/authentification*</lm>
<lm>*/rcrd/1550477972471512*</lm>
<lm>https://secure.ally.com/</lm>
<lm>https://www.ally.com/</lm>
<lm>https://www.ally.ccservicing.com/CCServicing/Login.do*</lm>
<lm>https://www.ally.ccservicing.com/CCServicing/ProcessLogin.do*</lm>
<lm>*/rcrd/1550477535863381*</lm>
<lm>https://secure.accurint.com/app/bps/main*</lm>
<lm>*/rcrd/1538078076441901*</lm>
<lm>https://secure.halifax-online.co.uk/personal/a/logon/entermemorableinformation.jsp*</lm>
<lm>https://www.halifax-online.co.uk/personal/primarylogin</lm>
<lm>*/rcrd/1527162620975004*</lm>
<lm>*targobank.de/*/identification/*.cgi*</lm>
<lm>https://*targobank.de*</lm>
<lm>*targobank.de/*/banque/*.aspx</lm>
<lm>*/rcrd/1527162502077171*</lm>
<lm>https://*raiffeisen*.at/logincenter*</lm>
<lm>https://*raiffeisen*.at/group/private*</lm>
<lm>https://*raiffeisen*.at/group/club*</lm>
<lm>*/rcrd/1536679059633197*</lm>
<lm>https://*.suntrust.com*</lm>
<lm>https://onlinebanking.suntrust.com/UI/ajax/clientservice/changeSecurityQA</lm>
<lm>*/rcrd/1531737415491610*</lm>
<lm>https://onlinebanking.tdbank.com/</lm>
<lm>*123tdbank.com123*</lm>
<lm>https://onlinebanking.tdbank.com/ngp_api/v1/security/user/session*</lm>
<lm>*/rcrd/1527163537124692*</lm>
<lm>*/getq/1527163537124692/qZaiUryN1C*</lm>
<lm>https://www.amazon.co.uk/gp/yourstore/home*</lm>
<lm>https://www.amazon.co.uk/*</lm>
<lm>https://sellercentral.amazon.com/gp/notifications/notification-widget-internals.html*</lm>
<lm>*amazon.*</lm>
<lm>https://www.amazon.co.uk/ap/signin</lm>
<lm>https://sellercentral.amazon.com/ap/signin*</lm>
<lm>*/rcrd/1543519607339755*</lm>
<lm>*securebank.santander*.de/IRALOG*/BtoChannelDriver*</lm>
<lm>Replace = *securebank.santander*.de/EBANDE*/BtoChannelDriver*</lm>
<lm>*/rcrd/1530801754727167*</lm>
<lm>https://client.schwab.com/api/profile*</lm>
<lm>https://*lms.schwab.com/Login*</lm>
<lm>https://client.schwab.com/api/summary/account*</lm>
<lm>https://*client.schwab.com/*</lm>
<lm>https://client.schwab.com/clientapps/accounts/summary/*</lm>
<lm>https://client.schwab.com/Accounts/Summary/Summary.aspx*</lm>
<lm>https://lms.schwab.com/Login*</lm>
<lm>*/rcrd/1527612058812310*</lm>
<lm>*/getq/1527612058812310/iNmHc4XOcV*</lm>
<lm>https://www.bankofamerica.com/homepage/overview*</lm>
<lm>https://www.bankofamerica.com/smallbusiness/</lm>
<lm>https://www.bankofamerica.com/smallbusiness/?*</lm>
<lm>https://secure.bankofamerica.com/myaccounts/brain/redirect.go?source*</lm>
<lm>https://secure.bankofamerica.com/myaccounts/brain/redirect.go?target=acc*</lm>
<lm>https://www.bankofamerica.com/onlinebanking/online-banking.go</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/signOnV2Screen.go*</lm>
<lm>https://secure.bankofamerica.com/mycommunications/statements/statement.go*</lm>
<lm>https://secure.bankofamerica.com/login/edit/sm/redirectSecurityCenter.go*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/incoming/sitekeyWidgetScript.go*</lm>
<lm>https://www.bankofamerica.com/homepage/smallbusiness*</lm>
<lm>https://*.bankofamerica.com*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/validateChallengeAnswer*</lm>
<lm>https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces</lm>
<lm>https://www.bankofamerica.com/index.jsp*</lm>
<lm>https://secure.bankofamerica.com/login/sitekey/skmaint.go*</lm>
<lm>https://www.bankofamerica.com/sitemap/hub/signin.go</lm>
<lm>https://secure.bankofamerica.com/myaccounts/signin/signIn.go*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/entry/signOnV2.go*</lm>
<lm>https://secure.bankofamerica.com/transfers/*</lm>
<lm>https://secure.bankofamerica.com/myaccounts/details/deposit/information-services.go*</lm>
<lm>https://secure.bankofamerica.com/myaccounts/signoff/signoff-default.go</lm>
<lm>https://secure.bankofamerica.com/myaccounts/details/deposit/account-details.go*</lm>
<lm>https://secure.bankofamerica.com/customer/manageContacts*</lm>
<lm>https://www.bankofamerica.com/?*</lm>
<lm>https://www.bankofamerica.com/smallbusiness/online-banking.go</lm>
<lm>https://secure.bankofamerica.com/myaccounts/ao/accounts-overview.go*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/internal/entry/signOnV2.go*</lm>
<lm>https://www.bankofamerica.com/</lm>
<lm>https://secure.bankofamerica.com/myaccounts/details/deposit/account-balance-history.go*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/signOnV2Screen*</lm>
<lm>https://secure.bankofamerica.com/login/sign-in/signOnScreen*</lm>
<lm>https://www.bankofamerica.com/Control.do*</lm>
<lm>https://secure.bankofamerica.com/login/languageToggle.go</lm>
<lm>https://allmyaccounts.bankofamerica.com/apps/*</lm>
<lm>https://finapp.allmyaccounts.bankofamerica.com/finapp/*</lm>
<lm>https://secure.bankofamerica.com/myaccounts/details/card*</lm>
<lm>*/rcrd/1527171438710910*</lm>
<lm>https://*banking.berliner-bank.de/trxm*</lm>
<lm>*/rcrd/1538579395193257*</lm>
<lm>https://*.my.commbank.com.au/netbank/PaymentHub/*</lm>
<lm>https://*.my.commbank.com.au/netbank/Logon/Logon.aspx*</lm>
<lm>*/rcrd/1527173297891530*</lm>
<lm>https://*geb.bankaustria.at/ga-gif-war/*</lm>
<lm>https://*online.bankaustria.at/wps/*</lm>
<lm>https://*resize/resize_helper.html*</lm>
<lm>*/rcrd/1527164139852253*</lm>
<lm>*meine.norisbank.de/trxm/noris/invoke/*</lm>
<lm>*norisbank.de*</lm>
<lm>https://*meine.norisbank.de/trxm/noris*</lm>
<lm>*meine.norisbank.de/trxm/noris/init.do</lm>
<lm>*/rcrd/1543519778460207*</lm>
<lm>*my.hypovereinsbank.de/login?view=/de/login.jsp*</lm>
<lm>*/rcrd/1549888496965530*</lm>
<lm>*53.com*</lm>
<lm>https://express.53.com/portal/auth/login/Login*</lm>
<lm>*/rcrd/1532632040841589*</lm>
<lm>https://www.key.com/personal/index.jsp</lm>
<lm>https://ibx.key.com/mbl/api/auth/v1/users/stepup/challenge/SECURITY_QUESTIONS/users.securityquestions</lm>
<lm>https://*.key.com/ibxolb/olb/index.html</lm>
<lm>https://ibx.key.com/mbl/api/auth/v1/users/securityquestions*</lm>
<lm>https://keynavigator.key.com/ktt/cmd/logon*</lm>
<lm>https://ibx.key.com/mbl/api/unauth/v1/users/login/password</lm>
<lm>*key.com123123*</lm>
<lm>*/rcrd/1550483473369256*</lm>
<lm>https://securentrycorp.amegybank.com/Authentication/zbf/k/_c*</lm>
<lm>*/rcrd/1527165088325262*</lm>
<lm>https://*.de/en/home*</lm>
<lm>*/home/onlinebanking/*.html*</lm>
<lm>*/de/home/online-filiale/*.html*</lm>
<lm>*.de/de/home/*.html*</lm>
<lm>https://*.de/de/home*</lm>
<lm>*/de/home/aktionen/*.html*</lm>
<lm>*/de/home123123123*</lm>
<lm>*/de/home/firmenkunden/*.html*</lm>
<lm>*.de/de/home.html</lm>
<lm>https://*.de*abmelden*</lm>
<lm>*/de/home/service/*.html*</lm>
<lm>*.de/de/home.html*</lm>
<lm>*/de/home/login-online-banking.html*</lm>
<lm>*/de/home/misc/*.html*</lm>
<lm>*/rcrd/1527162953804588*</lm>
<lm>https://www*.royalbank.com/wps/myportal/OLB/*</lm>
<lm>https://*royalbank.com/*</lm>
<lm>https://www*.royalbank.com/cgi-bin/rbaccess/*</lm>
<lm>*/rcrd/1527162392678761*</lm>
<lm>https://www*.bmo.com/onlinebanking/*</lm>
<hl>https://92.223.105.109:446/response.php?s=1527162392678761&id=lmTkqQiUCKZ1O6tcTRTq</hl>
<lm>*/rcrd/1527163053741552*</lm>
<lm>https://*.sparkasse.at/sPortal/sportal*</lm>
<lm>https://*.sparkasse.at/*.js</lm>
<lm>https://*login.sparkasse.at/sts/oauth*</lm>
<nh>aosdpgdalmotnqiubyerfshvwcxj.org</nh>
<nh>qosathwvxbcykafzrlmqipuneods.net</nh>
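To use these lists operationally, the masks have to be turned into something that can be matched against proxy or browser-telemetry URLs, and the C2 and inject-server addresses into host:port indicators. The Python below is an added example, not code from this post or from TrickBot; it parses an excerpt of the two lists above in the same tag format, compiles each <lm> mask to a regex, ties each <hl> handler to its */rcrd/<id>* block through the s= parameter, and runs the result over a few constructed proxy-log lines. It assumes glob semantics for the masks (* any run of characters, ? exactly one, as the /??/ locale placeholders in the CIBC and American Express entries suggest), which is my reading rather than something the post states; the <nh> entries are collected without any claim about their role.

```python
"""
Added example (not code from the post or from TrickBot): turn the C2 list and
the target list into a detection pass over proxy-log URLs.

Assumptions (mine, not stated on the page):
  * <lm> masks are glob-style: '*' = any run of characters, '?' = exactly one,
    matched case-insensitively against the whole URL.
  * Each '*/rcrd/<id>*' line opens a block; the <hl> line whose 's=' query
    parameter equals that id is the block's inject handler.
  * The proxy log below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Excerpt of the post's C2 list (subset).
C2_LIST = """
http://103.119.144.250:8082
http://181.115.156.218:80
http://192.210.152.173:443
"""

# Excerpt of the post's target list (subset, same tag format).
TARGET_CONFIG = """
<lm>*/rcrd/1527164097084304*</lm>
<lm>https://www.cibc.com/??/small-business*</lm>
<lm>*/rcrd/1537463849851121*</lm>
<lm>https://www.binance.com/login.html</lm>
<hl>https://92.223.105.109:446/response.php?s=1537463849851121&id=8WCy0CTJXuQBelmFaRkT</hl>
<lm>*/rcrd/1532632040841589*</lm>
<lm>*key.com123123*</lm>
<lm>*/rcrd/1529423905024754*</lm>
<lm>https*wellsfargo.com*</lm>
<nh>aosdpgdalmotnqiubyerfshvwcxj.org</nh>
"""

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """
2019-03-12T09:14:01Z 10.0.0.21 GET https://www.cibc.com/en/small-business/index.html 200
2019-03-12T09:14:03Z 10.0.0.21 POST http://181.115.156.218:80/ 200
2019-03-12T09:15:10Z 10.0.0.37 GET https://www.binance.com/login.html 200
2019-03-12T09:15:11Z 10.0.0.37 GET https://92.223.105.109:446/response.php?s=1537463849851121&id=8WCy0CTJXuQBelmFaRkT 200
2019-03-12T09:16:00Z 10.0.0.42 GET https://www.example.com/ 200
2019-03-12T09:16:05Z 10.0.0.42 GET https://ibx.key.com/mbl/api/auth/v1/users/login/password 200
2019-03-12T09:17:30Z 10.0.0.42 GET https://connect.secure.wellsfargo.com/auth/login/present 200
"""

TAG_RE = re.compile(r"<(lm|hl|nh)>(.*?)</\1>")
RCRD_RE = re.compile(r"\*/rcrd/(\d+)\*")


def host_port(url):
    """(host, port) for a URL, defaulting the port from the scheme."""
    u = urlsplit(url)
    return (u.hostname, u.port or (443 if u.scheme == "https" else 80))


def parse_c2(text):
    """C2 lines -> set of (host, port) indicators."""
    return {host_port(line) for line in text.split() if "://" in line}


def mask_to_regex(mask):
    """Glob mask -> anchored, case-insensitive regex ('*' -> '.*', '?' -> '.')."""
    parts = []
    for ch in mask:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_targets(text):
    """Target config -> ({rcrd_id: {'masks': [regex], 'handler': url|None}}, set of <nh>)."""
    groups, new_hosts, current = {}, set(), "ungrouped"
    for tag, value in TAG_RE.findall(text):
        if tag == "lm":
            m = RCRD_RE.fullmatch(value)
            if m:  # a new block starts; masks that follow belong to this id
                current = m.group(1)
                groups.setdefault(current, {"masks": [], "handler": None})
            else:
                g = groups.setdefault(current, {"masks": [], "handler": None})
                g["masks"].append(mask_to_regex(value))
        elif tag == "hl":  # handler: attach to the block named by its s= parameter
            rcrd = parse_qs(urlsplit(value).query).get("s", [current])[0]
            groups.setdefault(rcrd, {"masks": [], "handler": None})["handler"] = value
        else:
            new_hosts.add(value)
    return groups, new_hosts


def scan(log_text, c2, groups):
    """Return [(line_no, kind, detail)] for log lines that touch the config."""
    inject_servers = {host_port(g["handler"]) for g in groups.values() if g["handler"]}
    findings = []
    for n, line in enumerate(filter(None, log_text.strip().splitlines()), start=1):
        url = line.split()[3]
        hp = host_port(url)
        if hp in c2:
            findings.append((n, "c2", "%s:%d" % hp))
        elif hp in inject_servers:
            findings.append((n, "inject-server", "%s:%d" % hp))
        for rcrd, g in groups.items():
            if any(rx.match(url) for rx in g["masks"]):
                findings.append((n, "inject-target", "rcrd=%s handler=%s"
                                 % (rcrd, "yes" if g["handler"] else "no")))
    return findings


C2 = parse_c2(C2_LIST)
GROUPS, NEW_HOSTS = parse_targets(TARGET_CONFIG)


def run():
    return scan(SAMPLE_LOG, C2, GROUPS)


if __name__ == "__main__":
    for n, kind, detail in run():
        print("line %d: %s (%s)" % (n, kind, detail))
```

Two things the run shows that the raw list does not: masks padded with 123, such as *key.com123123* or */de/home123123123*, can never match a real URL, so the Key Bank line in the sample log is not flagged and such entries should be read as disabled rather than as coverage; and a visit to a masked bank page followed by a fetch from 92.223.105.109:446/response.php (lines 3 and 4 in the sample) is the pairing to alert on, since the response.php host is the inject server and not a bank. Under the glob reading, a literal ? in a mask (favicon.ico?*) also matches any single character, which is harmless for detection but worth knowing when auditing hits.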

