ORDER-63019.exe shit.exe nwheilcopters.com Malware Trojan Downloader Dropper PCAP File Download Traffic Sample

SHA256: 98bdbffa8d88d541f578597f218b3e2f2439ee736c0413cbe654b007d152a4bc
File name: ORDER-63019.exe
Detection ratio: 46 / 60
Analysis date: 2017-06-06 01:24:16 UTC
Antivirus  Result  Update
Arcabit Trojan.Coantor.47 20170606
Avast Win32:Malware-gen 20170606
AVG Generic_vb.PMG 20170605
Avira (no cloud) TR/Dropper.VB.arvtb 20170605
AVware Trojan.Win32.Generic!BT 20170606
BitDefender Gen:Variant.Coantor.47 20170606
CAT-QuickHeal Trojan.Dynamer 20170605
Cyren W32/VBInject.JS.gen!Eldorado 20170606
DrWeb Trojan.PWS.Stealer.1932 20170606
Emsisoft Gen:Variant.Coantor.47 (B) 20170606
Endgame malicious (high confidence) 20170515
ESET-NOD32 a variant of Win32/Injector.DOVE 20170606
F-Prot W32/VBInject.JS.gen!Eldorado 20170606
F-Secure Gen:Variant.Coantor.47 20170606
Fortinet W32/Injector.DOVR!tr 20170606
GData Gen:Variant.Coantor.47 20170606

2017-06-05 17:41:53.468218 IP 192.168.1.102.63854 > 108.170.51.58.80: Flags [P.], seq 0:411, ack 1, win 256, length 411: HTTP: GET /pdff/ORDER-63019.exe HTTP/1.1
E…=’@…Z….fl.3:.n.P..-b….P…….GET /pdff/ORDER-63019.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: nwheilcopters.com
Connection: Keep-Alive

2017-06-05 17:42:51.810573 IP 192.168.1.102.59081 > 75.75.75.75.53: 17942+ A? nwheilcopters.com. (35)
E..?…….M…fKKKK…5.+W F…………nwheilcopters.com…..
2017-06-05 17:42:51.986243 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [S], seq 842477748, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4=t@…[]…fl.3:.p.P270……. ..q…………..
2017-06-05 17:42:52.082609 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [.], ack 1465304046, win 256, length 0
E..(=u@…[h…fl.3:.p.P270.WV..P………….
2017-06-05 17:42:52.089724 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [P.], seq 0:188, ack 1, win 256, length 188: HTTP: GET /chuksjamil/shit.exe HTTP/1.0
E…=v@…Z….fl.3:.p.P270.WV..P…B0..GET /chuksjamil/shit.exe HTTP/1.0
Host: nwheilcopters.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

2017-06-05 17:45:26.663212 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [P.], seq 234:351, ack 299, win 258, length 117
E…..@……..f(M.K.I..n…j.9.P…B…….p.8.ELb.M….b|W+….@………e~\…]..(……`…c.a..!.k…..G..C\……t…$..o..:..M.h{.&……|.%.a]…ms..
2017-06-05 17:45:26.809857 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [.], ack 448, win 257, length 0
E..(..@….,…f(M.K.I..n…j.9.P………….

Fareit Symmi Malware Trojan Download Document PDF.exe PCAP file download traffic sample nwheilcopters.com

SHA256: f32608f94f3701e153e769645ff6525e241cedbc5e27f6d1553d386dde0a048c
File name: DUCUMENT-3839274322-pdf.exe
Detection ratio: 45 / 58
Analysis date: 2017-06-06 01:11:22 UTC
Antivirus  Result  Update
Ad-Aware Gen:Variant.Symmi.68723 20170605
AegisLab Troj.Psw.W32.Fareit!c 20170605
AhnLab-V3 Win-Trojan/VBKrypt.RP 20170605
ALYac Gen:Variant.Symmi.68723 20170605
Antiy-AVL Trojan[PSW]/Win32.Fareit 20170605
Arcabit Trojan.Symmi.D10C73 20170605
Avast Win32:Malware-gen 20170606
AVG Generic_vb.PMG 20170605
Avira (no cloud) TR/Dropper.VB.spuhf 20170605
AVware Trojan.Win32.Generic!BT 20170606
BitDefender Gen:Variant.Symmi.68723 20170606
CAT-QuickHeal Trojan.Dynamer 20170605
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/VBInject.JS.gen!Eldorado 20170606
Emsisoft Gen:Variant.Symmi.68723 (B) 20170606
Endgame malicious (high confidence) 20170515
ESET-NOD32 a variant of Win32/Injector.DOVE 20170606
F-Prot W32/VBInject.JS.gen!Eldorado 20170606
F-Secure Gen:Variant.Symmi.68723 20170606

2017-06-05 17:47:35.334150 IP 192.168.1.102.63867 > 108.170.51.58.80: Flags [P.], seq 0:423, ack 1, win 256, length 423: HTTP: GET /pdff/DUCUMENT-3839274322-pdf.exe HTTP/1.1
E…={@…Y….fl.3:.{.P.._P.   wfP…D…GET /pdff/DUCUMENT-3839274322-pdf.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: nwheilcopters.com
Connection: Keep-Alive

2017-06-05 17:49:01.682221 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [P.], seq 1854863488:1854863605, ack 1794521671, win 257, length 117
E…..@……..f(M.K.I..n…j.:GP….Q……p….%q..*..e.]..(…..J…….j.g$……0:[..y9.\{0.@9…..T..QQY.%…:p%..a5
(8.e.4{.tV…g.;……n….cW>\.).
2017-06-05 17:49:01.836809 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [.], ack 150, win 256, length 0
E..(..@….(…f(M.K.I..n…j.:.P………….

Sage Ransomware 2lm5xNQU.exe 211.114.4.45 UDP/13655 PCAP file download Malware Traffic Analysis

SHA256: 01fd9a6245c93f25ec2202d06bb40dbdcb5a3c1a0e5fb3db54c4d6253f9f7f4c
File name: 2lm5xNQU.exe
Detection ratio: 52 / 61
Analysis date: 2017-05-21 21:29:52 UTC
Antivirus  Result  Update
Ad-Aware Gen:Variant.Ransom.Sage.110 20170521
AegisLab Gen.Variant.Ransom!c 20170521
AhnLab-V3 Trojan/Win32.SageCrypt.R196517 20170521
ALYac Trojan.Ransom.Sage 20170520
Antiy-AVL Trojan/Win32.TSGeneric 20170521
Arcabit Trojan.Ransom.Sage.110 20170521
Avast Win32:Malware-gen 20170521
AVG Ransom_r.BRQ 20170521
Avira (no cloud) TR/Agent.bkkbc 20170521
AVware Trojan.Win32.Generic!BT 20170521
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170503
BitDefender Gen:Variant.Ransom.Sage.110 20170521

2017-05-21 15:59:43.097424 IP 192.168.1.102.55377 > 104.24.122.74.80: Flags [P.], seq 0:404, ack 1, win 256, length 404: HTTP: GET /upload/2lm5xNQU.exe HTTP/1.1
E…J(@…
….fh.zJ.Q.Pmj..z..    P…/…GET /upload/2lm5xNQU.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: rigpriv.com
Connection: Keep-Alive

2017-05-21 15:59:51.493214 IP 192.168.1.102.62487 > 75.75.75.75.53: 11787+ A? mbfce24rgn65bx3g.2kzm0f.com. (45)
E..I”……J…fKKKK…5.53…………..mbfce24rgn65bx3g.2kzm0f.com…..
2017-05-21 15:59:51.534744 IP 192.168.1.102.62488 > 75.75.75.75.53: 12566+ A? mbfce24rgn65bx3g.6t4u2p.net. (45)
E..I”……I…fKKKK…5.5z.1…………mbfce24rgn65bx3g.6t4u2p.net…..

2017-05-21 15:59:51.607060 IP 192.168.1.102.62489 > 211.114.4.45.13655: UDP, length 168
2017-05-21 15:59:51.607141 IP 192.168.1.102.62489 > 138.197.53.223.13655: UDP, length 168
2017-05-21 15:59:51.607195 IP 192.168.1.102.62489 > 211.114.186.119.13655: UDP, length 168
2017-05-21 15:59:51.607248 IP 192.168.1.102.62489 > 211.114.35.219.13655: UDP, length 168
2017-05-21 15:59:51.607300 IP 192.168.1.102.62489 > 211.114.128.4.13655: UDP, length 168
2017-05-21 15:59:51.607353 IP 192.168.1.102.62489 > 5.45.86.15.13655: UDP, length 168
2017-05-21 15:59:51.607403 IP 192.168.1.102.62489 > 5.45.111.91.13655: UDP, length 168
2017-05-21 15:59:51.607442 IP 192.168.1.102.62489 > 138.197.92.93.13655: UDP, length 168
2017-05-21 15:59:51.607503 IP 192.168.1.102.62489 > 5.45.173.171.13655: UDP, length 168
2017-05-21 15:59:51.607555 IP 192.168.1.102.62489 > 138.197.50.41.13655: UDP, length 168
2017-05-21 15:59:51.607606 IP 192.168.1.102.62489 > 5.45.27.108.13655: UDP, length 168
2017-05-21 15:59:51.607656 IP 192.168.1.102.62489 > 211.114.88.146.13655: UDP, length 168
2017-05-21 15:59:51.607707 IP 192.168.1.102.62489 > 138.197.249.221.13655: UDP, length 168
2017-05-21 15:59:51.607757 IP 192.168.1.102.62489 > 139.59.46.106.13655: UDP, length 168
2017-05-21 15:59:51.607809 IP 192.168.1.102.62489 > 5.45.199.75.13655: UDP, length 168
2017-05-21 15:59:51.607859 IP 192.168.1.102.62489 > 138.197.148.95.13655: UDP, length 168
2017-05-21 15:59:51.607934 IP 192.168.1.102.62489 > 138.197.69.39.13655: UDP, length 168
2017-05-21 15:59:51.607985 IP 192.168.1.102.62489 > 5.45.138.5.13655: UDP, length 168
2017-05-21 15:59:51.608035 IP 192.168.1.102.62489 > 138.197.243.44.13655: UDP, length 168
2017-05-21 15:59:51.608085 IP 192.168.1.102.62489 > 138.197.16.154.13655: UDP, length 168
2017-05-21 15:59:51.608136 IP 192.168.1.102.62489 > 5.45.17.36.13655: UDP, length 168
2017-05-21 15:59:51.608185 IP 192.168.1.102.62489 > 211.114.38.24.13655: UDP, length 168
2017-05-21 15:59:51.608237 IP 192.168.1.102.62489 > 139.59.63.179.13655: UDP, length 168
2017-05-21 15:59:51.608288 IP 192.168.1.102.62489 > 139.59.172.69.13655: UDP, length 168
2017-05-21 15:59:51.608338 IP 192.168.1.102.62489 > 5.45.2.69.13655: UDP, length 168
2017-05-21 15:59:51.608388 IP 192.168.1.102.62489 > 138.197.171.187.13655: UDP, length 168
2017-05-21 15:59:51.608438 IP 192.168.1.102.62489 > 5.45.168.29.13655: UDP, length 168
2017-05-21 15:59:51.608488 IP 192.168.1.102.62489 > 138.197.9.146.13655: UDP, length 168
2017-05-21 15:59:51.608538 IP 192.168.1.102.62489 > 5.45.62.33.13655: UDP, length 168
2017-05-21 15:59:51.608588 IP 192.168.1.102.62489 > 5.45.151.81.13655: UDP, length 168
2017-05-21 15:59:51.608638 IP 192.168.1.102.62489 > 139.59.228.94.13655: UDP, length 168
2017-05-21 15:59:51.608689 IP 192.168.1.102.62489 > 138.197.149.178.13655: UDP, length 168
2017-05-21 15:59:51.608746 IP 192.168.1.102.62489 > 5.45.154.15.13655: UDP, length 168
2017-05-21 15:59:51.608805 IP 192.168.1.102.62489 > 211.114.131.201.13655: UDP, length 168
2017-05-21 15:59:51.608855 IP 192.168.1.102.62489 > 138.197.96.60.13655: UDP, length 168
2017-05-21 15:59:51.608905 IP 192.168.1.102.62489 > 5.45.33.223.13655: UDP, length 168
2017-05-21 15:59:51.608958 IP 192.168.1.102.62489 > 139.59.54.221.13655: UDP, length 168
2017-05-21 15:59:51.609008 IP 192.168.1.102.62489 > 139.59.207.207.13655: UDP, length 168
2017-05-21 15:59:51.609058 IP 192.168.1.102.62489 > 5.45.60.130.13655: UDP, length 168
2017-05-21 15:59:51.609111 IP 192.168.1.102.62489 > 139.59.13.3.13655: UDP, length 168
2017-05-21 15:59:51.609161 IP 192.168.1.102.62489 > 5.45.18.85.13655: UDP, length 168
2017-05-21 15:59:51.609211 IP 192.168.1.102.62489 > 138.197.123.231.13655: UDP, length 168
2017-05-21 15:59:51.609261 IP 192.168.1.102.62489 > 211.114.56.29.13655: UDP, length 168
2017-05-21 15:59:51.609311 IP 192.168.1.102.62489 > 211.114.89.107.13655: UDP, length 168
2017-05-21 15:59:51.609313 IP 192.168.1.102.62489 > 139.59.14.44.13655: UDP, length 168
2017-05-21 15:59:51.609412 IP 192.168.1.102.62489 > 139.59.39.156.13655: UDP, length 168
2017-05-21 15:59:51.609461 IP 192.168.1.102.62489 > 211.114.116.17.13655: UDP, length 168
2017-05-21 15:59:51.609511 IP 192.168.1.102.62489 > 211.114.165.130.13655: UDP, length 168
2017-05-21 15:59:51.609561 IP 192.168.1.102.62489 > 138.197.106.102.13655: UDP, length 168

2017-05-21 16:02:08.958333 IP 192.168.1.102.57831 > 75.75.75.75.53: 3648+ A? 7gie6ffnkrjykggd.2kzm0f.com. (45)
2017-05-21 16:02:16.440909 IP 192.168.1.102.57832 > 75.75.75.75.53: 19803+ A? 7gie6ffnkrjykggd.6t4u2p.net. (45)
2017-05-21 16:02:16.443659 IP 192.168.1.102.57833 > 75.75.75.75.53: 15121+ A? 7gie6ffnkrjykggd.6t4u2p.net. (45)
2017-05-21 16:02:22.417162 IP 192.168.1.102.57834 > 75.75.75.75.53: 31003+ A? btc.blockr.io. (31)
2017-05-21 16:02:54.976371 IP 192.168.1.102.57835 > 75.75.75.75.53: 35937+ A? 7gie6ffnkrjykggd.xcvkjet.net. (46)
2017-05-21 16:02:59.001852 IP 192.168.1.102.57836 > 75.75.75.75.53: 17942+ A? 7gie6ffnkrjykggd.onion. (40)

2017-05-21 16:02:22.575024 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 3986130788:3986131109, ack 3679392996, win 256, length 321: HTTP: GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396820544 HTTP/1.1
E..i`.@……..fh……P…d.O..P…….GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396820544 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive

2017-05-21 16:02:26.753866 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 321:730, ack 994, win 252, length 409: HTTP: GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396824927 HTTP/1.1
E…`.@……..fh……P…..O..P…….GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396824927 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823

2017-05-21 16:02:52.524435 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 730:1113, ack 1978, win 256, length 383: HTTP: GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396850683 HTTP/1.1
E…`.@……..fh……P…>.O..P…J<..GET /api/v1/address/txs/1783wBGsr1zkxenfEELXA25PLSkLdfJ4B7?_=1495396850683 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823

2017-05-21 16:02:54.064172 IP 192.168.1.102.55449 > 104.16.150.172.80: Flags [P.], seq 1113:1522, ack 2831, win 253, length 409: HTTP: GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396852243 HTTP/1.1
E…`.@……..fh……P…..O..P…….GET /api/v1/tx/info/04a47ecab9ebfe44f3a35a5e8e6db53fa8b384569164887253d848e30eb43338?_=1495396852243 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: btc.blockr.io
Connection: Keep-Alive
Cookie: __cfduid=dd4bbc41b4b92668e8a831a116dc12fb51495396823

Razy/Panda Trojan Malware 9z68lXaL.exe PCAP file download traffic analysis sample

SHA256: 904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326
File name: 9z68lXaL.exe
Detection ratio: 54 / 59
Analysis date: 2017-05-21 21:23:40 UTC
Antivirus  Result  Update
BitDefender Gen:Variant.Razy.155999 20170521
Bkav W32.TaharaK.Trojan 20170520
CAT-QuickHeal TrojanRansom.Shade 20170520
Comodo TrojWare.Win32.Injector.~DMGM 20170521
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/Trojan.TZVH-3564 20170521
DrWeb Trojan.PWS.Panda.9309 20170521
Emsisoft Gen:Variant.Razy.155999 (B) 20170521
Endgame malicious (high confidence) 20170515
ESET-NOD32 a variant of Win32/Injector.DMGM 20170521
F-Secure Gen:Variant.Razy.155999 20170521

2017-05-21 16:06:18.212574 IP 192.168.1.102.55464 > 104.24.123.74.80: Flags [P.], seq 2582031664:2582032130, ack 3928753541, win 541, length 466: HTTP: GET /upload/9z68lXaL.exe HTTP/1.1
E…..@…N….fh.{J…P…0.,..P…….GET /upload/9z68lXaL.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: rigpriv.com
Connection: Keep-Alive
Cookie: __cfduid=d478ac9f52a3801df9f32948ee4b03b4f1495397051

2017-05-21 16:07:06.744496 IP 192.168.1.102.55471 > 191.232.80.58.443: Flags [.], ack 5270, win 256, length 0
E..(..@……..f..P:….|5yp=…P….”……..
2017-05-21 16:07:06.751833 IP 192.168.1.102.55471 > 191.232.80.58.443: Flags [F.], seq 1705, ack 5270, win 256, length 0
E..(..@……..f..P:….|5yp=…P….!……..
2017-05-21 16:07:06.819164 IP 192.168.1.102.55471 > 191.232.80.58.443: Flags [.], ack 5271, win 256, length 0
E..(..@……..f..P:….|5yq=…P…. ……..
2017-05-21 16:07:09.498445 IP 192.168.1.102.55473 > 85.217.170.81.80: Flags [S], seq 2758385259, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..41.@……..fU..Q…P.i.k…… .q……………
2017-05-21 16:07:09.498449 IP 192.168.1.102.55472 > 85.217.170.81.80: Flags [S], seq 1888110957, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..41.@……..fU..Q…Pp.Im…… ……………..
2017-05-21 16:07:15.498426 IP 192.168.1.102.55473 > 85.217.170.81.80: Flags [S], seq 2758385259, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..01.@……..fU..Q…P.i.k….p. ………….
2017-05-21 16:07:15.514045 IP 192.168.1.102.55472 > 85.217.170.81.80: Flags [S], seq 1888110957, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..01.@……..fU..Q…Pp.Im….p. ………….

Kovter Trojan Spyware Malware GET /counter/?2 PCAP file download traffic analysis sample

SHA256: fbaa60f3c1fe06c4082df358914e2b9b9d0424e3ec7029d444002f7b18661af2
File name: 53b165f3d0c8ab.png
Detection ratio: 24 / 61
Analysis date: 2017-05-21 21:16:47 UTC
Antivirus  Result  Update
AVware Trojan.Win32.Kovter.ab (v) 20170521
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9990 20170503
Bkav W32.eHeur.Malware09 20170520
CrowdStrike Falcon (ML) malicious_confidence_96% (W) 20170130
Cyren W32/Kovter.T2.gen!Eldorado 20170521
DrWeb Trojan.SpyBot.702 20170521
Endgame malicious (moderate confidence) 20170515
ESET-NOD32 a variant of Generik.KFLGPVJ 20170521
F-Prot W32/Kovter.T2.gen!Eldorado 20170521
Invincea virus.win32.sality.at 20170519
Kaspersky UDS:DangerousObject.Multi.Generic 20170521
McAfee Artemis!C989202B8A87 20170521
McAfee-GW-Edition BehavesLike.Win32.Dropper.gc 20170521
Palo Alto Networks (Known Signatures) generic.ml 20170521
Rising Malware.Generic.1!tfe (cloud:SbVsRCxTH6D) 20170518
Sophos Mal/Kovter-Z 20170521

2017-05-21 15:36:29.671893 IP 192.168.1.102.55249 > 23.229.155.136.80: Flags [P.], seq 0:424, ack 1, win 256, length 424: HTTP: GET /counter/?2 HTTP/1.1
E…!.@…a….f…….P.C7=    ECoP…#k..GET /counter/?2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bestmerchantservicesforsmallbusiness.com
Connection: Keep-Alive

2017-05-21 15:37:31.238059 IP 192.168.1.102.55251 > 185.117.72.90.80: Flags [S], seq 2837707080, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4    .@…-….f.uHZ…P.#.H…… ……………..
2017-05-21 15:37:34.224091 IP 192.168.1.102.55252 > 141.248.34.5.443: Flags [S], seq 1227616878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4zR@….f…f..”…..I+.n…… ……………..
2017-05-21 15:37:34.227248 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..46.@….#…f.iC1….T..p…… ……………..
2017-05-21 15:37:34.230207 IP 192.168.1.102.55254 > 16.166.39.110.8080: Flags [S], seq 4223820476, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4m.@……..f..’n……b……. ……………..
2017-05-21 15:37:34.247948 IP 192.168.1.102.55251 > 185.117.72.90.80: Flags [S], seq 2837707080, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4    .@…-….f.uHZ…P.#.H…… ……………..
2017-05-21 15:37:34.780545 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..46.@….”…f.iC1….T..p…… ……………..
2017-05-21 15:37:35.239945 IP 192.168.1.102.55255 > 29.247.203.53.80: Flags [S], seq 3355099844, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4T.@……..f…5…P………. .@……………
2017-05-21 15:37:35.335213 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..06.@….%…f.iC1….T..p….p. ………….
2017-05-21 15:37:36.254690 IP 192.168.1.102.55256 > 16.130.105.167.8080: Flags [S], seq 1058759659, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4vO@…H=…f..i…..?.c……. .xi…………..
2017-05-21 15:37:36.254903 IP 192.168.1.102.55257 > 128.160.248.217.443: Flags [S], seq 2094384569, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4w.@…G….f……..|……… ..c…………..
2017-05-21 15:37:36.255195 IP 192.168.1.102.55258 > 28.91.165.166.443: Flags [S], seq 2719160934, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…a….f.[………f…… .4……………
2017-05-21 15:37:37.224536 IP 192.168.1.102.55254 > 16.166.39.110.8080: Flags [S], seq 4223820476, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4m.@……..f..’n……b……. ……………..
2017-05-21 15:37:37.224540 IP 192.168.1.102.55252 > 141.248.34.5.443: Flags [S], seq 1227616878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4zS@….e…f..”…..I+.n…… ……………..
2017-05-21 15:37:37.275478 IP 192.168.1.102.55259 > 16.204.83.197.80: Flags [S], seq 3289887950, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4Q.@….1…f..S….P………. ..^…………..
2017-05-21 15:37:38.242770 IP 192.168.1.102.55255 > 29.247.203.53.80: Flags [S], seq 3355099844, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4T.@……..f…5…P………. .@……………
2017-05-21 15:37:38.291401 IP 192.168.1.102.55260 > 22.97.216.31.80: Flags [S], seq 3048081186, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4/.@….6…f.a…..P…”…… .    ……………
2017-05-21 15:37:38.291563 IP 192.168.1.102.55261 > 145.18.62.158.80: Flags [S], seq 426492113, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4y.@….b…f..>….P.k…….. .
……………

2017-05-21 15:38:12.272610 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 0:104, ack 1, win 259, length 104
E…..@….N…f……….\i …P………..c…_..Y!.-……5.f.ooA..Js…XX………./.5…
…..   .
.2.8…………………..
…………..
2017-05-21 15:38:12.414263 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 104:430, ack 1139, win 254, length 326
E..n..@….o…f……….\. …P…N…………..1    .g3.Zz……!I..6x……J…-EM.s…..5 .\…..Q..x…j..B 7…G..j^…RA…..i._……1~.C……..2………7l…..)`…p..K..t.]..0b..!K..’…….b.M..F=.g.gH…z.G….F………%…..mfa…..v4….,…^
F.:w…..!………g)…Q.q……}.ik(.^..M..@.p……….0″….].g.@j.@<e.l..!…….@^..Gs..5…bh…W…
2017-05-21 15:38:12.700944 IP 192.168.1.102.55308 > 28.10.200.47.443: Flags [S], seq 3893142143, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0XA@….>…f.
./…………p. .X………..
2017-05-21 15:38:12.779069 IP 192.168.1.102.55318 > 166.63.215.234.80: Flags [S], seq 1675985573, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4″f@….%…f.?…..Pc……… .O……………
2017-05-21 15:38:12.818964 IP 192.168.1.102.55324 > 167.115.254.152.443: Flags [S], seq 3753361591, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4Bb@…PG…f.s……………. .l……………
2017-05-21 15:38:13.005762 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 430:1235, ack 1198, win 254, length 805
E..M..@……..f……….^. …P…o……. ..&?..Au/Cv..dCl………)6..Lz….Oi.>s\Q…$t .=….8y\…Y-.i….`|.l.n…..<*.Z%.1l..Ch.`……!..M…\ld.Z.o…w..j.U]…R.qv..0…/N….>67LlX.}.u……..).H..P………\&5..9.     D…F.0g..J……c..GlJJe.#…P…      iV,…f.>.!………R..=….~\b.j..6…\..%.n.  ..<b>.. ..;….8k..o…@….n…. ……….O..*m…..bx..      ..\D2Y*.F{….O…X……vt.#   [.. ..e._=.’x[.\.s.^.L.O…..Nj.I.q7..B.<……sY….3…
._…..b79v..i….H%..W.’..].b.>…….H.[5.BZ…2&…….*.~…….!.#.V..;…..#….t.g.8.a…..E.R…n..vl….,      .j…y..XUM..C.
i.y……….?G).a.I.f{……….[../.b.|…Z…..      .W….].&2…tc.4…..>.].      G#..0……[..H/t….)l.<.O0.).Y.SI.uIb..h.^……`…i.`..g..2……..n|p.-D.~W..iT.f…..
…_^.F……..[.?….T….b..7.,.rZ…*..&.z..QW.e..X……………ql.;.Q………..(
2017-05-21 15:38:13.103055 IP 192.168.1.102.55325 > 198.120.50.214.443: Flags [S], seq 409341821, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..45.@…      ….f.x2……f.}…… ……………..
2017-05-21 15:38:13.144853 IP 192.168.1.102.55326 > 189.234.189.135.80: Flags [S], seq 2611961602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@……..f…….P.._……. .>o…………..
2017-05-21 15:38:13.202263 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [.], ack 1539, win 259, length 0
E..(..@……..f……….a< …P………….
2017-05-21 15:38:13.703584 IP 192.168.1.102.55311 > 190.179.116.119.443: Flags [S], seq 129923969, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0Wm@….!…f..tw……{…..p. ………….
2017-05-21 15:38:13.703588 IP 192.168.1.102.55310 > 15.156.160.65.443: Flags [S], seq 450044293, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0Y.@……..f…A……!…..p. ………….
2017-05-21 15:38:13.703590 IP 192.168.1.102.55309 > 28.96.166.183.443: Flags [S], seq 3646307926, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0z.@……..f.`…….V>V….p. ………….
2017-05-21 15:38:13.803820 IP 192.168.1.102.55320 > 116.37.169.233.80: Flags [S], seq 1321981924, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@……..ft%…..PN……… .o……………