Citadel/Kazy Malware Sample Loaded from us.exe qawsf1gy.bget.ru file.php PCAP file download

https://www.virustotal.com/cs/file/00f9c0fd7b6ab235bf07a4f1e235940e3e40938c5932a7283568f36d76df673b/analysis/
https://www.virustotal.com/cs/domain/qawsf1gy.bget.ru/information/
http://cybercrime-tracker.net/ccamdetail.php?hash=8a76acba63abcdb9cfc0a71e8c1358c74e8db83b

SPYWARE.CITADEL.ATMOS
Sample: 8a76acba63abcdb9cfc0a71e8c1358c74e8db83b
SHA256: 7331a96dbd2bec70027e259f1cbdaf5c7733b318da39812b22111f85ae730860
Request: Tayuya [2016/09/20 – 23:09:39]
Callback: qawsf1gy.bget.ru
Gate: http://qawsf1gy.bget.ru/file.php|file=us.xml

2016-09-20 10:29:07.228008 IP 192.168.1.102.59912 > 192.168.1.100.80: Flags [P.], seq 1:333, ack 1, win 256, length 332: HTTP: GET /captured/us.exe HTTP/1.1
E..t.d.........f...d...P..9..G..P...N<..GET /captured/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 10:29:07.228032 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], ack 333, win 237, length 0
E..(f.@.@.P&...d...f.P...G....;.P....5..
2016-09-20 10:29:07.228202 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], seq 1:2921, ack 333, win 237, length 2920: HTTP: HTTP/1.1 […]

Sunnyday.exe prof.youandmeandmeandyouhihi.com sun21-SunnyDay21 Adware/PUP PCAP file download

https://www.virustotal.com/cs/file/735d2f25819f9fac7d227df01dc76fc851f5719befdf05cec6cb3d4f3dedea16/analysis/

2016-09-20 10:18:21.400542 IP 192.168.1.102.59888 > 192.168.1.100.80: Flags [P.], seq 1:339, ack 1, win 256, length 338: HTTP: GET /captured/sunnyday.exe HTTP/1.1
E..z.......T...f...d...P.N.....yP.......GET /captured/sunnyday.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 10:18:21.400562 IP 192.168.1.100.80 > 192.168.1.102.59888: Flags [.], ack 339, win 237, length 0

—

Installer command-line switches:
/GROUP="folder name" Overrides the default folder name.
/NOICONS Instructs Setup to initially check the "Don't create a Start Menu folder" check box.
/TYPE=type name Overrides the default setup type.
/COMPONENTS="comma separated list of component […]

stub.exe Adware Loads Search Protect Adware PUP NSIS_Inetc PCAP file download

2016-09-20 07:16:07.938958 IP 192.168.1.102.59262 > 192.168.1.100.80: Flags [P.], seq 1:339, ack 1, win 256, length 338: HTTP: GET /captured/Stub.exe HTTP/1.1
E..zn.....Fh...f...d.~.P..%.`.^jP.......GET /captured/Stub.exe HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.100/captured/
Connection: keep-alive
2016-09-20 07:16:07.938976 IP 192.168.1.100.80 > 192.168.1.102.59262: Flags [.], ack 339, win 237, length 0
E..(..@.@......d...f.P.~`.^j..'.P....5..
2016-09-20 07:16:07.939147 IP 192.168.1.100.80 > 192.168.1.102.59262: Flags [.], seq 1:5841, ack 339, win 237, length 5840: HTTP: HTTP/1.1 200 OK
E.....@.@......d...f.P.~`.^j..'.P.......HTTP/1.1 200 OK
Date: Tue, 20 Sep 2016 11:16:07 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Tue, 20 Sep 2016 09:31:34 GMT
ETag: […]

Melonia.exe Loads Unknown Malware PUP Adware PCAP file download

2016-09-20 03:03:53.070426 IP 192.168.1.102.58496 > 192.168.1.100.80: Flags [P.], seq 1:340, ack 1, win 256, length 339: HTTP: GET /malware/melonia.exe HTTP/1.1
E..{e.....Og...f...d...P.... .M.P.......GET /malware/melonia.exe HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.100/malware/
Connection: keep-alive
2016-09-20 03:06:01.770587 IP 192.168.1.102.58520 > 177.158.22.159.80: Flags [P.], seq 0:161, ack 1, win 260, length 161: HTTP: GET /start.htm HTTP/1.1
E...%......B...f.......P.o...r.'P...^...GET /start.htm HTTP/1.1
Host: 177.158.22.159
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0

Inst1.exe Trojan Downloader Loads 90.exe Unknown Malware PCAP file download

2016-09-20 09:02:11.821468 IP 192.168.1.102.59656 > 192.168.1.100.80: Flags [P.], seq 1:336, ack 1, win 256, length 335: HTTP: GET /captured/inst1.exe HTTP/1.1
E..w.[.........f...d...P#7....U.P.......GET /captured/inst1.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 09:02:11.821487 IP 192.168.1.100.80 > 192.168.1.102.59656: Flags [.], ack 336, win 237, length 0

—

E..(.,....LH...f]....&..z..*/..;P... .........
2016-09-20 09:03:55.606661 IP 192.168.1.102.59686 > 93.171.202.162.443: Flags [.], ack 549660, win 2268, length 0
E..(.-....LG...f]....&..z..*/..EP.............
2016-09-20 09:03:55.886564 IP 192.168.1.102.62247 > 75.75.75.75.53: 40557+ A? […]
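Every capture on this page has the same shape: the victim VM (192.168.1.102) fetches the sample from the lab web server (192.168.1.100), and the sample then talks to its own infrastructure. The Python script below is an added example, not code from this site, that parses tcpdump -A text in the form excerpted above and pulls out the three things worth looking at first in each PCAP: executable downloads, requests to non-private addresses, and a User-Agent string that changes after the download. The Melonia capture shows why the last check matters: Firefox/47.0 on Windows NT 5.1 fetches the sample, then a hard-coded Firefox/22.0 Win64 string talks to 177.158.22.159. The SAMPLE text inside the script is constructed from the Melonia and Inst1 excerpts; the function and class names are the example's own.

```python
"""Triage the HTTP side of a tcpdump -A capture from a malware sandbox run.

Added example (not this site's code): parses the text form of the captures
excerpted above and flags executable downloads, callbacks to non-private
addresses, and User-Agent changes. SAMPLE and all names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# One tcpdump packet record starts at a line beginning with a timestamp and "IP ".
PACKET_SPLIT = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ IP )")
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
REQUEST = re.compile(r"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]")
HOST = re.compile(r"^Host: (?P<host>\S+)", re.M)
UA = re.compile(r"^User-Agent: (?P<ua>.+)$", re.M)


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    dport: int
    method: str
    path: str
    host: str
    user_agent: str


def parse_requests(capture: str) -> list[HttpRequest]:
    """Extract client HTTP requests; ACKs, server replies and non-HTTP segments are skipped."""
    requests: list[HttpRequest] = []
    for chunk in PACKET_SPLIT.split(capture):
        hdr = HEADER.match(chunk)
        req = REQUEST.search(chunk)  # tolerates the ASCII-dump junk before "GET"
        if not hdr or not req:
            continue
        host = HOST.search(chunk)
        ua = UA.search(chunk)
        requests.append(HttpRequest(
            ts=hdr["ts"], src=hdr["src"], dst=hdr["dst"], dport=int(hdr["dport"]),
            method=req["method"], path=req["path"],
            host=host["host"] if host else hdr["dst"],  # fall back to the IP if no Host header
            user_agent=ua["ua"].strip() if ua else "",
        ))
    return requests


def triage(requests: list[HttpRequest]) -> list[str]:
    """Return one finding per indicator, in capture order."""
    findings: list[str] = []
    first_ua: dict[str, str] = {}  # first User-Agent seen from each client IP
    for r in requests:
        if r.path.lower().endswith((".exe", ".dll", ".scr")):
            findings.append(f"{r.ts} {r.src} downloaded executable {r.path} from {r.host}")
        if not ip_address(r.dst).is_private:
            findings.append(f"{r.ts} {r.src} -> external {r.host} ({r.dst}:{r.dport}) {r.method} {r.path}")
        baseline = first_ua.setdefault(r.src, r.user_agent)
        if r.user_agent and r.user_agent != baseline:
            findings.append(f"{r.ts} {r.src} switched User-Agent to {r.user_agent!r}")
    return findings


# Constructed sample: the two Melonia requests and one Inst1 ACK from the excerpts above.
SAMPLE = """\
2016-09-20 03:03:53.070426 IP 192.168.1.102.58496 > 192.168.1.100.80: Flags [P.], seq 1:340, ack 1, win 256, length 339: HTTP: GET /malware/melonia.exe HTTP/1.1
E..{e.....Og...f...d...P.... .M.P.......GET /malware/melonia.exe HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://192.168.1.100/malware/
Connection: keep-alive
2016-09-20 09:03:55.606661 IP 192.168.1.102.59686 > 93.171.202.162.443: Flags [.], ack 549660, win 2268, length 0
E..(.-....LG...f]....&..z..*/..EP.............
2016-09-20 03:06:01.770587 IP 192.168.1.102.58520 > 177.158.22.159.80: Flags [P.], seq 0:161, ack 1, win 260, length 161: HTTP: GET /start.htm HTTP/1.1
E...%......B...f.......P.o...r.'P...^...GET /start.htm HTTP/1.1
Host: 177.158.22.159
Content-Length: 164
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
"""

if __name__ == "__main__":
    for line in triage(parse_requests(SAMPLE)):
        print(line)
```

Run it against `tcpdump -A -r sample.pcap` output (pipe the text in place of SAMPLE) and the three findings come out in order: the .exe download, the external request to 177.158.22.159, and the User-Agent switch. The TLS connection to 93.171.202.162:443 in the Inst1 capture produces no HTTP request line and is correctly skipped; for that one you need the TCP/DNS side (the 75.75.75.75 A? query that follows it), which this parser deliberately leaves alone.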