PCAP Malware Traffic Sample Download Snort Rule Win.Trojan.Gamarue variant POST /panel1/gate.php

51 engines detected this file
SHA-256: 3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e
File name: AU.EXE
File size: 572.5 KB
Last analysis: 2017-11-29 21:23:27 UTC

Ad-Aware: Trojan.Crypt.Agent.BF
AegisLab: Gen.Variant.Razy!c
AhnLab-V3: Trojan/Win32.Locky.C2242537
ALYac: Trojan.Crypt.Agent.BF
Antiy-AVL: Trojan/Win32.TSGeneric
Arcabit: Trojan.Crypt.Agent.BF
Avast: Win32:Malware-gen
AVG: Win32:Malware-gen
Avira: TR/Crypt.Xpack.binkq
AVware: Trojan.Win32.Generic!BT
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
BitDefender: Trojan.Crypt.Agent.BF
CAT-QuickHeal: TrojanSpy.SpyEyes
Comodo: Backdoor.Win32.Poison.FYRG

References:
https://www.hybrid-analysis.com/sample/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e?environmentId=100
https://www.virustotal.com/#/file/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e/detection

Snort rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; sid:1234; rev:1;)

2017-11-29 19:34:59.673041 IP 192.168.1.102.50951 > 198.54.116.113.80: Flags [P.], seq 3095874245:3095874726, […]
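To make the rule's matching logic concrete, here is an added example (not code from this page or from the Snort project) that re-implements the rule's content checks in plain Python so a single captured request can be tested offline: the method must be POST, the URI string must appear in the raw request, the exact header sequence " HTTP/1.1\r\nCache-Control: no-cache\r\nConnection:" must appear in that order, and a "+" must sit within the first 15 bytes of the client body. The sample requests, including the Host value panel.example, are constructed for illustration; flow:to_server,established is assumed to have been checked by the caller.

```python
# Added example, not code from the page: the content checks of the Snort rule
# above re-implemented in plain Python so one captured HTTP request can be
# tested offline. The sample requests below are constructed for illustration.

URI_MARKER = b"panel1/gate.php"                 # content:"panel1/gate.php"
HEADER_MARKER = (b" HTTP/1.1\r\nCache-Control: no-cache\r\n"
                 b"Connection:")                # " HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"
BODY_MARKER = b"+"                              # content:"+"
BODY_DEPTH = 15                                 # depth:15; http_client_body


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Returns None when there is no request line or no blank line ending the
    headers, which is also what an IDS treats as 'not an HTTP request'."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def matches_gamarue_rule(raw: bytes) -> bool:
    """Return True when the request satisfies every content check of the rule.

    flow:to_server,established is assumed: the caller feeds client->server
    data from an established TCP session."""
    parsed = split_request(raw)
    if parsed is None:
        return False
    method, _target, _version, _headers, body = parsed
    if method != b"POST":                    # content:"POST"; http_method
        return False
    if URI_MARKER not in raw:                # raw-buffer match (no http_uri modifier in the rule)
        return False
    if HEADER_MARKER not in raw:             # fast_pattern:only header sequence, exact order
        return False
    return BODY_MARKER in body[:BODY_DEPTH]  # '+' inside the first 15 body bytes


# Constructed sample traffic (not from the capture on this page).
HIT = (b"POST /panel1/gate.php HTTP/1.1\r\n"
       b"Cache-Control: no-cache\r\n"
       b"Connection: Keep-Alive\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n"
       b"Host: panel.example\r\n"
       b"Content-Length: 19\r\n"
       b"\r\n"
       b"+abcdefghijklmnopqr")

# Same URI and body, but the header order differs, so the ordered header
# sequence the rule anchors on never occurs.
MISS_HEADER_ORDER = HIT.replace(
    b"Cache-Control: no-cache\r\nConnection: Keep-Alive",
    b"Connection: Keep-Alive\r\nCache-Control: no-cache")

# Same headers, but the '+' sits past the 15-byte depth window.
MISS_BODY_DEPTH = HIT.replace(b"+abcdefghijklmnopqr", b"abcdefghijklmno+qrs")


if __name__ == "__main__":
    for label, req in (("HIT", HIT), ("MISS_HEADER_ORDER", MISS_HEADER_ORDER),
                       ("MISS_BODY_DEPTH", MISS_BODY_DEPTH)):
        print(label, matches_gamarue_rule(req))
```

The two negative samples show why this rule is tight rather than loose: reordering two headers, or pushing the "+" one byte past the depth window, defeats it, which is the price of the low false-positive rate that lets the community ruleset ship it with policy security-ips drop.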

BETONLINE.AG poker betonline.ag PCAP file download Traffic Analysis Sample

Betonline.ag poker site pcap traffic sample

2017-09-25 15:49:10.187283 IP 192.168.1.102.57820 > 75.75.75.75.53: 27634+ A? poker.betonline.ag. (36)
2017-09-25 15:49:12.457700 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 1454268158:1454268182, ack 2127766518, win 32458, length 24
2017-09-25 15:49:12.589103 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 25, win 32452, length 0
2017-09-25 15:49:47.366759 IP 192.168.1.102.49487 > 75.75.75.75.53: 8606+ A? www.google-analytics.com. (42)
2017-09-25 15:49:49.584408 IP 192.168.1.102.52369 > 75.75.75.75.53: 10203+ A? poker.tigergaming.com. (39)
2017-09-25 15:49:49.615175 IP 192.168.1.102.52369 > 75.75.76.76.53: 10203+ A? poker.tigergaming.com. (39)
2017-09-25 15:50:07.611927 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 24:48, ack 25, win 32452, length 24 […]

Malware Trojan Downloader Dropper cubeupload.com PCAP file download traffic analysis

FILE 1
43 engines detected this file
SHA-256: b069e7d29889bcdcc61e7936ad4800d2563c8618135f40c50e4dbcdc9314f505
File name: gfD4vo.jpg
File size: 522.61 KB
Last analysis: 2017-09-25 22:14:16 UTC

FILE 2 – Dropper
23 engines detected this file
SHA-256: 214325a508b6354286f0ba47afdf998ea8c5b87012d6fac08ec0e7a996ac1999
File name: 2602033098198832.exe
File size: 266.49 KB
Last analysis: 2017-09-25 22:34:21 UTC
Community score: -11

2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
2017-09-25 16:39:29.812702 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [S], seq 1274466961, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:39:29.934339 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [.], ack 217614345, win 256, length 0
2017-09-25 16:39:30.010343 […]

Bor.uz Locky Ransomware Malware NO C2 Traffic Analysis PCAP file download

24 engines detected this file
SHA-256: 8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158
File name: YTkjdJH7w1.exe
File size: 591 KB
Last analysis: 2017-09-25 15:50:03 UTC

AegisLab: Ransom.Cerber.Smaly0!c
Avast: FileRepMalware
AVG: FileRepMalware
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
CrowdStrike Falcon: malicious_confidence_100% (W)
Cylance: Unsafe

2017-09-25 16:50:29.002420 IP 192.168.1.102.57680 > 75.75.75.75.53: 45408+ A? bor.uz. (24)
2017-09-25 16:50:29.529203 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [S], seq 2670765003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:50:29.719862 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [.], ack 1966844122, win 256, length 0
2017-09-25 16:50:29.731330 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [P.], seq 0:479, ack 1, win 256, length 479: HTTP: GET /YTkjdJH7w1 HTTP/1.1 […]

NEW LOCKY RANSOMWARE VARIANT g46mbrrzpfszonuk.onion NO C2 PCAP file download traffic analysis

49 engines detected this file
SHA-256: ce48b278f8b823c25b222a33027248299bff3cdc2a6bdb0fdceecb0922dd790a
File name: jhdsgvc74
File size: 653 KB
Last analysis: 2017-09-25 08:23:44 UTC
Community score: -78

ESET-NOD32: Win32/Filecoder.Locky.L
F-Secure: Trojan.RanSerKD.12397146
Fortinet: W32/Locky.FWSD!tr.ransom
GData: Trojan.RanSerKD.12397146
Ikarus: Trojan.Win32.Filecoder
K7AntiVirus: Trojan ( 0051497b1 )
K7GW: Trojan ( 0051497b1 )
Kaspersky: Trojan-Ransom.Win32.Locky.ztt

2017-09-25 17:50:32.217002 IP 192.168.1.102.58790 > 75.75.75.75.53: 46557+ A? ar-inversiones.com. (36)
2017-09-25 17:50:32.397644 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [S], seq 2979498304, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 17:50:32.546454 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [.], ack 2169675136, win 256, length 0
2017-09-25 17:50:32.556435 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [P.], seq 0:490, […]
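The cubeupload.com dropper, the bor.uz Locky sample and this ar-inversiones.com Locky sample all follow the same shape in the tcpdump output: a DNS A query, a SYN to port 80 of the answered host, then an HTTP GET for the payload. The following added example (my code, not from this page or any tool it mentions) parses tcpdump header lines like those into a timeline of DNS queries, SYNs and HTTP requests, extracts the domain/server/URI indicators, and pairs each SYN with the closest preceding DNS query from the same client. The pairing is a timing heuristic only: the excerpts on this page do not include the DNS answers, so name-to-IP links are inferred from order and a configurable window, not from the A records. The SAMPLE text is the packet header lines from the three entries above with the tcpdump -A payload dumps removed.

```python
# Added example, not from the page: parse tcpdump text output into a timeline
# of DNS lookups, TCP SYNs and HTTP requests, then pair SYNs with the nearest
# preceding DNS query from the same host (a timing heuristic, see lead-in).
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_RE = re.compile(r"^\d+\+? A\? (?P<name>\S+)\. \(\d+\)")
HTTP_RE = re.compile(r"HTTP: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]")

# Packet header lines copied from the three entries above (payload dumps
# stripped); the pure-ACK line is kept to show that non-events are ignored.
SAMPLE = """\
2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
2017-09-25 16:39:29.812702 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [S], seq 1274466961, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:50:29.002420 IP 192.168.1.102.57680 > 75.75.75.75.53: 45408+ A? bor.uz. (24)
2017-09-25 16:50:29.529203 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [S], seq 2670765003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-09-25 16:50:29.719862 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [.], ack 1966844122, win 256, length 0
2017-09-25 16:50:29.731330 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [P.], seq 0:479, ack 1, win 256, length 479: HTTP: GET /YTkjdJH7w1 HTTP/1.1
2017-09-25 17:50:32.217002 IP 192.168.1.102.58790 > 75.75.75.75.53: 46557+ A? ar-inversiones.com. (36)
2017-09-25 17:50:32.397644 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [S], seq 2979498304, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""


def parse_tcpdump(text):
    """Turn tcpdump header lines into a list of event dicts, in capture order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # payload dumps, truncation markers, etc.
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
              "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
        rest = m["rest"]
        dns = DNS_RE.match(rest)
        http = HTTP_RE.search(rest)
        if dns and ev["dport"] == 53:
            ev.update(kind="dns_query", name=dns["name"])
        elif rest.startswith("Flags [S],"):
            ev["kind"] = "syn"
        elif http:
            ev.update(kind="http_request", method=http["method"], uri=http["uri"])
        else:
            continue                      # pure ACKs, segments without a request line
        events.append(ev)
    return events


def pair_syns_with_dns(events, window_s=5.0):
    """For each SYN, return (dst_ip, dport, name) where name is the most recent
    DNS query from the same client within window_s seconds, else None.
    Heuristic: no DNS answers are parsed, so the link is inferred from timing."""
    pairs = []
    for i, ev in enumerate(events):
        if ev["kind"] != "syn":
            continue
        name = None
        for prev in reversed(events[:i]):
            if prev["kind"] == "dns_query" and prev["src"] == ev["src"]:
                if (ev["ts"] - prev["ts"]).total_seconds() <= window_s:
                    name = prev["name"]
                break
        pairs.append((ev["dst"], ev["dport"], name))
    return pairs


def iocs(events):
    """Collect the indicators a responder would block or hunt for."""
    return {
        "domains": sorted({e["name"] for e in events if e["kind"] == "dns_query"}),
        "servers": sorted({(e["dst"], e["dport"]) for e in events if e["kind"] == "syn"}),
        "uris": [(e["method"], e["uri"], e["dst"]) for e in events if e["kind"] == "http_request"],
    }


if __name__ == "__main__":
    evs = parse_tcpdump(SAMPLE)
    for ev in evs:
        print(ev["ts"].time(), ev["kind"], ev.get("name") or ev.get("uri") or ev["dst"])
    print(pair_syns_with_dns(evs))
    print(iocs(evs))
```

Tightening the window (for example window_s=0.1) drops the bor.uz and ar-inversiones.com pairings, which is the honest answer when the DNS reply is not in the capture: treat the pairing as a lead to confirm against the A record, not as an established fact.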