Zenpak Trojan Malware PCAP File Download Traffic Sample myehterwallet.top

Date added (UTC) | Malware URL | Status | Tags | Reporter
2020-02-08 16:42:22 | http://45.141.86.18/files/dzjitNh.exe | Online | exe | @abuse_ch
2020-02-08 16:42:18 | http://45.141.86.18/files/QWwiylX.exe | Offline | exe | @abuse_ch
2020-02-08 16:42:12 | http://45.141.86.18/files/KplagwO.exe | Offline | exe | @abuse_ch
2020-02-08 16:42:03 | http://45.141.86.18/files/IDRHHqr.exe | Online | exe | @abuse_ch

What can the Trojan.Win32.Zenpak.usq virus do?
- Executable code extraction
- Attempts to connect to a dead IP:Port (1 unique times)
- Creates RWX memory
- Expresses interest in specific running processes
- A process created a hidden window
- HTTP traffic contains suspicious features which may be indicative of malware related traffic
- Performs some HTTP requests
- Unconventional language used in binary resources: Sindhi
- The binary likely contains encrypted or compressed data.
- Uses Windows utilities for basic functionality
[…]

Themida Malware Trojan PCAP File Download Traffic Sample

Acronis: Suspicious
Ad-Aware: Trojan.GenericKD.33042201
AegisLab: Trojan.Win32.Stralo.a!c
Alibaba: Packed:Win32/Themida.9b7a1eb0
ALYac: Trojan.GenericKD.33042201
SecureAge APEX: Malicious
Arcabit: Trojan.Generic.D1F82F19
Avast: Win32:Trojan-gen
AVG: Win32:Trojan-gen
Avira (no cloud): HEUR/AGEN.1038489
BitDefender: Trojan.GenericKD.33042201
CAT-QuickHeal: Trojandownloader.Stralo
CrowdStrike Falcon: Win/malicious_confidence_100% (W)
Cybereason: Malicious.45a019
Cylance: Unsafe
Cyren: W32/Trojan.KCYB-5076

2020-02-08 20:29:34.973179 IP 192.168.86.25.56270 > 47.74.39.61.80: Flags [P.], seq 926682144:926682556, ack 616271298, win 16425, length 412: HTTP: GET /download.php?file=marg.exe HTTP/1.1
GET /download.php?file=marg.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive
2020-02-08 20:29:35.825646 IP […]

HawkEye AgentTesla Ransomware Keylogger Trojan Malware PCAP File Download Traffic Sample

AgentTesla/HawkEye

HawkEye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

2020-02-08 21:06:37.358933 IP 192.168.86.25.56314 > 103.21.59.28.80: Flags [P.], seq 943967658:943968182, ack 1690180958, win 16514, length 524: HTTP: GET /docs/document.exe HTTP/1.1
GET /docs/document.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=91939-
Unless-Modified-Since: Thu, 06 […]

Remcos RAT Trojan Malware PCAP File Download Traffic Sample

Remcos is a RAT-type malware, which means that attackers use it to perform actions on infected machines remotely. This malware is very actively kept up to date, with updates coming out almost every single month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 9 February, 2020

2020-02-08 21:12:20.981585 IP 192.168.86.25.56271 > 46.4.22.188.80: Flags [P.], seq 2260857165:2260857557, ack 24046668, win 16425, length 392: HTTP: GET /a/a.exe HTTP/1.1
GET /a/a.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: […]