Malware Dropper tldrbox.top Loads Crypto Currency Miner PCAP Download Traffic Sample

2020-04-13 00:28:49.420813 IP 192.168.86.25.52831 > 93.126.60.109.80: Flags [P.], seq 1:391, ack 1, win 16500, length 390: HTTP: GET /2.exe HTTP/1.1
E…]R@….J..V.]~<m._.P+…80..P.@t….GET /2.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: tldrbox.top
Connection: Keep-Alive

2020-04-13 00:28:49.623505 IP 93.126.60.109.80 > 192.168.86.25.52831: Flags [.], ack 391, win 237, length 0
E..(..@.-..A]~ 192.168.86.25.52831: Flags [.], seq 1:1201, ack 391, win 237, length 1200: HTTP: HTTP/1.1 200 OK
E…..@.-…]~<m..V..P._80..+…P… T..HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 13 Apr 2020 04:29:15 GMT
Content-Type: application/octet-stream
Content-Length: 556032
Last-Modified: Wed, 08 Apr 2020 02:44:48 GMT
Connection: keep-alive
ETag: […]

Fallout Exploit Kit Raccoon Stealer CVE-2018-4878 CVE-2018-15982 CVE-2018-8174 Raccoon Stealer Malware PCAP Download Traffic Sample

Fallout Exploit Kit is back and targeting the following CVEs as of 4-8-2020:

Vulnerabilities: CVE-2018-4878, CVE-2018-15982, CVE-2018-8174

Fallout has been observed in the wild delivering the following malware payloads: Ransomware Stop – Ransomware GandCrab 5 – Ransomware Kraken Cryptor – Ransomware GandCrab – Ransomware Maze – Ransomware Fake Globe – Ransomware Minotaur – Ransomware Matrix – Ransomware Sodinokibi – Ransomware Raccoon Stealer –

This sample (also known as Legion, Mohazo, and Racealer) is a high-risk trojan-type application that stealthily infiltrates the system and collects personal information. Having this trojan installed on your computer might lead to various issues.

2020-02-24 19:34:02.651895 IP […]

Spelevo Exploit Kit EK Serves up Gozi Malware PCAP file download traffic sample

2020-02-19 19:23:32.510874 IP 192.168.4.239.49481 > 3.226.77.126.80: Flags [P.], seq 1:259, ack 1, win 258, length 258: HTTP: GET /go/141657/437555 HTTP/1.1
E..*”.@………..M~.I.P….U.$.P….e..GET /go/141657/437555 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-19 19:23:32.511531 IP 192.168.4.239.49482 > 3.226.77.126.80: Flags [.], ack 1, win 258, length 0
E..(“.@………..M~.J.P]L.$CG..P………….
2020-02-19 19:23:32.754783 IP 3.226.77.126.80 > 192.168.4.239.49481: Flags [.], ack 259, win 237, length 0
E..(..@.?.…M~…..P.IU.$…..P….%..
2020-02-19 19:23:33.299047 IP 3.226.77.126.80 > 192.168.4.239.49481: Flags [P.], seq 1:485, ack 259, win 237, length 484: HTTP: HTTP/1.1 200 OK
E…..@.?.(..M~…..P.IU.$…..P…….HTTP/1.1 200 OK
Date: Wed, 19 Feb 2020 23:23:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Content-Encoding: gzip
[…]

Underminer Exploit Kit EK Delivers Unknown shorico.club Malware Drop PCAP file Download Traffic Analysis

MALICIOUS:
Changes settings of System certificates: rundll32.exe (PID: 2164)
Connects to CnC server: rundll32.exe (PID: 2164)
Loads dropped or rewritten executable: regsvr32.exe (PID: 2852), regsvr32.exe (PID: 3052), regsvr32.exe (PID: 1660)

2020-02-16 10:55:07.432210 IP 192.168.4.88.49367 > 35.168.149.183.80: Flags [P.], seq 1:259, ack 1, win 258, length 258: HTTP: GET /go/255951/527805 HTTP/1.1
E..*..@…k….X#……P..hzS.;tP……GET /go/255951/527805 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive

2020-02-16 10:55:07.432941 IP 192.168.4.88.49368 > 35.168.149.183.80: Flags [.], ack 1, win 258, length 0
E..(..@…l….X#……P.SY8..u.P………….
2020-02-16 10:55:07.632809 IP 35.168.149.183.80 > 192.168.4.88.49367: Flags [.], ack 259, win 237, length 0
E..(..@.?.7.#……X.P..S.;t..i|P…H…
2020-02-16 10:55:07.933694 IP 35.168.149.183.80 […]

Purple Fox Exploit Kit EK Fileless Malware PCAP Download Traffic Sample

2019-12-05 15:20:54.943651 IP 192.168.1.145.56441 > 18.214.175.230.80: Flags [P.], seq 1:328, ack 1, win 258, length 327: HTTP: GET /go/230299/477450 HTTP/1.1
E..o..@…b4………y.PbgP.JC:.P….e..GET /go/230299/477450 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive
Cookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653

2019-12-05 15:20:54.944386 IP 192.168.1.145.56442 > 18.214.175.230.80: Flags [.], ack 1, win 258, length 0
E..(..@…cz………z.P.T….”.P…C………
2019-12-05 15:20:55.250974 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [.], ack 328, win 237, length 0
E..(^.@.?.U……….P.yJC:.bgR5P…….
2019-12-05 15:20:55.763441 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [P.], seq 1:479, ack 328, win 237, length 478: HTTP: HTTP/1.1 200 OK
E…^.@.?.S4………P.yJC:.bgR5P…….HTTP/1.1 200 OK
Date: Thu, 05 Dec 2019 19:20:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Content-Encoding: gzip
[…]