Raccoon Stealer infection Malware svchost.exe

This is the latest sample of Raccoon, an info-stealer sold as Malware-as-a-Service: a subscription costs $200 per month. Raccoon has already infected over 100,000 devices and became one of the most mentioned malware families on underground forums in 2019. The malware base64-encodes the check-in data of each infected host, as you can see in the packets below; decoded, it looks like this:

echo "Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=" | base64 -d
bot_id=D50171F3-B1FD-41C9-AFBF-3DD2F72C90B7_ry4wn&config_id=2141da92b4ad3ac837e01675ce3a1681885395e0&data=null

2020-05-09 02:34:34.532063 IP > Flags [P.], seq 1:398, ack 1, win 16425, […]

Purple Fox Exploit Kit EK Fileless Malware PCAP Download Traffic Sample

2019-12-05 15:20:54.943651 IP > Flags [P.], seq 1:328, ack 1, win 258, length 327: HTTP: GET /go/230299/477450 HTTP/1.1
GET /go/230299/477450 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ps.popcash.net
Connection: Keep-Alive
Cookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653

2019-12-05 15:20:54.944386 IP > Flags [.], ack 1, win 258, length 0
2019-12-05 15:20:55.250974 IP > Flags [.], ack 328, win 237, length 0
2019-12-05 15:20:55.763441 IP > Flags [P.], seq 1:479, ack 328, win 237, length 478: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 05 Dec 2019 19:20:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
Content-Encoding: gzip […]

Penetration Testing Red Team Reverse Shell Cheat Sheet

If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former. Your options for creating a reverse shell are limited by the scripting languages installed on the target system, though you could probably upload a binary program too if you’re suitably well prepared. The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you use […]

Lokibot IOC Feed InfoStealer Trojan malware PCAP file download traffic sample

Latest indicators of compromise from our Lokibot IOC feed. Lokibot is an information-stealing (infostealer) trojan targeting users worldwide. It was designed for the primary purpose of perpetrating fraud and identity theft. Lokibot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Type: Stealer
Origin: ex-USSR territory
First seen: 3 May, 2015
Last seen: 11 February, 2020
Also known as: Loki, LokiPWS

2020-02-11 00:44:29.440705 IP > Flags [P.], seq 1:517, ack 1, win 16450, length 516: HTTP: GET /E/3609779.exe HTTP/1.1
GET /E/3609779.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, […]

Zenpak Trojan Malware PCAP File Download Traffic Sample myehterwallet.top

Date added (UTC)      Malware URL    Status    Tags    Reporter
2020-02-08 16:42:22                  Online    exe     @abuse_ch
2020-02-08 16:42:18                  Offline   exe     @abuse_ch
2020-02-08 16:42:12                  Offline   exe     @abuse_ch
2020-02-08 16:42:03                  Online    exe     @abuse_ch

What can the Trojan.Win32.Zenpak.usq virus do?

Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
Creates RWX memory
Expresses interest in specific running processes
A process created a hidden window
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
Unconventional language used in binary resources: Sindhi
The binary likely contains encrypted or compressed data.
Uses Windows utilities for basic functionality […]