Purple Fox Exploit Kit EK Fileless Malware PCAP Download Traffic Sample

2019-12-05 15:20:54.943651 IP 192.168.1.145.56441 > 18.214.175.230.80: Flags [P.], seq 1:328, ack 1, win 258, length 327: HTTP: GET /go/230299/477450 HTTP/1.1E..o..@…b4………y.PbgP.JC:.P….e..GET /go/230299/477450 HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ps.popcash.netConnection: Keep-AliveCookie: __cfduid=d41395b56de571502f14a5704988a2fdb1575573653 2019-12-05 15:20:54.944386 IP 192.168.1.145.56442 > 18.214.175.230.80: Flags [.], ack 1, win 258, length 0E..(..@…cz………z.P.T….”.P…C………2019-12-05 15:20:55.250974 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [.], ack 328, win 237, length 0E..(^.@.?.U……….P.yJC:.bgR5P…….2019-12-05 15:20:55.763441 IP 18.214.175.230.80 > 192.168.1.145.56441: Flags [P.], seq 1:479, ack 328, win 237, length 478: HTTP: HTTP/1.1 200 OKE…^.@.?.S4………P.yJC:.bgR5P…….HTTP/1.1 200 OKDate: Thu, 05 Dec 2019 19:20:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveServer: nginxVary: Accept-EncodingContent-Encoding: gzip […]

Penetration Testing Red Team Reverse Shell Cheat Sheet

If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former. Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared. The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you use […]

Lokibot IOC Feed InfoStealer Trojan malware PCAP file download traffic sample

Latest indicators of compromise from our Lokibot IOC feed. Lokibot is an information-stealing (infostealer) trojan targeting users worldwide. It was designed for the primary purpose of perpetrating fraud and identity theft. Lokibot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Type: Stealer
Origin: ex-USSR territory
First seen: 3 May, 2015
Last seen: 11 February, 2020
Also known as: Loki, LokiPWS

2020-02-11 00:44:29.440705 IP 192.168.86.25.57639 > 107.189.10.150.80: Flags [P.], seq 1:517, ack 1, win 16450, length 516: HTTP: GET /E/3609779.exe HTTP/1.1 E..,+.@…@…V.k. ..’.P…./.”.P.@BlZ..GET /E/3609779.exe HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, […]

Zenpak Trojan Malware PCAP File Download Traffic Sample myehterwallet.top

Date added (UTC)    | Malware URL                           | Status  | Tags | Reporter
2020-02-08 16:42:22 | http://45.141.86.18/files/dzjitNh.exe | Online  | exe  | @abuse_ch
2020-02-08 16:42:18 | http://45.141.86.18/files/QWwiylX.exe | Offline | exe  | @abuse_ch
2020-02-08 16:42:12 | http://45.141.86.18/files/KplagwO.exe | Offline | exe  | @abuse_ch
2020-02-08 16:42:03 | http://45.141.86.18/files/IDRHHqr.exe | Online  | exe  | @abuse_ch

What can the Trojan.Win32.Zenpak.usq virus do?

- Executable code extraction
- Attempts to connect to a dead IP:Port (1 unique times)
- Creates RWX memory
- Expresses interest in specific running processes
- A process created a hidden window
- HTTP traffic contains suspicious features which may be indicative of malware related traffic
- Performs some HTTP requests
- Unconventional language used in binary resources: Sindhi
- The binary likely contains encrypted or compressed data.
- Uses Windows utilities for basic functionality […]

Themida Malware Trojan PCAP File Download Traffic Sample

Engine              | Detection
Acronis             | Suspicious
Ad-Aware            | Trojan.GenericKD.33042201
AegisLab            | Trojan.Win32.Stralo.a!c
Alibaba             | Packed:Win32/Themida.9b7a1eb0
ALYac               | Trojan.GenericKD.33042201
SecureAge APEX      | Malicious
Arcabit             | Trojan.Generic.D1F82F19
Avast               | Win32:Trojan-gen
AVG                 | Win32:Trojan-gen
Avira (no cloud)    | HEUR/AGEN.1038489
BitDefender         | Trojan.GenericKD.33042201
CAT-QuickHeal       | Trojandownloader.Stralo
CrowdStrike Falcon  | Win/malicious_confidence_100% (W)
Cybereason          | Malicious.45a019
Cylance             | Unsafe
Cyren               | W32/Trojan.KCYB-5076

2020-02-08 20:29:34.973179 IP 192.168.86.25.56270 > 47.74.39.61.80: Flags [P.], seq 926682144:926682556, ack 616271298, win 16425, length 412: HTTP: GET /download.php?file=marg.exe HTTP/1.1 E…..@…….V./J’=…P7<. $…P.@).<..GET /download.php?file=marg.exe HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, / Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) Accept-Encoding: gzip, deflate Host: load003.info Connection: Keep-Alive 2020-02-08 20:29:35.825646 IP […]