RuKometa/LoadMoney/Mupad Browser Hijacker Trojan Malware PCAP File download traffic sample start_page.exe

SHA256: 2030f0f9fa95e6e824d12664b48344c6e4fd58e607c96e6300c88a8292d1f743
File name: start_page.exe
Detection ratio: 44 / 56
Antivirus Result Update
ALYac Trojan.GenericKD.3282138 20170116
AVG Generic38.TUP 20170116
AVware Trojan.Win32.Generic!BT 20170116
Ad-Aware Trojan.GenericKD.3282138 20170116
AegisLab Adware.W32.Extbro!c 20170114
AhnLab-V3 Trojan/Win32.Mupad.C1469490 20170115
Arcabit Trojan.Generic.D3214DA 20170116
Avast Win32:Adware-gen [Adw] 20170116
Avira (no cloud) PUA/LoadMoney.fgl 20170115
BitDefender Trojan.GenericKD.3282138 20170116
CAT-QuickHeal Trojan.Mupad 20170114
ClamAV Win.Adware.Extbro-1 20170116
Comodo ApplicUnwnt.Win32.RuKometa.A 20170116
Cyren W32/S-6a0e4df5!Eldorado 20170116
DrWeb Trojan.LoadMoney.1452 20170116
ESET-NOD32 a variant of Win32/RuKometa.E potentially unwanted 20170115


2017-01-16 00:10:18.346622 IP 192.168.1.102.63320 > 193.238.152.147.80: Flags [P.], seq 0:308, ack 1, win 256, length 308: HTTP: GET /start_page.exe HTTP/1.1
E..\`.@…|….f…..X.P…..U..P…….GET /start_page.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: hldklshzunakfbm.airportcome.top
Connection: Keep-Alive

2017-01-16 00:11:03.997483 IP 192.168.1.102.64417 > 75.75.75.75.53: 63876+ A? g.azmagis.ru. (30)
E..:…….R…fKKKK…5.&……………g.azmagis.ru…..
2017-01-16 00:11:04.168379 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [S], seq 1745079406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4A.@……..f…4.Z.Ph..n…… ……………..
2017-01-16 00:11:04.273747 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [.], ack 3445242612, win 256, length 0
E..(A.@……..f…4.Z.Ph..o.Z:.P…E………
2017-01-16 00:11:04.274405 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [P.], seq 0:500, ack 1, win 256, length 500: HTTP: GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%23%93%13%56%83%56%26%33%33%83%03%33%43%03%23%03%26%43%83%73%63%46%03%13%36%46%63%16%73%63%73%13%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
E…A.@……..f…4.Z.Ph..o.Z:.P…H…GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%23%93%13%56%83%56%26%33%33%83%03%33%43%03%23%03%26%43%83%73%63%46%03%13%36%46%63%16%73%63%73%13%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: start_page 3.35
Host: g.azmagis.ru
Cache-Control: no-cache

users.conduit.com Adware Conduit Toolbar PCAP file download traffic analysis Dont_Tread_On_Me.exe

SHA256: abb930035034aa9550ca2b16673592b8a0605907084997e869f4f61f6cc9d9f9
File name: Dont_Tread_On_Me.exe
Detection ratio: 20 / 57
Analysis date: 2016-11-16 03:13:42 UTC
AegisLab W32.Adware.Conduit!c 20161116
Antiy-AVL RiskWare[WebToolbar]/Win32.Conduit.b 20161116
Arcabit PUP.Adware.WebToolbar.Conduit 20161116
Bkav W32.HfsAdware.C534 20161112
CAT-QuickHeal PUA.Conduitltd1.Gen 20161115
Cyren W32/Conduit.A.gen!Eldorado 20161116
DrWeb Adware.Conduit.37 20161116
ESET-NOD32 a variant of Win32/Toolbar.Conduit.AR potentially unwanted 20161116
F-Prot W32/Conduit.A.gen!Eldorado 20161116
Fortinet Riskware/Conduit 20161116
GData Win32.Adware.Conduit.B 20161116
Invincea virus.win32.sality.at 20161018
McAfee Artemis!C96E1F758391 20161116
McAfee-GW-Edition Artemis 20161116
NANO-Antivirus Riskware.Win32.Conduit.duufey 20161115
Panda PUP/Conduit.A 20161115
SUPERAntiSpyware PUP.ConduitToolbar/Variant 20161116
VIPRE Conduit (fs) 20161116
Yandex PUA.Toolbar.Conduit! 20161115
ALYac

2016-11-15 19:06:24.283075 IP 192.168.1.102.53369 > 67.195.61.46.80: Flags [P.], seq 0:334, ack 1, win 256, length 334: HTTP: GET /toolbar/Dont_Tread_On_Me.exe HTTP/1.1
E..v..@……..fC.=..y.P..^j….P…….GET /toolbar/Dont_Tread_On_Me.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dtom.com
Connection: Keep-Alive
Cookie: BX=bvfel3lc2n4h6&b=3&s=t4

2016-11-15 19:06:24.396794 IP 192.168.1.102.53369 > 67.195.61.46.80: Flags [.], ack 2921, win 256, length 0

E..({^@……..f.4…z.P.;.:.r..P….^……..
2016-11-15 19:06:29.801659 IP 192.168.1.102.53370 > 23.52.149.163.80: Flags [P.], seq 0:194, ack 1, win 256, length 194: HTTP: GET /CSC3-2004.crl HTTP/1.1
E…{_@……..f.4…z.P.;.:.r..P…3…GET /CSC3-2004.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: CSC3-2004-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-15 19:06:29.835350 IP 192.168.1.102.53370 > 23.52.149.163.80: Flags [.], ack 2921, win 256, length 0
E..({`@……..f.4…z.P.;…r.DP….4……..

{9…FP…}………
2016-11-15 19:07:00.260034 IP 192.168.1.102.53371 > 195.78.120.93.80: Flags [P.], seq 0:235, ack 1, win 64240, length 235: HTTP: GET /SetupFinish HTTP/1.1
E…l`@……..f.Nx].{.P.
{9…FP….R..GET /SetupFinish HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: donttreadonme.ourtoolbar.com
Connection: Keep-Alive

2016-11-15 19:07:00.269287 IP 192.168.1.102.53372 > 199.101.115.202.80: Flags [.], ack 693226368, win 64240, length 0
E..(ZA@….P…f.es..|.P.R..)Q..P…n………
2016-11-15 19:07:00.270030 IP 192.168.1.102.53372 > 199.101.115.202.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /iis2ebs.asp HTTP/1.1
E..}ZB@……..f.es..|.P.R..)Q..P…….POST /iis2ebs.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; CT1621844_4.5.185.3)
Accept: */*
Accept-Encoding: gzip, deflate
Host: users.conduit.com
Content-Length: 319
Connection: Keep-Alive
Cache-Control: no-cache


RAMNIT RAT Trojan Backdoor 66.198.24.243.443 world.taobao.com fget-career.com hhbqxgq.exe PCAP file download traffic C2

SHA256: 654295d26a5f030914a5342624d44358e822b9bfbabd188b602c506724d6e4f6
File name: hhbqxgq.exe
Detection ratio: 51 / 55
Analysis date: 2016-10-28 01:17:33 UTC
ALYac Win32.Ramnit 20161028
AVG Agent_r.AJA 20161028
AVware Trojan.Win32.Generic!BT 20161027
Ad-Aware Win32.Ramnit 20161028
AegisLab W32.Nimnul.a!c 20161027
AhnLab-V3 Win32/Ramnit.B 20161027
Antiy-AVL Virus/Win32.Nimnul.a 20161027
Arcabit Win32.Ramnit 20161028
Avast Win32:RmnDrp 20161027
Avira (no cloud) W32/Ramnit.A 20161027
Baidu Win32.Virus.Nimnul.a 20161027
BitDefender Win32.Ramnit 20161028
Bkav W32.RammitNNA.PE 20161027
CAT-QuickHeal W32.Ramnit.A 20161027
ClamAV Win.Trojan.Ramnit-1847 20161027
Comodo Virus.Win32.Ramnit.A 20161028
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20161024

2016-10-27 19:54:31.458114 IP 192.168.1.102.55840 > 175.6.5.125.80: Flags [P.], seq 0:289, ack 1, win 256, length 289: HTTP: GET /hhbqxgq.exe HTTP/1.1
E..Im.@…. …f…}. .P…     E       l1P….?..GET /hhbqxgq.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: wt8.52zsoft.com
Connection: Keep-Alive

2016-10-27 19:55:06.095117 IP 192.168.1.102.51598 > 75.75.75.75.53: 15147+ A? world.taobao.com. (34)
E..>(%………fKKKK…5.*..;+………..world.taobao.com…..
2016-10-27 19:55:06.141276 IP 192.168.1.102.55856 > 66.198.24.243.443: Flags [.], ack 4848, win 256, length 0
E..(*.@….@…fB….0….f
..O.P………….
2016-10-27 19:55:06.188302 IP 192.168.1.102.55856 > 66.198.24.243.443: Flags [.], ack 4848, win 256, options [nop,nop,sack 1 {4846:4847}], length 0
E..4*.@….3…fB….0….f
..O……W…..
..O…O.
2016-10-27 19:55:06.239455 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [S], seq 1404369026, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4*.@….2…fB….1..S……… .    %…………..
2016-10-27 19:55:06.879911 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 1349710297, win 256, length 0
E..(*.@….=…fB….1..S…Pr..P…&………
2016-10-27 19:55:07.202952 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [P.], seq 0:77, ack 1, win 256, length 77
E..u*.@……..fB….1..S…Pr..P…O[……H…D..X…..(.7…..6…>0…U .Q3{..t……..
.       .d.b………c………
2016-10-27 19:55:07.360973 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {4198:4199}], length 0
E..4*.@…./…fB….1..S…Pr……J……
Ps.>Ps.?
2016-10-27 19:55:07.513544 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 1, win 256, options [nop,nop,sack 2 {4198:4199}{4197:4199}], length 0
E..<*.@….&…fB….1..S…Pr…….a……Ps.>Ps.?Ps.=Ps.?
2016-10-27 19:55:07.564129 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 1461, win 256, options [nop,nop,sack 1 {4197:4199}], length 0
E..4*.@….-…fB….1..S…Pr……E!…..
Ps.=Ps.?
2016-10-27 19:55:07.623980 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 1461, win 256, options [nop,nop,sack 2 {4197:4199}{2921:4200}], length 0
E..<*.@….$…fB….1..S…Pr…………..Ps.=Ps.?Pr.APs.@
2016-10-27 19:55:07.723051 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 4200, win 256, length 0
E..(*.@….7…fB….1..S…Ps.@P………….
2016-10-27 19:55:07.724548 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [P.], seq 77:395, ack 4200, win 256, length 318
E..f*.@……..fB….1..S…Ps.@P………………,….Z;…-a…..!.y…      .Ii.c+.!’..f<.d.xcU……….   .2.w..RNU6;.n..C}I..”……._..s.5…\.i.;.>.   .<…#.Y.a.Y…%B.|0…….5…_.u.X+B…G…RD…m
.{+.9b?.;..A}.L..E.,n.       .)…..5..JY…….._.K-.”..)……]………….(..^.2Z.WvLY…*./Z…..%.R{.Q..j……….(…Q………Y..#.d..]D.A….K.^p.c../zP
2016-10-27 19:55:07.854706 IP 192.168.1.102.55850 > 205.204.101.182.443: Flags [.], ack 4678, win 64760, length 0
E..(..@….|…f..e..*……….P…1X……..
2016-10-27 19:55:08.033477 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [P.], seq 395:640, ack 4251, win 256, length 245
E…*.@….@…fB….1..S…Ps.sP…;C…….UP.K…..P_..m…F.^t.”..(I4.}7%…:…n).@……..U.u..68<:.!.Y….D^.q.$….D._I…..T:..M.g.Q….*..ay.#…;3.L..j.g…..9j*.(.f.Gs.3..U….L….@.:.9G.U0..O…H./
..A.+….Y}n.=…..8..^K….^……hiV….vF.%..*.=…%…{..%.TQ………
2016-10-27 19:55:08.092131 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 5680, win 256, options [nop,nop,sack 1 {7140:8600}], length 0
E..4*.@….(…fB….1..S…Ps………….
Ps..Ps.p
2016-10-27 19:55:08.121216 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [F.], seq 640, ack 5680, win 256, length 0
E..(*.@….3…fB….1..S…Ps..P………….
2016-10-27 19:55:08.170573 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 5680, win 256, options [nop,nop,sack 1 {7140:10060}], length 0
E..4*.@….&…fB….1..S…Ps………….
Ps..Ps.$
2016-10-27 19:55:08.171022 IP 192.168.1.102.55857 > 66.198.24.243.443: Flags [.], ack 5680, win 256, options [nop,nop,sack 1 {7140:11520}], length 0
E..4*.@….%…fB….1..S…Ps……
Z…..
Ps..Ps..

2016-10-27 19:55:10.755309 IP 192.168.1.102.51599 > 75.75.75.75.53: 15716+ A? fget-career.com. (33)
E..=(&………fKKKK…5.)..=d………..fget-career.com…..
2016-10-27 19:55:10.863607 IP 192.168.1.102.55858 > 89.185.44.

54.214.246.97 advance_pc_care_1.exe Malware Zusy Trojan Downloader PCAP file download Traffic Sample

2016-10-23 01:14:54.600825 IP 192.168.1.102.58864 > 193.238.153.90.80: Flags [P.], seq 0:307, ack 1, win 256, length 307: HTTP: GET /advance_pc_care_1.exe HTTP/1.1
E..[P.@……..f…Z…P …….P….e..GET /advance_pc_care_1.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: ehoshapha.48wwuved42.ru
Connection: Keep-Alive


E..(s.@……..f6..a…P….^.9.P…[………
2016-10-23 01:15:01.535263 IP 192.168.1.102.58867 > 54.214.246.97.80: Flags [P.], seq 0:189, ack 1, win 256, length 189: HTTP: POST /log/AdvancedPCCare_IC/install HTTP/1.1
E…t.@……..f6..a…P….^.9.P…+…POST /log/AdvancedPCCare_IC/install HTTP/1.1
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Host: 54.214.246.97
Connection: Keep-Alive
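
The Conduit and Zusy captures above show the pattern that repeats across these samples: a browser-looking GET for the .exe, then the installed component phoning home with a client that is not a browser (WinHttpClient posting a form to a bare-IP Host, or an MSIE User-Agent with a vendor token such as CT1621844_4.5.185.3 appended). The Microsoft-CryptoAPI fetch of CSC3-2004.crl in the Conduit capture is almost certainly Windows checking the revocation status of the installer's code-signing certificate, and it should not be flagged as suspicious client traffic. The triage script below is an added example written for this page, not code from the original post; the tag names and the SYSTEM_UA_PREFIXES allowlist are my own choices, and the sample request heads are copied from the captures on this page with bodies and some headers omitted.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Request heads copied from the captures on this page (bodies omitted).
SAMPLES = {
    "zusy_install": (
        "POST /log/AdvancedPCCare_IC/install HTTP/1.1\r\n"
        "Content-Length: 80\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "User-Agent: WinHttpClient\r\n"
        "Host: 54.214.246.97\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
    "conduit_post": (
        "POST /iis2ebs.asp HTTP/1.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; CT1621844_4.5.185.3)\r\n"
        "Host: users.conduit.com\r\n"
        "Content-Length: 319\r\n\r\n"
    ),
    "crl_fetch": (
        "GET /CSC3-2004.crl HTTP/1.1\r\n"
        "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\r\n"
        "Host: CSC3-2004-crl.verisign.com\r\n\r\n"
    ),
    "exe_download": (
        "GET /advance_pc_care_1.exe HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
        "Host: ehoshapha.48wwuved42.ru\r\n\r\n"
    ),
}

# Non-browser User-Agents that belong to OS components and are expected on a
# Windows host. CryptoAPI fetching a CRL is signature/revocation checking, not
# malware traffic. Extend this list for your own environment (assumed allowlist).
SYSTEM_UA_PREFIXES = ("Microsoft-CryptoAPI/",)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw: str) -> List[str]:
    """Return the indicator tags that fire on one request, in evaluation order."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0]
    ua = headers.get("user-agent", "")
    tags: List[str] = []

    # Host header is a bare IP: no DNS lookup, typical of hard-coded telemetry/C2.
    try:
        ipaddress.ip_address(host)
        tags.append("host-is-ip")
    except ValueError:
        pass

    # Custom client rather than a browser, unless it is a known OS component.
    if not ua.startswith("Mozilla/") and not ua.startswith(SYSTEM_UA_PREFIXES):
        tags.append("non-browser-ua")

    # Browser UA carrying an extra vendor token such as Conduit's CT<id>_<version>.
    if re.search(r"\bCT\d{5,}_\d+(?:\.\d+)+", ua):
        tags.append("conduit-ct-token")

    # Download of a Windows executable by name.
    if target.split("?", 1)[0].lower().endswith(".exe"):
        tags.append("exe-download")

    # Form-encoded POST from a custom client: the installer "phone home".
    if (method == "POST"
            and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and "non-browser-ua" in tags):
        tags.append("form-post-from-custom-client")
    return tags


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {', '.join(triage(raw)) or '-'}")
```

Run over the four heads this produces host-is-ip, non-browser-ua and form-post-from-custom-client for the Zusy install report, conduit-ct-token for the Conduit POST, exe-download for the installer fetch, and nothing for the CRL request. The allowlist is the part that needs care: without it every CryptoAPI, Windows Update and similar system fetch shows up as a custom client, and the signal drowns.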

BetOnline.ag Online Internet Poker PCAP Traffic Sample Analysis Snort Rule

How do you tell whether employees are spending work time on one of the most popular online poker sites open to US players? The poker client talks TLS on port 443, but the server name it asks for is sent in plaintext in the ClientHello (it is readable in the 387-byte packet below, just before the cipher list), so a single Snort content match is enough:

alert tcp $HOME_NET any -> [161.22.49.0/24] any (msg:"BetOnline Poker Detected"; content:"poker.betonline.ag"; tag:session,60,seconds; sid:20161019; rev:1;)

Two things to keep in mind when deploying it: the destination is pinned to the 161.22.49.0/24 block seen in this capture, so the rule goes quiet if the site moves, and the tag only records the HTTPS session that matched, not the client's separate game connection to 161.22.49.234:3401 that shows up further down in the capture.
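
What the content match above is really keying on is the server_name (SNI) extension of the TLS ClientHello, which TLS 1.2 clients send unencrypted. The parser below is an added example written for this page, not part of the original post or of any Snort component: it walks a ClientHello with every length field bounds-checked (a truncated or deliberately malformed payload returns None rather than raising), extracts the SNI, and matches it against a watchlist keyed the way the rule's msg is written. The ClientHello it runs on is constructed inside the block by build_client_hello; the capture's own packet bytes are not reproduced, so the cipher list and other extensions differ from the real client's.

```python
import struct
from typing import Optional

# Server names worth an alert, keyed the way the Snort rule's msg is written.
WATCHLIST = {"poker.betonline.ag": "BetOnline Poker Detected"}


def build_client_hello(server_name: str) -> bytes:
    """Constructed test vector: a minimal TLS 1.2 ClientHello with one SNI entry.

    Real clients send many more cipher suites and extensions; the parser below
    skips anything it does not understand, so it handles those just the same.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry           # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # type 0 = server_name
    body = (
        b"\x03\x03"                                     # client_version TLS 1.2
        + bytes(32)                                     # random (zeroed in the test vector)
        + b"\x00"                                       # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"    # two cipher suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, else None.

    Every length field is checked against the handshake boundary, so a truncated
    or hostile payload returns None instead of raising.
    """
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:            # handshake record, ClientHello
            return None
        end = 9 + int.from_bytes(payload[6:9], "big")          # end of the handshake message
        if end > len(payload):
            return None
        off = 9 + 2 + 32                                       # skip client_version and random
        off += 1 + payload[off]                                # skip session_id
        off += 2 + struct.unpack_from("!H", payload, off)[0]   # skip cipher_suites
        off += 1 + payload[off]                                # skip compression_methods
        if off + 2 > end:
            return None                                        # no extensions block at all
        ext_end = off + 2 + struct.unpack_from("!H", payload, off)[0]
        off += 2
        if ext_end > end:
            return None
        while off + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, off)
            off += 4
            if off + ext_len > ext_end:
                return None
            if ext_type == 0x0000:
                pos, stop = off + 2, off + ext_len              # skip ServerNameList length
                while pos + 3 <= stop:
                    name_type = payload[pos]
                    name_len = struct.unpack_from("!H", payload, pos + 1)[0]
                    pos += 3
                    if pos + name_len > stop:
                        return None
                    if name_type == 0:
                        return payload[pos:pos + name_len].decode("ascii")
                    pos += name_len
                return None
            off += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def check_client_hello(payload: bytes) -> Optional[str]:
    """Return the alert message if the ClientHello's SNI is on the watchlist."""
    name = extract_sni(payload)
    if name is None:
        return None
    name = name.lower().rstrip(".")
    for watched, message in WATCHLIST.items():
        if name == watched or name.endswith("." + watched):
            return message
    return None


if __name__ == "__main__":
    for host in ("poker.betonline.ag", "www.example.com"):
        hello = build_client_hello(host)
        print(f"{host:22} sni={extract_sni(hello)!r} alert={check_client_hello(hello)!r}")
```

Matching on the parsed SNI rather than on a raw byte string also catches subdomains and survives a move to a different address block, which is exactly where the /24 in the rule above is brittle.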


2016-10-19 17:59:40.731904 IP 192.168.1.102.61567 > 161.22.49.233.443: Flags [R.], seq 1, ack 1, win 0, length 0
E..(4.@…1….f..1………..I.P…<………
2016-10-19 17:59:40.732414 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [S], seq 1713469354, win 65535, options [mss 1460,nop,wscale 3,nop,nop,sackOK], length 0
E..44.@…1….f..1…..f!w………
……………
2016-10-19 17:59:40.824057 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 1826761741, win 32768, length 0
E..(4.@…1….f..1…..f!w.l.,.P…1………
2016-10-19 17:59:40.824462 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 0:387, ack 1, win 32768, length 387
E…4.@…/….f..1…..f!w.l.,.P….3……~…z..X……f…9.U..z”.No.h…9…?…8.,.+.0./…..$.#.(.’.
.       …..9.3…..=.<.5./.
.j.@.8.2……………poker.betonline.ag……….
…………………………………#…8….z.%u.+S..{      ..nZ………..?.C.E.{3..[…6…M..j.$.J.&.=..C…..A.i….i……gWH…}…r.]W…..c…\<EG.c.\2″.L…….~..@…?…(..BYV.=…..   z…..j…4.%…..B…z..`.N….=..X..}………..
2016-10-19 17:59:40.904881 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 110, win 32754, length 0
E..(4.@…1….f..1…..f!y.l.,zP…/………
2016-10-19 17:59:40.905663 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 387:438, ack 110, win 32754, length 51
E..[4.@…0….f..1…..f!y.l.,zP….i…………(………/……..Z.!.ZiS..A.<…v..c.=.
2016-10-19 17:59:40.906039 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [P.], seq 438:1225, ack 110, win 32754, length 787
E..;4.@……..f..1…..f!yal.,zP…t………………..c..&…..O…….1{…_ .h^t.Z.4o.V……….&~.$J…~.JK\.).Y.3bf..35O9y.$…….. ….D>a>y.^;5.Q……|……L….Q#..!.E..5Mx.q{RH….V..m..=;.U..~….Nm……|5#t.kt……&G
33@E.m…`….W`….nY.D….s..R.t…:|.7.f…W62…(…………..z
{……yM.N..@x.)A.T..B..$e………Y. ….i.G..K}v…o……oS…..j……..A…..koF”,…3..s.Z….4X.m2…1…..nD…ry|L.b…………….K…QX.w…V.
.DV/#^.^..8.\..Q.Q.,..Ded..!……….x..k….l…n..d………..M..}….q.c.]]…~+6..i..@./V;…@.{…3Z .4n…..|..l…^/.WbdFTY……iP”r……….J.K.C..a..0.7……..H?……g…e….6..R@……`….&-.$.9.-B?..f?….@….R,….#…. …;.b.c..Y. ..w…..).|…iM/..I.MpA.=S`.vE\…..8P’T.Y……….L.97′.MV=.~..q…}……..Q.;@2..1.MLm.x.%.P…..q…..A.o..
2016-10-19 17:59:40.983329 IP 192.168.1.102.61568 > 161.22.49.233.443: Flags [.], ack 501, win 32705, length 0
E..(4.@…1….f..1…..f!|tl…P…+P……..
2016-10-19 17:59:41.829436 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [P.], seq 273:311, ack 13185, win 257, length 38
E..N..@…e….f..1….I……..P………..!7_…KxR..]P…….1.a)… ….a.
2016-10-19 17:59:41.877901 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13343, win 256, length 0
E..(..@…e….f..1….I……..P………….
2016-10-19 17:59:41.994327 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13385, win 256, length 0
E..(..@…e….f..1….I……..P………….
2016-10-19 17:59:42.875535 IP 192.168.1.102.61368 > 161.22.49.234.3401: Flags [.], ack 13575, win 255, length 0
E..(..@…e….f..1….I…….uP………….
2016-10-19 17:59:44.136712 IP 192.168.1.102.61379 > 161.22.49.234.3401: Flags [.], ack 3116, win 252, length 0