Remcos RAT Trojan Malware PCAP file download Traffic Sample

Remcos is a RAT (remote access trojan), which means that attackers use it to perform actions on infected machines remotely. The malware is very actively maintained, with updates released almost every month.

Type: Trojan
Origin: ex-USSR territory
First seen: 1 June, 2016
Last seen: 9 February, 2020

2020-02-08 21:12:20.981585 IP 192.168.86.25.56271 > 46.4.22.188.80: Flags [P.], seq 2260857165:2260857557, ack 24046668, win 16425, length 392: HTTP: GET /a/a.exe HTTP/1.1
GET /a/a.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: […]
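The payload fetches excerpted on this page (the Remcos GET /a/a.exe here and the TrickBot GET /RED3.exe further down) share one shape: a GET for a bare .exe carrying the Internet Explorer 8 User-Agent and the Accept list that IE and URLMon-based downloaders send by default. The following Python is an added example, not code from the original page or from either malware family; it parses request heads in that format and reports which indicators fire. The request texts are reconstructed from the page's excerpts; the Remcos Host header, which the excerpt cuts off, is assumed here to be the tcpdump destination address, and the benign request is constructed for contrast.

```python
"""Flag HTTP payload-download requests of the kind captured for Remcos and TrickBot.
Added example, not code from the page or the malware; request samples are
reconstructed from the page's excerpts, with cut-off headers marked as assumed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Default Accept list of Internet Explorer 8 / URLMon; downloaders built on
# URLDownloadToFile or WinINet inherit it, so on its own it is not malicious.
IE8_ACCEPT = ("image/jpeg, application/x-ms-application, image/gif, "
              "application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*")
LEGACY_IE_UA = re.compile(r"MSIE [5-8]\.\d.*Trident/4\.0")
PAYLOAD_EXT = (".exe", ".dll", ".scr")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # header names lower-cased


def parse_request(raw):
    """Parse a raw HTTP/1.x request head (CRLF or LF line endings)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def is_bare_ip(host):
    """True when the Host header is a literal IPv4 address (optionally :port), i.e. no DNS was used."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def indicators(req):
    """Return the indicator names that fire for one request; [] means nothing notable."""
    hits = []
    if req.method == "GET" and req.path.lower().endswith(PAYLOAD_EXT):
        hits.append("exe-download")
    if LEGACY_IE_UA.search(req.headers.get("user-agent", "")):
        hits.append("legacy-ie-ua")
    if "exe-download" in hits and req.headers.get("accept") == IE8_ACCEPT:
        hits.append("urlmon-style-exe-fetch")    # IE-default Accept on an .exe fetch
    if is_bare_ip(req.headers.get("host", "")):
        hits.append("bare-ip-host")
    return hits


# Reconstructed from the Remcos excerpt; everything after Accept-Encoding is cut
# off there, so the Host value is an assumption taken from the tcpdump destination.
REMCOS_REQ = (
    "GET /a/a.exe HTTP/1.1\r\n"
    "Accept: image/jpeg, application/x-ms-application, image/gif, "
    "application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"         # assumed: cut off in the excerpt
    "Host: 46.4.22.188\r\n"                      # assumed: destination IP of the flow
    "Connection: Keep-Alive\r\n\r\n"             # assumed
)
# Reconstructed from the TrickBot excerpt on this page.
TRICKBOT_REQ = (
    "GET /RED3.exe HTTP/1.1\r\n"
    "Accept: image/jpeg, application/x-ms-application, image/gif, "
    "application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: bbvaticanskeys.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: SERVERID104280=112034|XiBGX|XiBGX\r\n\r\n"
)
# Constructed benign request for contrast.
BENIGN_REQ = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "Accept: text/html,application/xhtml+xml\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("remcos", REMCOS_REQ), ("trickbot", TRICKBOT_REQ), ("benign", BENIGN_REQ)]:
        print(name, indicators(parse_request(raw)))
```

Neither the IE 8 User-Agent nor the Accept list is malicious by itself: legitimate software built on URLMon sends both. The combination that matters is that Accept list on a GET whose path ends in an executable extension, optionally to a bare IP, which is why the indicators are reported separately and scored by the caller rather than collapsed into a single verdict.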

Updated List of Emotet Banking Malware Trojan IP C2 Servers and Port Numbers

Emotet Peers (C2 addresses in ip:port form, as published; in this copy the separator between the third and fourth octet is missing from most entries, and several of them, for example 138.68.1064 or 77.27.22124, split into more than one valid address, so re-derive the list from the original source before loading it as indicators):

104.131.58132:8080 104.236.13772:8080 109.169.8613:8080 110.170.65146:80 111.125.7122:8080 112.218.134227:80 113.61.76239:80 116.48.138115:80 116.48.14832:80 118.36.70245:80 119.59.124163:8080 125.99.61162:7080 130.204.247253:80 138.68.1064:7080 139.162.11888:8080 14.160.93230:80 142.127.5763:8080 142.93.114137:8080 144.139.56105:80 144.217.117207:8080 149.62.173247:8080 151.237.36220:80 152.170.10899:443 159.203.204126:8080 163.172.40218:7080 165.228.19593:80 175.114.17883:443 178.79.163131:8080 181.198.20345:443 181.36.42205:443 181.61.143177:80 183.99.239141:80 185.160.2123:80 185.160.22926:80 185.86.148222:8080 186.15.8352:8080 186.68.48204:443 187.188.166192:8080 188.135.1549:80 188.216.24204:80 189.19.81181:443 190.100.153162:443 190.146.131105:8080 190.186.16423:80 190.195.129227:8090 190.210.184138:995 190.6.193152:8080 190.97.30167:990 191.103.7634:443 191.183.21190:80 192.241.14684:8080 2.139.158136:443 2.42.173240:80 2.44.16752:80 2.45.112134:80 200.119.11118:443 200.124.22532:80 200.58.83179:80 201.213.3259:80 203.130.069:80 203.25.1593:8080 207.154.20440:8080 212.237.5061:8080 212.71.237140:8080 217.199.160224:8080 219.75.66103:80 223.255.148134:80 37.120.185153:443 37.183.12132:80 37.187.663:8080 37.211.49127:80 45.50.177164:80 45.79.95107:443 45.8.136201:80 46.101.212195:8080 46.28.111142:7080 5.196.35138:7080 5.32.41106:80 5.88.2767:8080 50.28.51143:8080 51.255.165160:8080 58.171.3826:80 62.75.143100:7080 62.75.160178:8080 63.246.252234:80 63.248.1988:80 68.129.203162:443 68.174.15223:80 68.183.170114:8080 68.183.190199:8080 68.187.16028:443 69.163.3384:8080 72.29.55174:80 73.60.8210:80 74.59.18794:80 74.79.10355:80 77.27.22124:443 77.55.21177:8080 […]
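A peer list like this one should be validated entry by entry before it goes into a blocklist or an IDS rule set, both to catch malformed entries such as the dotless octets above and to keep private or otherwise non-routable addresses out of the rules. The following Python is an added example, not code from the page; PEERS is a constructed excerpt in the same ip:port format (the first three entries are well-formed, the rest reproduce the fused-octet defect), and the Suricata rule text it emits is a template to tune, not a published signature.

```python
"""Validate an Emotet-style "ip:port" peer list before using it as IOCs.
Added example, not code from the page; PEERS is a constructed excerpt."""
import ipaddress

# Constructed sample in the published format: three well-formed entries, then
# three with the dotless fourth octet that appears throughout the list above.
PEERS = """45.79.95.107:443 68.183.170.114:8080 5.196.35.138:7080
110.170.65146:80 138.68.1064:7080 203.130.069:80"""


def parse_peers(text):
    """Return (valid, rejected): valid is a set of (address, port) with the
    address as a canonical string; rejected is a list of (token, reason)."""
    valid, rejected = set(), []
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            rejected.append((token, "bad port"))
            continue
        try:
            ip = ipaddress.IPv4Address(host)
        except ipaddress.AddressValueError:
            rejected.append((token, "bad address"))
            continue
        if not ip.is_global:                      # private, loopback, bogon: never block these
            rejected.append((token, "non-routable"))
            continue
        valid.add((str(ip), int(port)))
    return valid, rejected


def repair_candidates(host):
    """For a three-part host whose last group is two fused octets, list every split
    into a valid dotted quad. Exactly one candidate means the entry can be
    recovered mechanically; several means it must be re-derived from the source."""
    parts = host.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return []
    tail, out = parts[2], []
    for cut in range(1, len(tail)):
        a, b = tail[:cut], tail[cut:]
        if (len(a) > 1 and a[0] == "0") or (len(b) > 1 and b[0] == "0"):
            continue                               # "069" is not a valid octet
        if int(a) <= 255 and int(b) <= 255:
            out.append(".".join(parts[:2] + [a, b]))
    return out


def suricata_rules(valid, sid_base=9000000):
    """Emit one alert rule per validated peer (constructed rule text; tune before deploying)."""
    rules = []
    for n, (ip, port) in enumerate(sorted(valid)):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet peer {ip}:{port}"; '
                     f'flow:to_server; classtype:trojan-activity; sid:{sid_base + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    valid, rejected = parse_peers(PEERS)
    for token, reason in rejected:
        host = token.rpartition(":")[0]
        print(f"rejected {token}: {reason}; candidates {repair_candidates(host)}")
    print("\n".join(suricata_rules(valid)))
```

Running it on the constructed sample rejects all three fused entries; 110.170.65146 and 203.130.069 each have a single possible repair, while 138.68.1064 has two, which is exactly the case where guessing would put the wrong address into a blocklist.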

RED3.exe bhvaticanskeys.com 181.129.104.139.449 Trickbot Malware Banking Trojan

JA3 Fingerprint: f735bbc6b69723b9df7b0e7ef27872af
First seen: 2018-10-02 18:04:16 UTC
Last seen: 2020-01-15 05:53:57 UTC
Status: Blacklisted
Malware samples: 1,816
Destination IPs: 193
Malware: TrickBot
Listing date: 2020-01-09 14:17:18

2020-01-16 06:18:01.857421 IP 192.168.86.25.56294 > 94.23.64.40.80: Flags [P.], seq 1:444, ack 1, win 64240, length 443: HTTP: GET /RED3.exe HTTP/1.1
GET /RED3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bbvaticanskeys.com
Connection: Keep-Alive
Cookie: SERVERID104280=112034|XiBGX|XiBGX
2020-01-16 06:18:01.968837 IP 94.23.64.40.80 > 192.168.86.25.56294: Flags [.], seq 1:1461, ack 444, […]
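A JA3 value such as the TrickBot fingerprint listed above is the MD5 of a string built from five ClientHello fields (SSLVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats), each as dash-joined decimals, with GREASE values dropped so that clients which randomise them still produce a stable hash. The following Python is an added example and is neither the page's code nor the JA3 project's reference implementation; it parses a raw TLS record carrying a ClientHello and computes the fingerprint. The ClientHello it runs on is built here for illustration, so its hash is not the TrickBot value above.

```python
"""Derive a JA3 fingerprint from a raw TLS ClientHello record.
Added example; SAMPLE_HELLO is constructed here and is not a capture from the page."""
import hashlib
import struct

# GREASE values (RFC 8701) that clients insert at random; JA3 ignores them.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _u16s(data):
    """Big-endian uint16 list from a byte string."""
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, groups, point_formats).
    Only the fields JA3 uses are decoded; other extensions are skipped over."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                      # client_version, random
    pos += 1 + body[pos]                              # legacy_session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    ciphers = _u16s(body[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    pos += 1 + body[pos]                              # compression_methods
    extensions, groups, point_formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0x000A:                       # supported_groups (elliptic curves)
                groups = _u16s(edata[2:2 + struct.unpack(">H", edata[:2])[0]])
            elif etype == 0x000B:                     # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return version, ciphers, extensions, groups, point_formats


def ja3_string(version, ciphers, extensions, groups, point_formats):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats:
    decimal values, dash-joined within a field, GREASE removed."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(groups), join(point_formats)])


def ja3_hash(record):
    """MD5 of the JA3 string, the 32-hex-digit form SSLBL publishes."""
    return hashlib.md5(ja3_string(*parse_client_hello(record)).encode()).hexdigest()


def build_client_hello(ciphers, extensions, version=0x0303):
    """Constructed ClientHello in a TLS record; extensions is [(type, data), ...]."""
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"    # version, random, empty session id
            + struct.pack(">H", 2 * len(ciphers))
            + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00"                                       # compression_methods: null only
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed sample with a GREASE cipher and a GREASE group, as a modern browser sends.
SAMPLE_EXTENSIONS = [
    (0x0000, b"\x00\x0c\x00\x00\x09localhost"),         # server_name
    (0x000A, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),      # supported_groups: GREASE, x25519, secp256r1
    (0x000B, b"\x01\x00"),                               # ec_point_formats: uncompressed
    (0x002B, b"\x02\x03\x04"),                           # supported_versions: TLS 1.3
]
SAMPLE_HELLO = build_client_hello([0x1A1A, 0x1301, 0x1302, 0xC02B], SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    print(ja3_string(*parse_client_hello(SAMPLE_HELLO)))
    print(ja3_hash(SAMPLE_HELLO))
```

The same hello without its GREASE cipher and group hashes to the same value, which is the property that lets one JA3 entry cover a client across connections; it is also why JA3 is a client-stack fingerprint rather than a malware fingerprint, and a blacklisted value should be corroborated with the destination (here bbvaticanskeys.com / 94.23.64.40) before it is acted on.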

Trojan Malware BDaim-A is c000.exe vbc.exe Malicious X.509 SSL Certificate PCAP File Download Traffic Sample

Troj/BDaim-A is a backdoor trojan. The trojan installs itself as uvwxyz.exe in the Windows system folder and creates the following files, also in the system folder:

mswinsck.ocx (the clean Microsoft Winsock control)
raim.ocx

Troj/BDaim-A creates the following registry entry so that it starts automatically with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\uvwxyz = C:\WINDOWS\System32\uvwxyz.exe

In addition, Troj/BDaim-A creates the following registry entries:

HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Host = "localhost"
HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server\Port = dword:0000103f (4159)
HKCU\Software\Microsoft\Visual Basic\
HKCU\Software\Microsoft\Visual Basic\6.0\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ (default) = "Microsoft WinSock Control, version 6.0"
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}\
HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ […]