
Emotet Banker Banking Trojan r.exe Malware Traffic Sample PCAP file download 109.74.204.70 81.88.24.211 TCP/443

Download Attachments

  • pcap (36 KB), added May 9, 2017
VirusTotal:

SHA256: cb9e0ee153c8cedef0b41d7f1621b8579bc4836250be4615a4bef1508d576b88
File name: r.exe
Detection ratio: 42 / 61
Analysis date: 2017-05-09 02:13:00 UTC
Jiangmin Trojan.Banker.Emotet.u 20170508
K7AntiVirus Trojan ( 0050cfc91 ) 20170508
K7GW Trojan ( 0050cfc91 ) 20170508
Kaspersky Trojan-Banker.Win32.Emotet.vmf 20170508
Malwarebytes Trojan.Sharik 20170509
McAfee RDN/PWS-Banker 20170509
McAfee-GW-Edition BehavesLike.Win32.Backdoor.dc 20170508
Microsoft Trojan:Win32/Emotet.K 20170509

BRO:

http.log:

1494288151.035042	CmMK822szD4rN5qKFa	192.168.1.102	54585	184.154.247.69	80	1	GET	faciusa.com	/zap1fts-a367-bjmb/	-	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)	0	0	-	-	-	-	-	(empty)	-	-	-	-	-	-	-

1494288151.147053	CVPIlC4nICikKOe6G5	76.111.8.85	54585	184.154.247.69	80	1	-	-	-	-	-	0	1056	200	OK	-	-	-	(empty)	-	-	-	-	-	F9NOWw1UIpW6BrZiQd	application/x-dosexec

files.log:

1494288118.631033	FausPl26VuCViboyj6	184.154.247.69	192.168.1.100	Ct1hZV18jdKfmTBkwi	HTTP	0	SHA1,PE,MD5	application/x-dosexec	r.exe	0.172049	F	F	208896	-	0	0	F	-	0723aa82e5df8b220cbcb48b17eb38ae	e4908e4dfb4d3ac8bb25228e5cbc598b4bfa7b84
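One way to hunt for the two behaviours these http.log rows show, as an added example that is not part of the original post: the script maps the default Bro 2.x http.log columns onto names, then flags rows that served an executable or that carry a cleartext HTTP request to a bare IP on tcp/443. The first two rows are the http.log lines above; the third row (uid CAssumedBeacon0001, timestamp derived from the packet time) is an assumed record for the GET / beacon to 81.88.24.211:443 seen later in the capture, written the way Bro logs a request it identifies on a non-standard port, with the Host header kept verbatim including its ":443". That row is an assumption, not something the post shows.

```python
"""Hunt Bro/Zeek http.log rows for an executable served over HTTP and for
cleartext HTTP requests to a bare IP on tcp/443.

Added example, not part of the original post. HTTP_FIELDS is the default
Bro 2.x http.log column order. Rows 1 and 2 are the post's http.log lines;
row 3 is an ASSUMED record for the 81.88.24.211:443 beacon from the pcap.
"""
import re

HTTP_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "trans_depth", "method", "host", "uri", "referrer", "user_agent",
    "request_body_len", "response_body_len", "status_code", "status_msg",
    "info_code", "info_msg", "filename", "tags", "username", "password",
    "proxied", "orig_fuids", "orig_mime_types", "resp_fuids", "resp_mime_types",
]

DROPPER_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
              ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)")
BEACON_UA = "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)"

# Constructed sample log: one list per row in HTTP_FIELDS order, tab-joined
# exactly as Bro writes it ('-' = unset, '(empty)' = empty set).
SAMPLE_HTTP_LOG = "\n".join("\t".join(row) for row in [
    ["1494288151.035042", "CmMK822szD4rN5qKFa", "192.168.1.102", "54585",
     "184.154.247.69", "80", "1", "GET", "faciusa.com", "/zap1fts-a367-bjmb/",
     "-", DROPPER_UA, "0", "0", "-", "-", "-", "-", "-", "(empty)",
     "-", "-", "-", "-", "-", "-", "-"],
    ["1494288151.147053", "CVPIlC4nICikKOe6G5", "76.111.8.85", "54585",
     "184.154.247.69", "80", "1", "-", "-", "-", "-", "-", "0", "1056", "200",
     "OK", "-", "-", "-", "(empty)", "-", "-", "-", "-", "-",
     "F9NOWw1UIpW6BrZiQd", "application/x-dosexec"],
    # ASSUMED row (not on the page): the first beacon from the tcpdump output.
    ["1494288205.868387", "CAssumedBeacon0001", "192.168.1.102", "54586",
     "81.88.24.211", "443", "1", "GET", "81.88.24.211:443", "/", "-",
     BEACON_UA, "0", "0", "-", "-", "-", "-", "-", "(empty)",
     "-", "-", "-", "-", "-", "-", "-"],
])

BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")


def parse_http_log(text):
    """Map each tab-separated row onto HTTP_FIELDS; '-' and '(empty)' -> None."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        vals = line.split("\t")
        rows.append({k: (None if v in ("-", "(empty)") else v)
                     for k, v in zip(HTTP_FIELDS, vals)})
    return rows


def hunt(rows):
    """Return [(uid, 'resp_h:resp_p', [reasons])] for rows matching any rule."""
    hits = []
    for r in rows:
        why = []
        mimes = (r["resp_mime_types"] or "").split(",")
        if "application/x-dosexec" in mimes:
            why.append("executable (application/x-dosexec) served over HTTP")
        if r["method"] and r["id.resp_p"] == "443":
            why.append("cleartext HTTP request on tcp/443")
        if r["host"] and BARE_IP_HOST.match(r["host"]):
            why.append("Host header is a bare IP, no DNS involved")
        if r["method"] == "GET" and r["uri"] == "/" and r["user_agent"] == BEACON_UA:
            why.append("GET / with the static beacon user-agent")
        if why:
            hits.append((r["uid"], f'{r["id.resp_h"]}:{r["id.resp_p"]}', why))
    return hits


if __name__ == "__main__":
    for uid, dst, why in hunt(parse_http_log(SAMPLE_HTTP_LOG)):
        print(uid, dst)
        for w in why:
            print("   ", w)
```

The executable download surfaces through the response row (resp_mime_types), not the request row, so a hunt keyed on method or URI alone would miss it; the beacon row trips three rules at once, which is the profile to alert on.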

TCPDUMP:

2017-05-08 20:02:31.031501 IP 192.168.1.102.54585 > 184.154.247.69.80: Flags [P.], seq 0:403, ack 1, win 256, length 403: HTTP: GET /zap1fts-a367-bjmb/ HTTP/1.1
GET /zap1fts-a367-bjmb/ HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: faciusa.com
Connection: Keep-Alive

2017-05-08 20:02:57.749052 IP 192.168.1.102.54582 > 93.184.216.146.443: Flags [F.], seq 2210259979, ack 1676689716, win 254, length 0
2017-05-08 20:02:57.787358 IP 192.168.1.102.54582 > 93.184.216.146.443: Flags [.], ack 2, win 254, length 0
2017-05-08 20:03:25.714927 IP 192.168.1.102.54586 > 81.88.24.211.443: Flags [S], seq 3861825650, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-08 20:03:25.859455 IP 192.168.1.102.54586 > 81.88.24.211.443: Flags [.], ack 1593795941, win 256, length 0
2017-05-08 20:03:25.868387 IP 192.168.1.102.54586 > 81.88.24.211.443: Flags [P.], seq 0:908, ack 1, win 256, length 908
GET / HTTP/1.1
Cookie: AEAC=kIDP5xhGPeXQCWkCwSELSzwB2Vuzb5QScolg4DzgbfEuUspAaRl9PP2XEoUjpbLy9FtlTQrEfCIBcWIbP5zEgcK2tI+GkBt6P0HSU+lEX+zWCcIlb9q56Utsky3La7whIDmnihM2+yoVbaqNtTkwfvxuDVrpiEkDYJmpYsz+8E5IBa8in4ocPGlhQBxUbVqTdq6qCTLeWocFXyTwxekPxNDUrIRLQBu1nkgyTUhqe8Rz4vFzStolDjbxUhGpTWf0QYEJyJIYkZ3ZlQfCTb7v/M2PzIUAB1ypw4un7xGsy5w+Cctmua8H32W29wAlTVGCghEiuUrp7iIlqF5Fj/odUMUM5cmisvAcjb6NgsPplu8hXQtdD34MwmftWnbMyRVdJHXvGl1pM+p1SvlmkEPkAjPZj9aLVwp9eXQ9HEUq47oU7t9ZcJWMwbl0bRnigBcWrQuMC4/kLOtCuMJ3TY9oDAVdvdB8Y5wvMZ3YD2hpulBDx3k4OOa3n7eUXMAY/LIFI4AO9FMIhR59pxBcRZYuQ6xutF3VwqYcARQ6lyvLpIVz+ZYi2Hxwk5PHFz9PACaZcKKNQNbZRTxHB0GNBkLCLloKgFOahG5pSE8FhUzM17ppdpNY4x+FXyY8qI41nK31ZRrrIiizVIuWvcFDQ1mdJoI3gRzMcHuKChlI/6SeO+L7qwZHSWqbU7YUFziMwRv8ANNx+g==
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 81.88.24.211:443
Connection: Keep-Alive
Cache-Control: no-cache

2017-05-08 20:03:56.111932 IP 192.168.1.102.54591 > 109.74.204.70.443: Flags [P.], seq 0:417, ack 1, win 256, length 417
GET / HTTP/1.1
Cookie: 2542=GoUsd9wNu/roH/lfnGUOZlrQzr05GAVSphe9wKuOld/dVkUwU8eemmyQV5gaok2RR0UYiOF/s2TEQNhMiGS9oUR3sLqXpnmyN2ZC4Id5vITSDalAR0L6wlTQ5TH1AiCR405RHGeiU+4JWdfT18UWjVr58FH5vDuhcv/tEsbv1pAskvVXVJkTvNElmrk4tMA9G9tMZcdDHRJ1C7aVqpIUVnAqxOw=
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 109.74.204.70:443
Connection: Keep-Alive
Cache-Control: no-cache

2017-05-08 20:03:58.649593 IP 192.168.1.102.54551 > 5.12.153.81.80: Flags [F.], seq 0, ack 1, win 64710, length 0
2017-05-08 20:03:59.348208 IP 192.168.1.102.54591 > 109.74.204.70.443: Flags [.], ack 297, win 255, length 0
2017-05-08 20:04:00.227727 IP 192.168.1.102.54551 > 5.12.153.81.80: Flags [F.], seq 0, ack 1, win 64710, length 0
2017-05-08 20:04:01.994813 IP 192.168.1.102.54589 > 151.236.10.111.443: Flags [S], seq 3907399248, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-08 20:04:03.382915 IP 192.168.1.102.54551 > 5.12.153.81.80: Flags [F.], seq 0, ack 1, win 64710, length 0
2017-05-08 20:04:04.536955 IP 192.168.1.102.54590 > 151.236.10.111.443: Flags [S], seq 3469209268, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-08 20:04:09.696275 IP 192.168.1.102.54551 > 5.12.153.81.80: Flags [F.], seq 0, ack 1, win 64710, length 0
2017-05-08 20:04:14.002801 IP 192.168.1.102.54591 > 109.74.204.70.443: Flags [F.], seq 417, ack 297, win 255, length 0
2017-05-08 20:04:17.045833 IP 192.168.1.102.54592 > 109.74.204.70.443: Flags [S], seq 4219975708, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-08 20:04:17.145459 IP 192.168.1.102.54592 > 109.74.204.70.443: Flags [.], ack 727116152, win 256, length 0
2017-05-08 20:04:17.185464 IP 192.168.1.102.54592 > 109.74.204.70.443: Flags [P.], seq 0:417, ack 1, win 256, length 417
GET / HTTP/1.1
Cookie: 7767=JMBh94ilf2bDQINBQOAmSg50sl5JLd+xnehsLh49f4ScawNCoK4Kpg/VZinNNiF8mFMRMXHukpPlUl9eyjRvqnk33OHCZWWx3Kk8zrQgxPiXGJmtDNjkaJj/5EaOxb89pbEZsIIEoCaQ/NMHNqMtVCa4N53mhvH9kay4xFpPhmihHtpVt89ppJFgfWKDDjbsVCAZPu0ulsFGDbBo5MuMAXP8FOQ=
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 109.74.204.70:443
Connection: Keep-Alive
Cache-Control: no-cache

2017-05-08 20:04:17.443743 IP 192.168.1.102.54592 > 109.74.204.70.443: Flags [.], ack 296, win 255, length 0
2017-05-08 20:04:19.603605 IP 192.168.1.102.54592 > 109.74.204.70.443: Flags [P.], seq 417:982, ack 296, win 255, length 565
GET / HTTP/1.1
Cookie: 8175=ad5SOrDDvLzzyYqgbFd3GkfMqkty2f3qAsBuqPTA0HdX9V3FjRNIY1i/cc4kYWSI9ElrehODm0N0o9X7tuxVeuJI2wz3Jyi6g2jaFBiR2rm3U4Afwovw/KMAHbQ/3E1s/3GNVXIHPi6aYmKsXgg/URwSwCXBtr4RA1jCo+5bjsx+3Zr2MsgJedYwnIenaKbFZqepb3Epyh2PuAscKVKhLMvY+unQnZCZRelg3kp7DZOfebxiVOIygAh2AayfW+FXXasv4QupH2iEsitDpHMzP+7id96SSJW8KDryb95ZQcegVzVf2DOglr0BF+aKCoQZUNlAfC4hqqW4wsniE+drgkfF8gaZdk0ncNmiz96i74vIu0u7
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)
Host: 109.74.204.70:443
Connection: Keep-Alive
Cache-Control: no-cache
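The beacons above all have the same shape: a cleartext GET / sent to a bare IP on tcp/443, a single cookie whose name is a short number and whose value is a base64 blob, a static MSIE 8.0 / Windows NT 5.1 user-agent, and none of the Accept headers the dropper request to faciusa.com carried. As an added example that is not part of the original post, the script below parses raw requests as tcpdump -A prints them and scores each against that shape. The three sample requests are constructed from the output above (the dropper GET as a control, the 2542 and 7767 beacons to 109.74.204.70); the 64-byte payload floor is the author's assumption, not a value taken from the malware.

```python
"""Score raw HTTP requests against the C2 beacon shape in this capture.

Added example, not part of the original post. SAMPLES are constructed from
the tcpdump output on the page; MIN_PAYLOAD is an assumed threshold.
"""
import base64
import re

BEACON_UA_RE = re.compile(r"MSIE 8\.0; Windows NT 5\.1; SLCC1; \.NET CLR 1\.1\.4322")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:(\d{1,5})$")
COOKIE_RE = re.compile(r"^(\d{1,5})=([A-Za-z0-9+/]+={0,2})$")  # one numeric-named cookie
MIN_PAYLOAD = 64  # assumption: anything shorter is too small to be a C2 message


def build(lines):
    """Join request line and headers with CRLF, the way they sit on the wire."""
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLES = [  # (label, destination port, request as text)
    ("dropper download", 80, build([
        "GET /zap1fts-a367-bjmb/ HTTP/1.1",
        "Accept: image/jpeg, application/x-ms-application, image/gif, "
        "application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*",
        "Accept-Language: en-US",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; "
        "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
        "Accept-Encoding: gzip, deflate",
        "Host: faciusa.com",
        "Connection: Keep-Alive"])),
    ("beacon 2542", 443, build([
        "GET / HTTP/1.1",
        "Cookie: 2542=GoUsd9wNu/roH/lfnGUOZlrQzr05GAVSphe9wKuOld/dVkUwU8eemmyQV5gaok2RR0UYiOF/s2TEQNhMiGS9oUR3sLqXpnmyN2ZC4Id5vITSDalAR0L6wlTQ5TH1AiCR405RHGeiU+4JWdfT18UWjVr58FH5vDuhcv/tEsbv1pAskvVXVJkTvNElmrk4tMA9G9tMZcdDHRJ1C7aVqpIUVnAqxOw=",
        "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)",
        "Host: 109.74.204.70:443",
        "Connection: Keep-Alive",
        "Cache-Control: no-cache"])),
    ("beacon 7767", 443, build([
        "GET / HTTP/1.1",
        "Cookie: 7767=JMBh94ilf2bDQINBQOAmSg50sl5JLd+xnehsLh49f4ScawNCoK4Kpg/VZinNNiF8mFMRMXHukpPlUl9eyjRvqnk33OHCZWWx3Kk8zrQgxPiXGJmtDNjkaJj/5EaOxb89pbEZsIIEoCaQ/NMHNqMtVCa4N53mhvH9kay4xFpPhmihHtpVt89ppJFgfWKDDjbsVCAZPu0ulsFGDbBo5MuMAXP8FOQ=",
        "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)",
        "Host: 109.74.204.70:443",
        "Connection: Keep-Alive",
        "Cache-Control: no-cache"])),
]


def parse_request(raw):
    """Split the request line and headers into a dict; header names lower-cased."""
    lines = raw.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def score_beacon(req, dst_port):
    """Return (score, reasons, decoded cookie length or None); one point per rule."""
    h = req["headers"]
    reasons = []
    m = IP_PORT_RE.match(h.get("host", ""))
    if m and m.group(1) == "443" and dst_port == 443:
        reasons.append("plain HTTP to a bare IP on tcp/443: no TLS, no DNS lookup")
    if req["method"] == "GET" and req["uri"] == "/":
        reasons.append("GET / with no resource path")
    if BEACON_UA_RE.search(h.get("user-agent", "")):
        reasons.append("static MSIE 8.0 / Windows NT 5.1 user-agent")
    payload_len = None
    c = COOKIE_RE.match(h.get("cookie", ""))
    if c:
        try:  # strict decode: rejects non-alphabet bytes and bad padding
            payload_len = len(base64.b64decode(c.group(2), validate=True))
        except ValueError:  # binascii.Error is a ValueError
            payload_len = None
        if payload_len is not None and payload_len >= MIN_PAYLOAD:
            reasons.append(f"single numeric cookie '{c.group(1)}' carrying "
                           f"{payload_len} bytes of base64 data")
    if "accept" not in h and h.get("cache-control") == "no-cache":
        reasons.append("no Accept headers but Cache-Control: no-cache: not a browser")
    return len(reasons), reasons, payload_len


def triage(samples):
    """Score every sample; returns [(label, score, reasons)]."""
    return [(label, *score_beacon(parse_request(raw), port)[:2])
            for label, port, raw in samples]


if __name__ == "__main__":
    for label, score, reasons in triage(SAMPLES):
        print(f"{label}: score {score}")
        for r in reasons:
            print("   ", r)
```

The cookie check is the part that needs packet payload: a default Bro http.log carries no Cookie field, so the host, port and user-agent rules can run on the log but the base64-payload rule has to run on the raw request (or on a sensor that exposes the header). Both 220-character cookies decode to 164 bytes, which is consistent with the 417-byte request length tcpdump reports for each beacon.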
