Malspam Malware VAWTRAK ZBOT Banking Trojan Traffic Sample PCAP File Download inst.exe owwihuldu.com weralsemog.com

Download Attachments

  • inst (pcap)
    Date added: January 16, 2017 6:47 am    File size: 35 KB

https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Zbot-LPH/detailed-analysis.aspx

SHA256: cb7d41bdd0fb3309dc4562be0db482c631d2249775299cd06ee25342fc322b2c
File name: inst.exe
Detection ratio: 38 / 56
Analysis date: 2017-01-16 06:43:20 UTC

Engine                   Result                                        Signature date
Avira (no cloud)         TR/AD.Vawtrak.sxucc                           20170115
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9964    20170113
BitDefender              Trojan.GenericKD.4171617                      20170116
ClamAV                   Win.Trojan.Generic-5585310-0                  20170116
Comodo                   TrojWare.Win32.UMal.vkksq                     20170116
CrowdStrike Falcon (ML)  malicious_confidence_68% (W)                  20161024
Cyren                    W32/Trojan.QDXF-4923                          20170116
ESET-NOD32               Win32/PSW.Papras.EJ                           20170116
Emsisoft                 Trojan.GenericKD.4171617 (B)                  20170116
F-Secure                 Trojan.GenericKD.4171617                      20170116
Fortinet                 W32/Malicious_Behavior.VEX                    20170116
GData                    Trojan.GenericKD.4171617                      20170116
Ikarus                   Trojan.Win32.PSW                              20170115
Jiangmin                 Trojan.Banker.Neverquest2.fe                  20170116
K7AntiVirus              Password-Stealer ( 004cfc431 )                20170115

2017-01-15 23:28:56.011878 IP 192.168.1.102.62755 > 185.58.41.77.80: Flags [P.], seq 0:302, ack 1, win 256, length 302: HTTP: GET /wp-includes/inst.exe HTTP/1.1
GET /wp-includes/inst.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: vins-guadeloupe.net
Connection: Keep-Alive

2017-01-15 23:28:55.540149 IP 192.168.1.102.55910 > 75.75.75.75.53: 49611+ A? vins-guadeloupe.net. (37)
2017-01-15 23:29:26.933220 IP 192.168.1.102.55911 > 75.75.75.75.53: 8298+ A? google.com. (28)
2017-01-15 23:29:26.963070 IP 192.168.1.102.55912 > 75.75.75.75.53: 13821+ A? geholso.com. (29)
2017-01-15 23:29:26.992605 IP 192.168.1.102.58128 > 75.75.75.75.53: 36153+ A? geholso.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:27.013851 IP 192.168.1.102.58128 > 75.75.76.76.53: 36153+ A? geholso.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:28.035671 IP 192.168.1.102.58129 > 75.75.75.75.53: 56874+ A? eddimewwa.com. (31)
2017-01-15 23:29:28.078359 IP 192.168.1.102.62803 > 75.75.75.75.53: 16628+ A? eddimewwa.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:28.101011 IP 192.168.1.102.62803 > 75.75.76.76.53: 16628+ A? eddimewwa.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:29.106663 IP 192.168.1.102.62804 > 75.75.75.75.53: 819+ A? ewwurudl.com. (30)
2017-01-15 23:29:29.135677 IP 192.168.1.102.50241 > 75.75.75.75.53: 15828+ A? ewwurudl.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:30.179271 IP 192.168.1.102.50242 > 75.75.75.75.53: 11813+ A? wecassetiwg.com. (33)
2017-01-15 23:29:30.214625 IP 192.168.1.102.58329 > 75.75.75.75.53: 16451+ A? wecassetiwg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:30.246058 IP 192.168.1.102.58329 > 75.75.76.76.53: 16451+ A? wecassetiwg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:31.243361 IP 192.168.1.102.58330 > 75.75.75.75.53: 18253+ A? demuwgihu.com. (31)
2017-01-15 23:29:31.273100 IP 192.168.1.102.50596 > 75.75.75.75.53: 8597+ A? demuwgihu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:31.293202 IP 192.168.1.102.50596 > 75.75.76.76.53: 8597+ A? demuwgihu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:32.314176 IP 192.168.1.102.50597 > 75.75.75.75.53: 60424+ A? weralsemog.com. (32)
2017-01-15 23:29:32.343236 IP 192.168.1.102.51117 > 75.75.75.75.53: 26300+ A? weralsemog.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:33.385860 IP 192.168.1.102.51118 > 75.75.75.75.53: 60303+ A? sifugge.com. (29)
2017-01-15 23:29:33.417576 IP 192.168.1.102.50547 > 75.75.75.75.53: 43551+ A? sifugge.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:34.452429 IP 192.168.1.102.50548 > 75.75.75.75.53: 57843+ A? iwnocolsi.com. (31)
2017-01-15 23:29:34.483019 IP 192.168.1.102.63934 > 75.75.75.75.53: 32930+ A? iwnocolsi.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:34.501524 IP 192.168.1.102.63934 > 75.75.76.76.53: 32930+ A? iwnocolsi.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:35.522516 IP 192.168.1.102.63935 > 75.75.75.75.53: 30950+ A? uldeteggoc.com. (32)
2017-01-15 23:29:35.553838 IP 192.168.1.102.53345 > 75.75.75.75.53: 51663+ A? uldeteggoc.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:35.587919 IP 192.168.1.102.53345 > 75.75.76.76.53: 51663+ A? uldeteggoc.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:36.625361 IP 192.168.1.102.53346 > 75.75.75.75.53: 23454+ A? owwihuldu.com. (31)
2017-01-15 23:29:36.655183 IP 192.168.1.102.55750 > 75.75.75.75.53: 7471+ A? owwihuldu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:37.681389 IP 192.168.1.102.55751 > 75.75.75.75.53: 42666+ A? oslufin.com. (29)
2017-01-15 23:29:37.713140 IP 192.168.1.102.64434 > 75.75.75.75.53: 45921+ A? oslufin.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:37.740341 IP 192.168.1.102.64434 > 75.75.76.76.53: 45921+ A? oslufin.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:38.746394 IP 192.168.1.102.64435 > 75.75.75.75.53: 43257+ A? demuwnurill.com. (33)
2017-01-15 23:29:38.781352 IP 192.168.1.102.60308 > 75.75.75.75.53: 35313+ A? demuwnurill.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:38.811985 IP 192.168.1.102.60308 > 75.75.76.76.53: 35313+ A? demuwnurill.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:39.817594 IP 192.168.1.102.60309 > 75.75.75.75.53: 64945+ A? nohollomegg.com. (33)
2017-01-15 23:29:39.849068 IP 192.168.1.102.60677 > 75.75.75.75.53: 3054+ A? nohollomegg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:39.883453 IP 192.168.1.102.60677 > 75.75.76.76.53: 3054+ A? nohollomegg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:40.888998 IP 192.168.1.102.60678 > 75.75.75.75.53: 37703+ A? sefawnur.com. (30)
2017-01-15 23:29:40.921773 IP 192.168.1.102.54739 > 75.75.75.75.53: 54490+ A? sefawnur.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:40.947956 IP 192.168.1.102.54739 > 75.75.76.76.53: 54490+ A? sefawnur.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:41.955324 IP 192.168.1.102.54740 > 75.75.75.75.53: 11999+ A? iwnacusd.com. (30)
2017-01-15 23:29:41.994676 IP 192.168.1.102.53118 > 75.75.75.75.53: 42373+ A? iwnacusd.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:42.019784 IP 192.168.1.102.53118 > 75.75.76.76.53: 42373+ A? iwnacusd.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:43.025194 IP 192.168.1.102.53119 > 75.75.75.75.53: 46061+ A? nuhoddutuw.com. (32)
2017-01-15 23:29:43.064740 IP 192.168.1.102.64140 > 75.75.75.75.53: 15264+ A? nuhoddutuw.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:43.091043 IP 192.168.1.102.64140 > 75.75.76.76.53: 15264+ A? nuhoddutuw.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:44.112534 IP 192.168.1.102.64141 > 75.75.75.75.53: 50037+ A? lafennaridl.com. (33)
2017-01-15 23:29:44.146035 IP 192.168.1.102.58788 > 75.75.75.75.53: 79+ A? lafennaridl.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:44.171782 IP 192.168.1.102.58788 > 75.75.76.76.53: 79+ A? lafennaridl.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:45.199995 IP 192.168.1.102.58789 > 75.75.75.75.53: 65081+ A? gohadsam.com. (30)
2017-01-15 23:29:45.248329 IP 192.168.1.102.64194 > 75.75.75.75.53: 42011+ A? gohadsam.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:45.279366 IP 192.168.1.102.64194 > 75.75.76.76.53: 42011+ A? gohadsam.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:46.302067 IP 192.168.1.102.64195 > 75.75.75.75.53: 42594+ A? ulsotaww.com. (30)
2017-01-15 23:29:46.334847 IP 192.168.1.102.60331 > 75.75.75.75.53: 18704+ A? ulsotaww.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:46.361246 IP 192.168.1.102.60331 > 75.75.76.76.53: 18704+ A? ulsotaww.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:47.382925 IP 192.168.1.102.60332 > 75.75.75.75.53: 61197+ A? demagwer.com. (30)
2017-01-15 23:29:47.427556 IP 192.168.1.102.63717 > 75.75.75.75.53: 35121+ A? demagwer.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:47.448416 IP 192.168.1.102.63717 > 75.75.76.76.53: 35121+ A? demagwer.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:47.859165 IP 192.168.1.102.59178 > 75.75.75.75.53: 42974+ A? www.microsoft.com. (35)
2017-01-15 23:29:47.880648 IP 192.168.1.102.59178 > 75.75.76.76.53: 42974+ A? www.microsoft.com. (35)
2017-01-15 23:29:47.957786 IP 192.168.1.102.62691 > 75.75.75.75.53: 60703+ A? crl.microsoft.com. (35)
2017-01-15 23:29:47.981089 IP 192.168.1.102.62691 > 75.75.76.76.53: 60703+ A? crl.microsoft.com. (35)
2017-01-15 23:29:48.508021 IP 192.168.1.102.62692 > 75.75.75.75.53: 40733+ A? ungiruslumi.com. (33)
2017-01-15 23:29:48.537604 IP 192.168.1.102.57570 > 75.75.75.75.53: 10940+ A? ungiruslumi.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:48.566930 IP 192.168.1.102.57570 > 75.75.76.76.53: 10940+ A? ungiruslumi.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:49.573036 IP 192.168.1.102.57571 > 75.75.75.75.53: 52845+ A? lutuwwe.com. (29)
2017-01-15 23:29:49.601759 IP 192.168.1.102.54921 > 75.75.75.75.53: 48908+ A? lutuwwe.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:49.622898 IP 192.168.1.102.54921 > 75.75.76.76.53: 48908+ A? lutuwwe.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:50.643604 IP 192.168.1.102.54922 > 75.75.75.75.53: 2264+ A? enwacollemo.com. (33)
2017-01-15 23:29:50.672047 IP 192.168.1.102.63941 > 75.75.75.75.53: 46681+ A? enwacollemo.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:51.715508 IP 192.168.1.102.63942 > 75.75.75.75.53: 43328+ A? simawwo.com. (29)
2017-01-15 23:29:51.743101 IP 192.168.1.102.58013 > 75.75.75.75.53: 37517+ A? simawwo.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:51.759027 IP 192.168.1.102.58013 > 75.75.76.76.53: 37517+ A? simawwo.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:52.780467 IP 192.168.1.102.58014 > 75.75.75.75.53: 38172+ A? owwuhadsefu.com. (33)
2017-01-15 23:29:52.808696 IP 192.168.1.102.60452 > 75.75.75.75.53: 50914+ A? owwuhadsefu.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:52.830554 IP 192.168.1.102.60452 > 75.75.76.76.53: 50914+ A? owwuhadsefu.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:53.837583 IP 192.168.1.102.60453 > 75.75.75.75.53: 45612+ A? semowgir.com. (30)
2017-01-15 23:29:53.868680 IP 192.168.1.102.54651 > 75.75.75.75.53: 26775+ A? semowgir.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:53.895657 IP 192.168.1.102.54651 > 75.75.76.76.53: 26775+ A? semowgir.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:54.901613 IP 192.168.1.102.54652 > 75.75.75.75.53: 39397+ A? anguculde.com. (31)
2017-01-15 23:29:55.113050 IP 192.168.1.102.62150 > 75.75.75.75.53: 4519+ A? anguculde.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:55.136561 IP 192.168.1.102.62150 > 75.75.76.76.53: 4519+ A? anguculde.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:56.172486 IP 192.168.1.102.62151 > 75.75.75.75.53: 52774+ A? islomann.com. (30)
2017-01-15 23:29:56.207147 IP 192.168.1.102.50915 > 75.75.75.75.53: 27399+ A? islomann.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:57.244291 IP 192.168.1.102.50916 > 75.75.75.75.53: 16656+ A? ditaggehu.com. (31)
2017-01-15 23:29:57.286445 IP 192.168.1.102.50550 > 75.75.75.75.53: 48091+ A? ditaggehu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:57.303715 IP 192.168.1.102.50550 > 75.75.76.76.53: 48091+ A? ditaggehu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:58.331604 IP 192.168.1.102.50551 > 75.75.75.75.53: 30203+ A? gacessetu.com. (31)
2017-01-15 23:29:58.371921 IP 192.168.1.102.51706 > 75.75.75.75.53: 58586+ A? gacessetu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:58.391049 IP 192.168.1.102.51706 > 75.75.76.76.53: 58586+ A? gacessetu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:59.434282 IP 192.168.1.102.51707 > 75.75.75.75.53: 37715+ A? domenno.com. (29)
2017-01-15 23:29:59.464411 IP 192.168.1.102.51367 > 75.75.75.75.53: 3676+ A? domenno.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:59.493908 IP 192.168.1.102.51367 > 75.75.76.76.53: 3676+ A? domenno.com.hsd1.md.comcast.net. (49)
2017-01-15 23:30:00.492161 IP 192.168.1.102.51368 > 75.75.75.75.53: 21269+ A? ennahas.com. (29)
2017-01-15 23:30:00.522409 IP 192.168.1.102.52866 > 75.75.75.75.53: 22269+ A? ennahas.com.hsd1.md.comcast.net. (49)
2017-01-15 23:30:00.552884 IP 192.168.1.102.52866 > 75.75.76.76.53: 22269+ A? ennahas.com.hsd1.md.comcast.net. (49)
2017-01-15 23:30:01.570578 IP 192.168.1.102.52867 > 75.75.75.75.53: 54994+ A? waruldetugg.com. (33)
2017-01-15 23:30:01.603693 IP 192.168.1.102.60262 > 75.75.75.75.53: 14999+ A? waruldetugg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:30:02.641955 IP 192.168.1.102.60263 > 75.75.75.75.53: 56013+ A? dumunnu.com. (29)
2017-01-15 23:30:02.671924 IP 192.168.1.102.55723 > 75.75.75.75.53: 42686+ A? dumunnu.com.hsd1.md.comcast.net. (49)
2017-01-15 23:30:02.701693 IP 192.168.1.102.55723 > 75.75.76.76.53: 42686+ A? dumunnu.com.hsd1.md.comcast.net. (49)
2017-01-15 23:30:03.722796 IP 192.168.1.102.55724 > 75.75.75.75.53: 15395+ A? enwicudsofi.com. (33)
2017-01-15 23:30:03.767272 IP 192.168.1.102.60107 > 75.75.75.75.53: 37021+ A? enwicudsofi.com.hsd1.md.comcast.net. (53)
2017-01-15 23:30:03.788858 IP 192.168.1.102.60107 > 75.75.76.76.53: 37021+ A? enwicudsofi.com.hsd1.md.comcast.net. (53)
2017-01-15 23:30:04.794491 IP 192.168.1.102.60108 > 75.75.75.75.53: 27236+ A? litinwac.com. (30)
2017-01-15 23:30:04.844892 IP 192.168.1.102.65308 > 75.75.75.75.53: 61802+ A? litinwac.com.hsd1.md.comcast.net. (50)
2017-01-15 23:30:04.876049 IP 192.168.1.102.65308 > 75.75.76.76.53: 61802+ A? litinwac.com.hsd1.md.comcast.net. (50)
2017-01-15 23:30:05.896740 IP 192.168.1.102.65309 > 75.75.75.75.53: 43443+ A? iwnuhidsa.com. (31)
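The DNS lines above carry a pattern worth pulling out. From 23:29:26 the infected host asks for a fresh pseudo-random .com name roughly once per second (geholso.com, eddimewwa.com, ewwurudl.com, ...), and each one is followed within about 30 ms by a query for the same name with the connection's DNS suffix hsd1.md.comcast.net appended. That is the Windows resolver's fall-back after the name as typed failed to resolve, so every one of these names came back empty; google.com, www.microsoft.com, crl.microsoft.com and the payload host vins-guadeloupe.net get no such follow-up. A stream of unresolvable, machine-looking names at a fixed cadence is the signature of a domain-generation algorithm and is usually a more durable detection hook than any single domain from the list. The same transaction ID re-sent to 75.75.76.76 is the same lookup retried against the second configured resolver and must not be counted as a new query.

The script below is an added example, not part of the original post. It parses tcpdump query lines in exactly the format shown above (a subset of those lines is embedded as sample input), folds the suffix fall-back and the second-resolver retry into one record per name, and flags a burst of unresolved names. The search suffix, the 60-second window and the threshold of 5 names are assumptions chosen for this capture, and treating the suffixed re-query as proof of a failed lookup is an inference from the timing; on a real investigation, confirm it against the NXDOMAIN responses in the pcap.

```python
import re
import statistics
from datetime import datetime

# Sample input: lines copied from the tcpdump DNS output above (a subset of
# the pseudo-random names, plus the legitimate lookups for contrast).
SAMPLE = """\
2017-01-15 23:28:55.540149 IP 192.168.1.102.55910 > 75.75.75.75.53: 49611+ A? vins-guadeloupe.net. (37)
2017-01-15 23:29:26.933220 IP 192.168.1.102.55911 > 75.75.75.75.53: 8298+ A? google.com. (28)
2017-01-15 23:29:26.963070 IP 192.168.1.102.55912 > 75.75.75.75.53: 13821+ A? geholso.com. (29)
2017-01-15 23:29:26.992605 IP 192.168.1.102.58128 > 75.75.75.75.53: 36153+ A? geholso.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:27.013851 IP 192.168.1.102.58128 > 75.75.76.76.53: 36153+ A? geholso.com.hsd1.md.comcast.net. (49)
2017-01-15 23:29:28.035671 IP 192.168.1.102.58129 > 75.75.75.75.53: 56874+ A? eddimewwa.com. (31)
2017-01-15 23:29:28.078359 IP 192.168.1.102.62803 > 75.75.75.75.53: 16628+ A? eddimewwa.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:28.101011 IP 192.168.1.102.62803 > 75.75.76.76.53: 16628+ A? eddimewwa.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:29.106663 IP 192.168.1.102.62804 > 75.75.75.75.53: 819+ A? ewwurudl.com. (30)
2017-01-15 23:29:29.135677 IP 192.168.1.102.50241 > 75.75.75.75.53: 15828+ A? ewwurudl.com.hsd1.md.comcast.net. (50)
2017-01-15 23:29:30.179271 IP 192.168.1.102.50242 > 75.75.75.75.53: 11813+ A? wecassetiwg.com. (33)
2017-01-15 23:29:30.214625 IP 192.168.1.102.58329 > 75.75.75.75.53: 16451+ A? wecassetiwg.com.hsd1.md.comcast.net. (53)
2017-01-15 23:29:31.243361 IP 192.168.1.102.58330 > 75.75.75.75.53: 18253+ A? demuwgihu.com. (31)
2017-01-15 23:29:31.273100 IP 192.168.1.102.50596 > 75.75.75.75.53: 8597+ A? demuwgihu.com.hsd1.md.comcast.net. (51)
2017-01-15 23:29:32.314176 IP 192.168.1.102.50597 > 75.75.75.75.53: 60424+ A? weralsemog.com. (32)
2017-01-15 23:29:32.343236 IP 192.168.1.102.51117 > 75.75.75.75.53: 26300+ A? weralsemog.com.hsd1.md.comcast.net. (52)
2017-01-15 23:29:47.859165 IP 192.168.1.102.59178 > 75.75.75.75.53: 42974+ A? www.microsoft.com. (35)
2017-01-15 23:29:47.880648 IP 192.168.1.102.59178 > 75.75.76.76.53: 42974+ A? www.microsoft.com. (35)
"""

# Connection-specific DNS suffix the host appends after a failed lookup,
# taken from the queries above. Assumption: a single suffix per capture.
SEARCH_SUFFIX = "hsd1.md.comcast.net"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dns>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+ A\? (?P<name>\S+)\. \(\d+\)$"
)


def parse_queries(text):
    """Turn tcpdump 'A?' query lines into dicts; anything else is skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            queries.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "txid": int(m["txid"]),
                "name": m["name"].lower(),
                "server": m["dns"],
            })
    return queries


def summarize(queries, search_suffix=SEARCH_SUFFIX):
    """One record per looked-up name. A query for <name>.<suffix> is the
    resolver retrying after the plain lookup failed, so it marks <name> as
    unresolved instead of counting as a new name; the same transaction ID
    sent to a second server is folded into the same record."""
    suffix = "." + search_suffix
    names = {}
    for q in queries:
        base, fallback = q["name"], False
        if base.endswith(suffix):
            base, fallback = base[:-len(suffix)], True
        rec = names.setdefault(base, {"first_seen": q["ts"], "unresolved": False,
                                      "txids": set(), "servers": set()})
        rec["unresolved"] = rec["unresolved"] or fallback
        rec["txids"].add(q["txid"])
        rec["servers"].add(q["server"])
    return names


def dga_burst(names, window_s=60, threshold=5):
    """Largest set of distinct unresolved names first seen inside any
    window_s-second window; flagged once it reaches threshold."""
    seen = sorted((r["first_seen"], n) for n, r in names.items() if r["unresolved"])
    best = []
    for i, (t0, _) in enumerate(seen):
        window = [n for t, n in seen[i:] if (t - t0).total_seconds() <= window_s]
        if len(window) > len(best):
            best = window
    return len(best) >= threshold, best


def median_interval(names):
    """Median seconds between successive unresolved names; a DGA loop that
    walks its candidate list gives a near-constant value (about 1 s here)."""
    ts = sorted(r["first_seen"] for r in names.values() if r["unresolved"])
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.median(gaps) if gaps else None


if __name__ == "__main__":
    names = summarize(parse_queries(SAMPLE))
    flagged, burst = dga_burst(names)
    print("DGA-like burst:", flagged, burst)
    print("median interval between unresolved names (s):", median_interval(names))
```

Run it against the full DNS output of the capture (or `tcpdump -nn -r inst.pcap port 53`) and the unresolved set grows to the whole list of generated names while google.com, www.microsoft.com, crl.microsoft.com and vins-guadeloupe.net stay out of it; the suffix and thresholds are the only values that need adjusting for another network.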