Nymeria Trojan Malware AURVIA.exe 213.183.58.9.1981 WannaCry SMB MS17-010 EternalBlue PCAP txt File Traffic Sample Download

Download Attachments

  • 1 txt auria
    Date added: July 3, 2017 10:39 pm Added by: admin File size: 44 KB Downloads: 92
SHA256: 61a28dba92fb1dc8bebec84115c934e1eb1b7643b49cf10667a943e819c811ae
File name: AURVIA.exe
Detection ratio: 45 / 61
Analysis date: 2017-07-03 20:28:12 UTC ( 0 minutes ago )
Ad-Aware AIT:Trojan.Nymeria.109 20170703
AegisLab Troj.W32.Autoit.lZhY 20170703
AhnLab-V3 Trojan/Win32.AutoIt.C2019675 20170703
ALYac AIT:Trojan.Nymeria.109 20170703
Arcabit AIT:Trojan.Nymeria.109 20170703
Avast Win32:Malware-gen 20170703
AVG Win32:Malware-gen 20170703
Avira (no cloud) TR/Worm.ztzxx 20170703
AVware Trojan.Win32.Generic!BT 20170703
BitDefender AIT:Trojan.Nymeria.109 20170703
CMC Trojan.Win32.Generic!O 20170701
Comodo TrojWare.Spy.Autoit.~ 20170703
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170420
Cyren W32/Trojan.ULQS-9254 20170703
DrWeb Trojan.MulDrop7.31019 20170703
Emsisoft AIT:Trojan.Nymeria.109 (B) 20170703


2017-07-03 15:42:43.109898 IP 192.168.1.102.60633 > 176.9.21.114.80: Flags [P.], seq 0:407, ack 1, win 256, length 407: HTTP: GET /morgan/AURVIA.exe HTTP/1.1
E…>.@…3$…f.    .r…P.R..o…P…….GET /morgan/AURVIA.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: wearitgroups.com
Connection: Keep-Alive

2017-07-03 15:43:02.388661 IP 192.168.1.102.64250 > 75.75.75.75.53: 1813+ A? ip-score.com. (30)
E..:cP….~….fKKKK…5.&……………ip-score.com…..
2017-07-03 15:43:02.592822 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [S], seq 4247852493, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4".@…8….f_.}….P.1…….. ……………..
2017-07-03 15:43:02.732962 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 920389231, win 256, length 0
E..(".@…8….f_.}….P.1..6..oP………….
2017-07-03 15:43:02.740348 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [P.], seq 0:66, ack 1, win 256, length 66: HTTP: GET /checkip/ HTTP/1.1
E..j".@…7….f_.}….P.1..6..oP…{…GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com

2017-07-03 15:43:03.150845 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 7143, win 256, length 0
E..(".@…8….f_.}….P.1..6."UP….h……..
2017-07-03 15:43:03.152347 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 10056, win 256, length 0
E..(".@…8….f_.}….P.1..6.-.P………….
2017-07-03 15:43:03.699652 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [S], seq 3725019290, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4Q.@……..f..:    ……H……. .b……………
2017-07-03 15:43:06.704436 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [S], seq 3725019290, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4Q.@……..f..:    ……H……. .b……………
2017-07-03 15:43:07.063193 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 1238798603, win 260, length 0
E..(Q.@……..f..:    ……H.I…P………….
2017-07-03 15:43:07.065901 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
E..~Q.@……..f..:    ……H.I…P…….United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:07.274722 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [P.], seq 0:86, ack 1, win 260, length 86
E..~Q.@……..f..:    ……H.I…P…….United States|TTTTT3|76.111.8.85|blahhost|WIN_7|X86|No|No|1.0.1|ddd|Pr1080X21920X3|x|beta
2017-07-03 15:43:11.664823 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 6, win 260, length 0
E..(Q.@……..f..:    ……H.I…P………….
2017-07-03 15:43:16.661934 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 11, win 260, length 0
E..(Q.@……..f..:    ……H.I…P………….
2017-07-03 15:43:21.674695 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 16, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….~……..
2017-07-03 15:43:26.686897 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 21, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….y……..
2017-07-03 15:43:30.683093 IP 192.168.1.102.137 > 192.168.1.112.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
E..fy…..<….f…p…..R…?………. FCFJDEFHEOCNFAEDCACACACACACACACA.. ……..`…..`…..`….f
2017-07-03 15:43:30.686265 IP 192.168.1.102.5355 > 192.168.1.112.59508: UDP, length 50
E..Ny…..<….f…p…t.:.I………….blahhost-PC……blahhost-PC…………..f
2017-07-03 15:43:30.686353 IP 192.168.1.102.5355 > 192.168.1.112.50550: UDP, length 62
E..Zy…..<….f…p…v.F|…………..blahhost-PC……blahhost-PC……………………..&
2017-07-03 15:43:30.694290 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [S.], seq 714103385, ack 3128129811, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4y.@……..f…p…S*.ZY.sy… .B……………
2017-07-03 15:43:30.701319 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1:5, ack 73, win 256, length 4 NBT Session Packet: Session Granted
E..,y.@……..f…p…S*.ZZ.sy[P…     ……..
2017-07-03 15:43:30.703165 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 5:414, ack 210, win 256, length 409 NBT Session Packet: Session Message
E…y.@….Q…f…p…S*.Z^.sy.P…kg…….SMBr…..C…………………….
………………….L4……P..%…..O…
.l!.`..<..+……..00..,..0..
+…..7….
+…..7..
……..NEGOEXTS……..`…p……..:..).4.V..n…z…P…..G….=.t{…N…$.?……..`……………\3S….M..J.xn..NEGOEXTS……..@…………:..).4.V..n\3S….M..J.xn..@…X…0V.T0R0'.%0#1!0…U….Token Signing Public Key0'.%0#1!0…U….Token Signing Public Key
2017-07-03 15:43:30.705940 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 414:744, ack 352, win 255, length 330 NBT Session Packet: Session Message
E..ry.@……..f…p…S*.[..szrP….X…..F.SMBs…………………………F……….0….
…..
+…..7..
……NTLMSSP………8…….ij.9$.H………`.`.H…
.98….R.Y.4.W.N.-.P.C…..R.Y.4.W.N.-.P.C…..R.Y.4.W.N.-.P.C…..r.y.4.w.n.-.P.C…..r.y.4.w.n.-.P.C……..L4…….W.i.n.d.o.w.s. .1.0. .H.o.m.e. .1.4.3.9.3…W.i.n.d.o.w.s. .1.0. .H.o.m.e. .6…3…
2017-07-03 15:43:30.709358 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 744:904, ack 592, win 254, length 160 NBT Session Packet: Session Message
E…y.@….H…f…p…S*.]A.s{bP…………SMBs……………………. ……….q…0…
…………d….;….W.i.n.d.o.w.s. .1.0. .H.o.m.e. .1.4.3.9.3…W.i.n.d.o.w.s. .1.0. .H.o.m.e. .6…3…
2017-07-03 15:43:30.712507 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 904:964, ack 678, win 254, length 60 NBT Session Packet: Session Message
E..dy.@……..f…p…S*.]..s{.P…H……8.SMBu…………………….0….8………….IPC….
2017-07-03 15:43:30.718820 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 964:1086, ack 800, win 253, length 122 NBT Session Packet: Session Message
E…y.@….l…f…p…S*.^..s|2P…t<…..v.SMB%…………………H…@.
..6…..8…6.@…..?……….DESKTOP-H25VU4V.
…..4…blahhost-PC……..
…..5…..
2017-07-03 15:43:30.721043 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1086:1189, ack 922, win 253, length 103 NBT Session Packet: Session Message
E…y.@….~…f…p…S*.^..s|.P……….c.SMB%…………………H…P.
..#…..8…#.@…..,……….WORKGROUP……..
……..blahhost-PC.
2017-07-03 15:43:31.699415 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 26, win 260, length 0
E..(Q.@……..f..:    ……H.I..$P….t……..
2017-07-03 15:43:36.711794 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 31, win 260, length 0
E..(Q.@……..f..:    ……H.I..)P….o……..
2017-07-03 15:43:41.376732 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1189:1228, ack 961, win 253, length 39 NBT Session Packet: Session Message
E..Oy.@……..f…p…S*.^..s|.P…s……#.SMBq…………………….`….
2017-07-03 15:43:41.378025 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [P.], seq 1228:1271, ack 1004, win 253, length 43 NBT Session Packet: Session Message
E..Sy.@……..f…p…S*._%.s|.P…Y……'.SMBt………………..-….p….'…
2017-07-03 15:43:41.381702 IP 192.168.1.102.139 > 192.168.1.112.53075: Flags [F.], seq 1271, ack 1005, win 253, length 0
E..(y.@……..f…p…S*._P.s|.P….}……..
2017-07-03 15:43:41.724493 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 36, win 260, length 0
E..(Q.@……..f..:    ……H.I…P….j……..
2017-07-03 15:43:46.736953 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 41, win 260, length 0
E..(Q.@……..f..:    ……H.I..3P….e……..
2017-07-03 15:43:51.365090 IP 192.168.1.102.55851 > 75.75.75.75.53: 55467+ A? win10.ipv6.microsoft.com. (42)
E..FcQ….~….fKKKK.+.5.2……………win10.ipv6    microsoft.com…..
2017-07-03 15:43:51.727215 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 46, win 260, length 0
E..(Q.@……..f..:    ……H.I..8P….`……..
2017-07-03 15:43:56.740004 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 51, win 260, length 0
E..(Q @……..f..:    ……H.I..=P….[……..
2017-07-03 15:44:01.752644 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 56, win 260, length 0
E..(Q!@……..f..:    ……H.I..BP….V……..
2017-07-03 15:44:06.765073 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 61, win 260, length 0
E..(Q"@……..f..:    ……H.I..GP….Q……..
2017-07-03 15:44:08.152155 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [.], ack 10057, win 256, length 0
E..(".@…8….f_.}….P.1..6.-.P………….
2017-07-03 15:44:11.780588 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 66, win 260, length 0
E..(Q#@……..f..:    ……H.I..LP….L……..
2017-07-03 15:44:16.793072 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 71, win 260, length 0
E..(Q$@……..f..:    ……H.I..QP….G……..
2017-07-03 15:44:21.805533 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 76, win 260, length 0
E..(Q%@……..f..:    ……H.I..VP….B……..
2017-07-03 15:44:26.802501 IP 192.168.1.102.60635 > 213.183.58.9.1981: Flags [.], ack 81, win 259, length 0
E..(Q&@……..f..:    ……H.I..[P….>……..
