Nymeria Trojan Malware ip-score.com VM aware PCAP file download traffic analysis sample

Download Attachments

  • 1 pcap pqzlqv (13 KB, added July 3, 2017)

SHA256: a771e484736b4ee8f478dfaa3d5194c10b9f983db86e02601d09a4e8c721a1e0
File name: PQZLQV.exe
Detection ratio: 46 / 61
Analysis date: 2017-07-03 21:43:32 UTC

Engine                    Detection                         Engine update
Ad-Aware                  AIT:Trojan.Nymeria.109            20170703
AegisLab                  Troj.W32.Autoit.lZhY              20170703
AhnLab-V3                 Trojan/Win32.AutoIt.C2019675      20170703
ALYac                     AIT:Trojan.Nymeria.109            20170703
Arcabit                   AIT:Trojan.Nymeria.109            20170703
Avast                     Win32:Malware-gen                 20170703
AVG                       Win32:Malware-gen                 20170703
Avira (no cloud)          TR/Worm.jjadm                     20170703
AVware                    Trojan.Win32.Generic!BT           20170703
BitDefender               AIT:Trojan.Nymeria.109            20170703
CAT-QuickHeal             Trojan.Dynamer                    20170703
CMC                       Trojan.Win32.Generic!O            20170701
Comodo                    UnclassifiedMalware               20170703
CrowdStrike Falcon (ML)   malicious_confidence_100% (W)     20170420
Cyren                     W32/Trojan.RHYP-2161              20170703
DrWeb                     Trojan.DownLoader25.4131          20170703
Emsisoft                  AIT:Trojan.Nymeria.109 (B)        20170703
(17 of the 46 detecting engines are listed.)

Linked VirusTotal report (note that the SHA256 in this URL, 61a28dba..., is not the PQZLQV.exe hash listed above; which file the link refers to is not stated):
https://virustotal.com/en/file/61a28dba92fb1dc8bebec84115c934e1eb1b7643b49cf10667a943e819c811ae/analysis/1499113692/

Relevant packets from the capture (tcpdump output, packet headers and HTTP payload only):

2017-07-03 16:00:35.171719 IP 192.168.1.102.60683 > 176.9.21.114.80: Flags [P.], seq 0:407, ack 1, win 256, length 407: HTTP: GET /morgan/PQZLQV.exe HTTP/1.1
GET /morgan/PQZLQV.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: wearitgroups.com
Connection: Keep-Alive

2017-07-03 16:00:51.558618 IP 192.168.1.102.61256 > 75.75.75.75.53: 33482+ A? ip-score.com. (30)
2017-07-03 16:00:51.701878 IP 192.168.1.102.60634 > 95.211.125.236.80: Flags [F.], seq 4247852560, ack 920399287, win 256, length 0
2017-07-03 16:00:54.707769 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [S], seq 2417805376, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-07-03 16:00:54.839574 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [.], ack 2159007172, win 256, length 0
2017-07-03 16:00:54.841073 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [P.], seq 0:66, ack 1, win 256, length 66: HTTP: GET /checkip/ HTTP/1.1
GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com

2017-07-03 16:00:54.991952 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [.], ack 7143, win 256, length 0
2017-07-03 16:00:54.992823 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [.], ack 10062, win 256, length 0
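What the capture shows: the host fetches PQZLQV.exe from wearitgroups.com with an Internet Explorer 8 User-Agent, then sixteen seconds later resolves ip-score.com and requests /checkip/ with User-Agent: AutoIt, the default User-Agent of AutoIt's Inet* functions, which matches the AutoIt-based detection names in the list above. The acks at 7143 and 10062 show the /checkip/ response was over 10 KB, so the script received a full page rather than a bare address. The following Python is an added example, not code from this page or from the sample's author: it parses tcpdump text of the kind reproduced above and flags the three indicators visible here (an .exe download, a DNS lookup or HTTP request to an external-IP lookup service, and the AutoIt User-Agent). The sample input is constructed from the lines above with the long headers shortened; the regular expressions assume tcpdump's default header format, and IP_CHECK_HOSTS holds only the service seen in this capture, which is an assumption an analyst would extend.

```python
"""Detection logic for the behaviours visible in the capture above: an .exe
fetched with a browser User-Agent, and an external-IP lookup made with the
AutoIt default User-Agent. It parses tcpdump text rather than a pcap, so it
runs offline on the lines reproduced from the page."""
import re

# Constructed sample input: packet headers and HTTP request lines taken from
# the tcpdump excerpt above (long Accept/User-Agent headers shortened).
SAMPLE_TCPDUMP = """\
2017-07-03 16:00:35.171719 IP 192.168.1.102.60683 > 176.9.21.114.80: Flags [P.], seq 0:407, ack 1, win 256, length 407: HTTP: GET /morgan/PQZLQV.exe HTTP/1.1
GET /morgan/PQZLQV.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: wearitgroups.com
Connection: Keep-Alive

2017-07-03 16:00:51.558618 IP 192.168.1.102.61256 > 75.75.75.75.53: 33482+ A? ip-score.com. (30)
2017-07-03 16:00:54.707769 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [S], seq 2417805376, win 8192, length 0
2017-07-03 16:00:54.841073 IP 192.168.1.102.60684 > 95.211.125.236.80: Flags [P.], seq 0:66, ack 1, win 256, length 66: HTTP: GET /checkip/ HTTP/1.1
GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com
"""

# tcpdump default header: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
PACKET_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"\bA\? (?P<qname>[\w.-]+)\. \(\d+\)$")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")

# Assumption: only the lookup service seen in this capture; an analyst would
# add the other external-IP services relevant to their environment.
IP_CHECK_HOSTS = {"ip-score.com"}
AUTOIT_DEFAULT_UA = "AutoIt"  # default User-Agent sent by AutoIt's Inet* functions


def parse_events(text):
    """Turn tcpdump text into DNS-query and HTTP-request events.

    An HTTP event carries the packet's timestamp/endpoints plus the request
    line and headers printed on the lines that follow it (tcpdump -A style),
    up to the next blank line or packet header.
    """
    events, current = [], None
    for line in text.splitlines():
        pkt = PACKET_RE.match(line)
        if pkt:
            if current is not None:
                events.append(current)
            current = None
            meta = {k: pkt.group(k) for k in ("ts", "src", "dst", "dport")}
            dns = DNS_QUERY_RE.search(pkt.group("rest"))
            if dns:
                events.append({"kind": "dns", "qname": dns.group("qname").lower(), **meta})
            elif "HTTP:" in pkt.group("rest"):
                current = {"kind": "http", "headers": {}, **meta}
            continue
        if current is None:
            continue
        if not line.strip():  # blank line ends the request block
            events.append(current)
            current = None
            continue
        req = REQUEST_LINE_RE.match(line)
        if req and "uri" not in current:
            current.update(req.groupdict())
        elif ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    if current is not None:
        events.append(current)
    return events


def classify(event):
    """Return the indicator names an event matches (empty list = nothing)."""
    tags = []
    if event["kind"] == "dns":
        if event["qname"] in IP_CHECK_HOSTS:
            tags.append("dns-lookup-ip-check-service")
        return tags
    uri = event.get("uri", "")
    host = event["headers"].get("host", "").lower()
    ua = event["headers"].get("user-agent", "")
    if uri.split("?", 1)[0].lower().endswith(".exe"):
        tags.append("exe-download")
    if host in IP_CHECK_HOSTS:
        tags.append("external-ip-check")
    if ua == AUTOIT_DEFAULT_UA:
        tags.append("autoit-user-agent")
    return tags


def find_suspicious(text):
    """Events with at least one indicator, in capture order, for triage."""
    findings = []
    for ev in parse_events(text):
        tags = classify(ev)
        if tags:
            what = ev.get("qname") or ev["headers"].get("host", "") + ev.get("uri", "")
            findings.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                             "what": what, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_TCPDUMP):
        print(f["ts"], f["src"], "->", f["dst"], f["what"], ",".join(f["tags"]))
```

Run against the sample it reports three events: the executable download, the DNS lookup for ip-score.com, and the /checkip/ request carrying both the external-IP-check and AutoIt User-Agent tags. The DNS indicator is there deliberately: it still fires when the lookup service is reached over HTTPS and the User-Agent is no longer visible.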
