PCAP Malware Traffic Sample Download Snort Rule Win.Trojan.Gamarue variant POST /panel1/gate.php

51 engines detected this file
SHA-256 3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e
File name AU.EXE
File size 572.5 KB
Last analysis 2017-11-29 21:23:27 UTC

Engine          Detection
Ad-Aware        Trojan.Crypt.Agent.BF
AegisLab        Gen.Variant.Razy!c
AhnLab-V3       Trojan/Win32.Locky.C2242537
ALYac           Trojan.Crypt.Agent.BF
Antiy-AVL       Trojan/Win32.TSGeneric
Arcabit         Trojan.Crypt.Agent.BF
Avast           Win32:Malware-gen
AVG             Win32:Malware-gen
Avira           TR/Crypt.Xpack.binkq
AVware          Trojan.Win32.Generic!BT
Baidu           Win32.Trojan.WisdomEyes.16070401.9500.9999
BitDefender     Trojan.Crypt.Agent.BF
CAT-QuickHeal   TrojanSpy.SpyEyes
Comodo          Backdoor.Win32.Poison.FYRG

References:

https://www.hybrid-analysis.com/sample/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e?environmentId=100

https://www.virustotal.com/#/file/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e/detection

Snort Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; sid:1234; rev:1;)

2017-11-29 19:34:59.673041 IP 192.168.1.102.50951 > 198.54.116.113.80: Flags [P.], seq 3095874245:3095874726, ack 2614075121, win 260, length 481: HTTP: GET /au.exe HTTP/1.1
E.. A.@….t…f.6tq…P..J…..P…….GET /au.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: evaroma.zone
Connection: Keep-Alive

2017-11-29 19:35:06.844873 IP 192.168.1.102.50959 > 198.54.116.113.80: Flags [P.], seq 3400751766:3400751989, ack 361817033, win 260, length 223: HTTP: POST /panel1/gate.php HTTP/1.0
E…B.@……..f.6tq…P..Z…..P…….POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 80
Accept-Language: en-US
Content-Type: image/jpeg

UR.QQ…U..U.v#..S..Sp.Tvt#..Q..^w.U.v ..”qu’..^vvC..C..C.sC..%..U.._..WtuC..C..
2017-11-29 19:35:08.535037 IP 192.168.1.102.50960 > 198.54.116.113.80: Flags [P.], seq 85791915:85793375, ack 2118066358, win 260, length 1460: HTTP: POST /panel1/gate.php HTTP/1.0
E…B.@……..f.6tq…P….~? .P…….POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 14075
Accept-Language: en-US
Content-Type: image/jpeg

@R.]E.VV.S
Z[Y.]v’.r#w.’..Qp.K.. w.$v.W.. q.RtsU..P..#v.Us.”v.P..U..S..K
._..Sv.’..Ts. ..X..S..UsrC..C..$..”qrC..C..#..UsqC.s%pvC..”s.U..U..Tv.U.tC..C..C.. p.U..U.KC..C.rC…e^.VX.A.T..U..T.d.SE.WE.J.U..U.K1{yC.sC..)q.U.d3be…PbK.K.U.@.N.U.KC…..VN.U.K#NbZ.^.TX’s.#wrVs._.uQ..PtrKpsV..VttS.q”..W..KwsV.v^vsK..W..R..S..^..K.sVs.W.vUt.V.:l.G.VD’s.#wrVs._.uQ..PtrKpsV..VttS.q”..W..KwsV.v^vsK..W..R..S..^..K.sVs.W.vUt.V..IB@.Av’.r#w.’..Qp.K.. w.$v.W.. q.RtsU..P..#v.Us.”v.P..U..S..K
._..Sv.’..Ts. ..X?=ZQX.Av’.r#w.’..Qp.K.. w.$v.W.. q.RtsU..P..#v.Us.”v.P..U..S..K
._..Sv.’..Ts. ..XST.]B.FDC.r.]X.^RC.r.]Zk8V.\O…#QX.?=.VA.@C.A^.U.TwT _:lSG…#P^.U.TwT _:lSCC.r.F@ ^VC.r.]Zk8V.EX
S.TwT _:lP^.U.TwT _:lQ.TwZ.\.TwT _:lVX.P[.Q[.Q\C.r.WCk8P ]P
W.TwT _:l[Z…#_V.@X.[[
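The following is an added example, not code from the original post: a small Python evaluator that applies the content matches of the Snort rule above to a raw HTTP request, so the rule's options (http_method, plain payload content, depth with http_client_body) can be checked one by one against the captured POST. Both requests in the block are constructed for the example; the second reproduces only the request line and headers visible in the tcpdump output, since the body bytes are not recoverable from the dump and are a placeholder. The hostname and path come from the capture on this page; example.invalid is a constructed host.

```python
# Added example (not part of the original post): a minimal evaluator that
# applies the content matches of the Snort rule on this page to a raw HTTP
# request. It models Snort's option semantics only as far as this rule needs:
#   content:"POST"; http_method          -> request method equals POST
#   content:"panel1/gate.php"            -> bytes appear anywhere in the payload
#   content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"
#                                        -> bytes appear anywhere in the payload
#   content:"+"; depth:15; http_client_body
#                                        -> '+' occurs within the first 15 body bytes
# Both sample requests below are constructed for this example.

RULE_METHOD = b"POST"
RULE_PAYLOAD_CONTENTS = [
    b"panel1/gate.php",
    b" HTTP/1.1\r\nCache-Control: no-cache\r\nConnection:",
]
RULE_BODY_CONTENT = b"+"
RULE_BODY_DEPTH = 15


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, body); only what the rule needs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method, body


def evaluate_rule(raw: bytes) -> dict:
    """Return one boolean per content match, keyed by the Snort option it models."""
    method, body = parse_request(raw)
    results = {"http_method POST": method == RULE_METHOD}
    for needle in RULE_PAYLOAD_CONTENTS:
        # Content matches without distance/within search the whole payload.
        label = needle.decode("ascii").replace("\r\n", "|0D 0A|")
        results['payload contains "%s"' % label] = needle in raw
    # depth:15 limits the search to the first 15 bytes of the client body.
    results["'+' in first %d body bytes" % RULE_BODY_DEPTH] = (
        RULE_BODY_CONTENT in body[:RULE_BODY_DEPTH]
    )
    return results


def rule_fires(raw: bytes) -> bool:
    """The rule alerts only when every content match succeeds."""
    return all(evaluate_rule(raw).values())


# Constructed request shaped the way the rule expects (would alert).
MATCHING_REQUEST = (
    b"POST /panel1/gate.php HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"+abcdefghi"
)

# Request line and headers as shown in the captured POST on this page; the
# body is a placeholder of the advertised length because the dump does not
# preserve the bytes.
CAPTURED_REQUEST = (
    b"POST /panel1/gate.php HTTP/1.0\r\n"
    b"Host: evaroma.zone\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 80\r\n"
    b"Accept-Language: en-US\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    + b"\x00" * 80
)

if __name__ == "__main__":
    for name, req in (("constructed", MATCHING_REQUEST),
                      ("captured headers", CAPTURED_REQUEST)):
        print(name, "fires:", rule_fires(req))
        for option, hit in evaluate_rule(req).items():
            print("   ", "ok " if hit else "NO ", option)
```

Running the block shows the method and path matches succeeding for the captured headers while the " HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|" match fails, because the capture uses HTTP/1.0 and carries no Cache-Control header. When tuning a signature against a sample like this one, checking each content option separately in this way tells you which option is responsible for a miss before the rule is deployed.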
