Possible Kovter Variant: exe1.exe (Malware / Crimeware), 223.76.42.85:443, PCAP File Download Traffic Analysis Sample

Attachment: pcap exe1 (68 KB), added May 15, 2017

SHA256:          269023640945edff37e0436baf411e3e2d9bf0cec03a8163fbb3379a7d5badb1
File name:       exe1.exe
Detection ratio: 22 / 61
Analysis date:   2017-05-15 00:00:24 UTC

Engine                   Result                                              Engine update (YYYYMMDD)
AVware                   Trojan.Win32.Kovter.ab (v)                          20170515
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9999          20170503
Bkav                     W32.eHeur.Virus02                                   20170513
CrowdStrike Falcon (ML)  malicious_confidence_94% (W)                        20170130
Cyren                    W32/Kovter.T2.gen!Eldorado                          20170515
Endgame                  malicious (high confidence)                         20170503
ESET-NOD32               a variant of Win32/GenKryptik.AGAC                  20170515
F-Prot                   W32/Kovter.T2.gen!Eldorado                          20170514
Fortinet                 W32/GenKryptik.AFPN!tr                              20170514
Invincea                 virus.win32.sality.at                               20170413
Kaspersky                UDS:DangerousObject.Multi.Generic                   20170514
McAfee                   Artemis!DE1F818A287B                                20170515
McAfee-GW-Edition        BehavesLike.Win32.BadFile.gc                        20170514
Rising                   Malware.Undefined!8.C (cloud:RA3tBva6d7P)           20170514
Sophos                   Mal/Kovter-Z                                        20170514
Symantec                 Trojan.Gen.8!cloud                                  20170514
Tencent                  Win32.Trojan.Inject.Auto                            20170515
VIPRE                    Trojan.Win32.Kovter.ab (v)                          20170515

2017-05-14 21:32:27.399290 IP 192.168.1.102.58057 > 70.182.140.16.80: Flags [P.], seq 0:433, ack 1, win 256, length 433: HTTP: GET /wp-content/uploads/2017/03//counter/exe1.exe HTTP/1.1
GET /wp-content/uploads/2017/03//counter/exe1.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: freeartsnyc.org
Connection: Keep-Alive

2017-05-14 21:34:22.672365 IP 192.168.1.102.58209 > 35.124.29.38.443: Flags [S], seq 1366470500, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.765870 IP 192.168.1.102.58211 > 124.93.160.218.443: Flags [S], seq 2784169855, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.766854 IP 192.168.1.102.58210 > 216.6.132.247.80: Flags [S], seq 2000367277, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.792401 IP 192.168.1.102.58219 > 175.96.58.52.443: Flags [S], seq 3114385773, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:22.880564 IP 192.168.1.102.58220 > 182.178.10.102.80: Flags [S], seq 2201130109, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:22.880570 IP 192.168.1.102.58221 > 146.159.74.31.80: Flags [S], seq 3130893425, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:22.997439 IP 192.168.1.102.58222 > 134.190.211.158.80: Flags [S], seq 2358971813, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:23.889670 IP 192.168.1.102.58212 > 136.50.99.140.80: Flags [S], seq 37761678, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:23.952480 IP 192.168.1.102.58227 > 121.244.215.34.80: Flags [S], seq 1123934977, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:24.062570 IP 192.168.1.102.58228 > 223.76.42.85.443: Flags [S], seq 1119608672, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:24.373379 IP 192.168.1.102.58229 > 167.27.194.239.80: Flags [S], seq 1130381728, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:24.745787 IP 192.168.1.102.58213 > 210.91.221.21.80: Flags [S], seq 1557312139, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:24.820859 IP 192.168.1.102.58214 > 40.127.136.129.80: Flags [S], seq 2843399823, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:24.820866 IP 192.168.1.102.58215 > 173.23.100.15.8080: Flags [S], seq 2884237608, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:24.876854 IP 192.168.1.102.58223 > 120.100.12.52.443: Flags [S], seq 1043524140, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:25.030274 IP 192.168.1.102.58224 > 71.109.147.19.443: Flags [S], seq 2883965968, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:25.035855 IP 192.168.1.102.58225 > 40.60.27.197.8080: Flags [S], seq 102412616, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:25.079030 IP 192.168.1.102.58230 > 5.59.34.229.8080: Flags [S], seq 2711489956, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:25.300962 IP 192.168.1.102.58226 > 52.217.168.128.80: Flags [S], seq 2390880875, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:26.015318 IP 192.168.1.102.58231 > 159.44.212.200.80: Flags [S], seq 298475904, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:26.089837 IP 192.168.1.102.58232 > 102.21.253.151.80: Flags [S], seq 1335047745, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:26.432280 IP 192.168.1.102.58233 > 87.140.238.28.443: Flags [S], seq 1845117245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
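What the excerpt above shows: 192.168.1.102 fetches exe1.exe over plain HTTP from freeartsnyc.org (a wp-content/uploads path on a WordPress site, MSIE 8 user agent), and about two minutes later the same host fires bare SYNs at 22 distinct public addresses on ports 80, 443 and 8080 within roughly four seconds. Only client-side packets are in the excerpt, so it does not tell you which of those hosts answered, and a SYN list alone cannot distinguish peer discovery from C2 fallback. The script below is an added example (not the page author's tooling) that parses tcpdump summary lines, pulls out the executable download and the SYN fan-out, and correlates the two per client. The sample text is copied from the capture above, with the tcpdump -A payload dump lines dropped and the SYN list trimmed to twelve entries; the window and threshold values are assumptions you would tune against your own baseline.

```python
"""Triage helper for tcpdump summary output: find an HTTP fetch of a Windows
executable and a following burst of SYNs from the same host to many public
addresses. Added example; sample lines are copied from the capture on this
page (payload dumps dropped, SYN list trimmed). Thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SAMPLE = """\
2017-05-14 21:32:27.399290 IP 192.168.1.102.58057 > 70.182.140.16.80: Flags [P.], seq 0:433, ack 1, win 256, length 433: HTTP: GET /wp-content/uploads/2017/03//counter/exe1.exe HTTP/1.1
2017-05-14 21:34:22.672365 IP 192.168.1.102.58209 > 35.124.29.38.443: Flags [S], seq 1366470500, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.765870 IP 192.168.1.102.58211 > 124.93.160.218.443: Flags [S], seq 2784169855, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.766854 IP 192.168.1.102.58210 > 216.6.132.247.80: Flags [S], seq 2000367277, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:22.792401 IP 192.168.1.102.58219 > 175.96.58.52.443: Flags [S], seq 3114385773, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:22.880564 IP 192.168.1.102.58220 > 182.178.10.102.80: Flags [S], seq 2201130109, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:22.880570 IP 192.168.1.102.58221 > 146.159.74.31.80: Flags [S], seq 3130893425, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:24.062570 IP 192.168.1.102.58228 > 223.76.42.85.443: Flags [S], seq 1119608672, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:24.820866 IP 192.168.1.102.58215 > 173.23.100.15.8080: Flags [S], seq 2884237608, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-14 21:34:25.035855 IP 192.168.1.102.58225 > 40.60.27.197.8080: Flags [S], seq 102412616, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:25.300962 IP 192.168.1.102.58226 > 52.217.168.128.80: Flags [S], seq 2390880875, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:26.089837 IP 192.168.1.102.58232 > 102.21.253.151.80: Flags [S], seq 1335047745, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-14 21:34:26.432280 IP 192.168.1.102.58233 > 87.140.238.28.443: Flags [S], seq 1845117245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# One tcpdump TCP summary line; the trailing ": HTTP: <request line>" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?length (?P<length>\d+)"
    r"(?:: HTTP: (?P<http>.*))?$"
)

def parse_tcpdump(text):
    """One dict per summary line; -A payload dump lines do not match and are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S.%f")
        for k in ("sport", "dport", "length"):
            r[k] = int(r[k])
        recs.append(r)
    return recs

def exe_downloads(recs):
    """(ts, client, server, path) for every HTTP GET whose path ends in .exe."""
    hits = []
    for r in recs:
        if r["http"] and r["http"].startswith("GET "):
            path = r["http"].split()[1]
            if path.lower().endswith(".exe"):
                hits.append((r["ts"], r["src"], r["dst"], path))
    return hits

def syn_fanout(recs, window_s=10.0, min_targets=10):
    """Per client, the largest set of distinct public hosts sent a bare SYN inside window_s."""
    by_src = defaultdict(list)
    for r in recs:
        # Only client-initiated SYNs (flags exactly "S") to non-RFC1918 destinations count.
        if r["flags"] == "S" and not ipaddress.ip_address(r["dst"]).is_private:
            by_src[r["src"]].append(r)
    alerts = []
    for src, syns in by_src.items():
        syns.sort(key=lambda r: r["ts"])
        best = None
        for i, first in enumerate(syns):
            win = [r for r in syns[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            targets = {r["dst"] for r in win}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {"src": src, "start": first["ts"], "end": win[-1]["ts"],
                        "targets": targets, "ports": sorted({r["dport"] for r in win})}
        if best:
            alerts.append(best)
    return alerts

def correlate(recs, max_gap_s=600.0):
    """Pair an .exe download with a SYN burst from the same client that starts within max_gap_s."""
    bursts = syn_fanout(recs)
    findings = []
    for ts, client, server, path in exe_downloads(recs):
        for b in bursts:
            gap = (b["start"] - ts).total_seconds()
            if b["src"] == client and 0 <= gap <= max_gap_s:
                findings.append({"host": client, "download": f"{server} {path}", "gap_s": gap,
                                 "targets": len(b["targets"]), "ports": b["ports"]})
    return findings

if __name__ == "__main__":
    for f in correlate(parse_tcpdump(SAMPLE)):
        print(f)
```

Run it on the output of `tcpdump -nn -tttt -r exe1.pcap tcp` (the `-A` dump lines are simply ignored by the regex). Only packets with flags exactly `S` are counted, so SYN-ACKs from servers never inflate the fan-out, and private destinations are excluded so that internal service discovery does not trip it. The correlation step is what turns a noisy "many SYNs" signal into something worth paging on: an executable fetched over HTTP followed within minutes by the same client opening connections to a dozen unrelated public hosts on 80/443/8080.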
