Remote Access Trojan RAT svchost.exe 163.172.160.227.4443 PCAP file download traffic sample

Download Attachments

  • 1 pcap: vclean
    Date added: January 26, 2018 5:47 am; Added by: admin; File size: 10 KB; Downloads: 132
46 engines detected this file
SHA-256: 8a100d3324a2c579fcc56203d9f14e0d6e3448b3ed65769136c8dc21376ef0e5
File name: vujpdi0f2gg.exe
File size: 135.5 KB
Last analysis: 2018-01-25 16:06:53 UTC
Community score: -192

Remote Access
  • Contains a remote desktop related string
  • Tries to identify its external IP address
  • Uses network protocols on unusual ports
Persistence
  • Injects into explorer
  • Modifies auto-execute functionality by setting/creating a value in the registry
  • Spawns a lot of processes
Fingerprint
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Tries to identify its external IP address
Evasive
  • References security related windows services

2018-01-25 22:29:58.706000 IP 192.168.1.102.53078 > 185.5.250.1.80: Flags [P.], seq 0:491, ack 1, win 256, length 491: HTTP: GET /svhost.exe HTTP/1.1
GET /svhost.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: ih803741.myihor.ru
Connection: Keep-Alive

2018-01-25 22:30:02.831571 IP 192.168.1.102.53071 > 163.172.69.166.59001: Flags [.], ack 742995757, win 254, length 0
2018-01-25 22:30:04.486223 IP 192.168.1.102.53074 > 192.52.3.42.9001: Flags [.], ack 552839254, win 254, length 0
2018-01-25 22:30:09.655519 IP 192.168.1.102.53072 > 85.195.235.156.9001: Flags [.], ack 1737552083, win 254, length 0
2018-01-25 22:30:19.202939 IP 192.168.1.102.53078 > 185.5.250.1.80: Flags [.], ack 139197, win 256, length 0
2018-01-25 22:30:19.485702 IP 192.168.1.102.53078 > 185.5.250.1.80: Flags [F.], seq 491, ack 139197, win 256, length 0
2018-01-25 22:30:46.562323 IP 192.168.1.102.53056 > 193.29.187.84.443: Flags [.], ack 1439649620, win 252, length 0
2018-01-25 22:30:55.315824 IP 192.168.1.102.53016 > 212.201.68.152.9002: Flags [.], ack 1203219641, win 256, length 0
2018-01-25 22:30:57.358013 IP 192.168.1.102.53056 > 193.29.187.84.443: Flags [.], ack 587, win 256, length 0
2018-01-25 22:30:57.743066 IP 192.168.1.102.52992 > 163.172.160.227.4443: Flags [.], ack 3560269012, win 256, length 0
2018-01-25 22:31:06.765146 IP 192.168.1.102.53056 > 193.29.187.84.443: Flags [.], ack 1173, win 254, length 0
2018-01-25 22:31:08.087037 IP 192.168.1.102.53030 > 78.142.140.242.443: Flags [.], ack 2176211347, win 254, length 0
2018-01-25 22:31:10.302686 IP 192.168.1.102.53032 > 192.99.54.193.443: Flags [.], ack 857566908, win 252, length 0
2018-01-25 22:31:10.365895 IP 192.168.1.102.53036 > 204.9.50.25.443: Flags [.], ack 1977859622, win 254, length 0
2018-01-25 22:31:11.010296 IP 192.168.1.102.53058 > 185.106.154.118.9001: Flags [.], ack 2473997425, win 257, length 0
2018-01-25 22:31:12.410169 IP 192.168.1.102.53026 > 192.42.113.102.9001: Flags [.], ack 807116727, win 254, length 0
2018-01-25 22:31:12.782323 IP 192.168.1.102.53028 > 51.255.50.238.9001: Flags [.], ack 718161740, win 254, length 0
2018-01-25 22:31:13.388288 IP 192.168.1.102.53011 > 94.23.247.42.443: Flags [.], ack 1495312634, win 258, length 0
2018-01-25 22:31:14.894322 IP 192.168.1.102.53018 > 148.251.229.164.443: Flags [.], ack 33444906, win 254, length 0
2018-01-25 22:31:16.763871 IP 192.168.1.102.53045 > 5.200.23.84.9001: Flags [.], ack 866063118, win 252, length 0
