RuKometa/Loadmoney Clickfraud Browser Hijacker Trojan Malware Full PCAP File Download Sample

Download Attachments

  • pcap: start_page (25 KB), added November 3, 2016
SHA256: 2030f0f9fa95e6e824d12664b48344c6e4fd58e607c96e6300c88a8292d1f743
File name: start_page.exe
Detection ratio: 44 / 56
Analysis date: 2016-11-03 00:13:49 UTC

Engine            Detection                                           Signature date (YYYYMMDD)
ALYac             Trojan.GenericKD.3295123                            20161103
AVG               Generic38.TUP                                       20161102
AVware            Trojan.Win32.Generic!BT                             20161102
Ad-Aware          Trojan.GenericKD.3295123                            20161103
AegisLab          Adware.W32.Extbro!c                                 20161102
AhnLab-V3         Trojan/Win32.Mupad.N2015670647                      20161102
Arcabit           Trojan.Generic.D324793                              20161102
Avast             Win32:Malware-gen                                   20161102
Avira (no cloud)  PUA/LoadMoney.fgl                                   20161102
BitDefender       Trojan.GenericKD.3295123                            20161102
CAT-QuickHeal     Trojan.Mupad                                        20161102
ClamAV            Win.Adware.Extbro-1                                 20161102
Comodo            ApplicUnwnt.Win32.RuKometa.A                        20161102
Cyren             W32/Trojan.TZEV-5241                                20161102
DrWeb             Trojan.LoadMoney.1452                               20161102
ESET-NOD32        a variant of Win32/RuKometa.E potentially unwanted  20161103
Emsisoft          Trojan.GenericKD.3295123 (B)                        20161102
F-Secure          Trojan.GenericKD.3295123                            20161102
Fortinet          Adware/ExtBro                                       20161102

The listing is truncated after Fortinet; 56 engines scanned the file. The family names that appear (LoadMoney, RuKometa, ExtBro) match the title, and three engines (Avira, Comodo, ESET-NOD32) rate the file as potentially unwanted/adware rather than as a trojan.

2016-11-02 18:45:42.302908 IP 192.168.1.102.52435 > 109.248.241.88.80: Flags [P.], seq 0:410, ack 1, win 256, length 410: HTTP: GET /start_page.exe HTTP/1.1
GET /start_page.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=274054-
Unless-Modified-Since: Thu, 02 Jun 2016 14:04:55 GMT
If-Range: "57503d07-e46d8"
Host: fiqaysitixjp.courtyardbang.ru
Connection: Keep-Alive

Note the Range header: this request resumes a download from byte 274054, with If-Range and Unless-Modified-Since carrying the validators from an earlier, interrupted transfer, so the response on this connection is only the tail of the file. Carving start_page.exe from this stream alone will not yield a file that matches the SHA256 above. The User-Agent (MSIE 8.0, Windows NT 5.1) and the Accept list are those of the Internet Explorer download path on Windows XP, so the fetch came through the browser stack.

2016-11-02 18:45:47.553983 IP 192.168.1.102.52436 > 104.16.92.188.80: Flags [P.], seq 0:206, ack 1, win 256, length 206: HTTP: GET /COMODORSACertificationAuthority.crl HTTP/1.1
GET /COMODORSACertificationAuthority.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.comodoca.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
2016-11-02 18:45:47.577737 IP 192.168.1.102.52436 > 104.16.92.188.80: Flags [.], ack 1334, win 251, length 0
2016-11-02 18:45:47.881315 IP 192.168.1.102.52436 > 104.16.92.188.80: Flags [P.], seq 206:403, ack 1334, win 251, length 197: HTTP: GET /COMODORSACodeSigningCA.crl HTTP/1.1
GET /COMODORSACodeSigningCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.comodoca.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
2016-11-02 18:45:47.902398 IP 192.168.1.102.52436 > 104.16.92.188.80: Flags [.], ack 4254, win 256, length 0

The two Microsoft-CryptoAPI requests, five seconds after the download, come from the Windows certificate validator rather than from the browser: they pull the COMODO RSA Certification Authority and COMODO RSA Code Signing CA CRLs, which is what Windows does when it checks an Authenticode signature chaining to that CA. That is a strong sign that start_page.exe is code-signed with a Comodo-issued certificate. A valid signature says nothing about intent; 44 of 56 engines still flagged the file.

2016-11-02 18:45:54.452936 IP 192.168.1.102.52437 > 185.20.186.52.80: Flags [P.], seq 0:500, ack 1, win 256, length 500: HTTP: GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%66%46%13%03%46%93%93%26%53%66%73%03%43%53%16%53%26%43%46%56%73%93%66%46%56%23%53%63%03%23%63%03%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%66%46%13%03%46%93%93%26%53%66%73%03%43%53%16%53%26%43%46%56%73%93%66%46%56%23%53%63%03%23%63%03%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: start_page 3.35
Host: g.azmagis.ru
Cache-Control: no-cache
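
The request path sent to g.azmagis.ru is not random. Percent-decode it and swap the two nibbles of every byte (0xf3 becomes 0x3f, the character '?'; 0x07 becomes 0x70, 'p') and it reads as an ordinary query string with prod, version, guid, mid, os, bit and action fields. The script below is an added example written for this page, not code from the sample or from this site; its only input is SAMPLE_PATH, copied from the GET above, and the function names and the looks_like_swapped_beacon heuristic are my own, not a vendor signature. The decoded prod=start_page, version=3.35, os=5.1 and bit=32 agree with the User-Agent "start_page 3.35" of this request and the Windows NT 5.1 user agent of the download, which confirms the decoding.

```python
"""Decode the start_page beacon path seen in the capture above.

Added example, not code from the sample or from this site. The only input is
SAMPLE_PATH, copied from the GET to g.azmagis.ru. Every byte of the query
string has had its two nibbles swapped and was then percent-encoded, so
0x3f '?' appears as %f3, 0x70 'p' as %07, and so on.
"""
import re
import string
from urllib.parse import parse_qsl, unquote_to_bytes

# Request path copied from the capture (packet to 185.20.186.52:80).
SAMPLE_PATH = "/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%66%46%13%03%46%93%93%26%53%66%73%03%43%53%16%53%26%43%46%56%73%93%66%46%56%23%53%63%03%23%63%03%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6"

# A beacon path is nothing but %xx escapes: a literal character would not
# survive the swap (e.g. 'a' 0x61 becomes 0x16, which is not URL-safe).
_PCT_ONLY = re.compile(r"^(?:%[0-9a-fA-F]{2})+$")


def swap_nibbles(data: bytes) -> bytes:
    """Exchange the high and low nibble of every byte (0xf3 -> 0x3f).
    The transform is its own inverse, so it serves both directions."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def decode_beacon(path: str) -> str:
    """Percent-decode the path, undo the nibble swap and return the plain
    query string ("?prod=...").  Raises ValueError when the result is not
    printable ASCII, i.e. when the path is not one of these beacons."""
    raw = unquote_to_bytes(path.lstrip("/"))
    try:
        text = swap_nibbles(raw).decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("not ASCII after nibble swap") from exc
    if not all(ch in string.printable for ch in text):
        raise ValueError("non-printable bytes after nibble swap")
    return text


def parse_beacon(path: str) -> dict:
    """Decoded query string as a dict of field -> value."""
    query = decode_beacon(path).lstrip("?")
    return dict(parse_qsl(query, keep_blank_values=True))


def encode_beacon(text: str) -> str:
    """Reverse of decode_beacon: swap nibbles, percent-encode every byte.
    Lets you build test traffic for a detection rule and confirm that a
    decoding round-trips to the captured path."""
    return "/" + "".join(f"%{b:02x}" for b in swap_nibbles(text.encode("ascii")))


def looks_like_swapped_beacon(path: str) -> bool:
    """Heuristic for scanning proxy logs (an assumption of this example, not a
    vendor signature): the path consists only of %xx escapes and nibble-
    swapping it yields a printable query string that starts with '?'."""
    if not _PCT_ONLY.match(path.lstrip("/")):
        return False
    try:
        return decode_beacon(path).startswith("?")
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed mini log: the three request paths seen in the pcap.
    for p in (SAMPLE_PATH, "/start_page.exe", "/COMODORSACodeSigningCA.crl"):
        print(looks_like_swapped_beacon(p), p[:40])
    for field, value in parse_beacon(SAMPLE_PATH).items():
        print(f"{field}={value}")
```

The guid and mid values are per-install identifiers, so they are what to pivot on when correlating several hosts, while the domain, the bare "start_page 3.35" User-Agent and the all-percent-encoded path are the stable traits worth a proxy or IDS rule.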

 
