
Totbrick/Trickbot TrickLoader Trojan Inject Malware FULL PCAP File download Traffic Sample

SHA256: e1d2408319fd7422edceef476038d7a74f0bda73418b2b534d59d1d2e2dbd392
File name: ntskdfdsokfnt.exe
Detection ratio: 42 / 56
Analysis date: 2016-11-02 02:21:49 UTC

Engine                    Result                                           Update
ALYac                     Trojan.Injector                                  20161102
AVG                       Generic_vb.NKH                                   20161101
AVware                    Trojan.Win32.Generic!BT                          20161102
Ad-Aware                  Trojan.GenericKD.3653307                         20161102
AegisLab                  Uds.Dangerousobject.Multi!c                      20161102
AhnLab-V3                 Trojan/Win32.Inject.N2143146239                  20161101
Antiy-AVL                 Trojan/Win32.Inject                              20161102
Arcabit                   Trojan.Generic.D37BEBB                           20161102
Avast                     Win32:Malware-gen                                20161102
Avira (no cloud)          TR/Dropper.VB.fufrv                              20161101
Baidu                     Win32.Trojan.WisdomEyes.16070401.9500.9999       20161101
BitDefender               Trojan.GenericKD.3653307                         20161102
Bkav                      HW32.Packed.61C8                                 20161101
ClamAV                    Win.Trojan.Generic-3375                          20161101
Comodo                    UnclassifiedMalware                              20161102
CrowdStrike Falcon (ML)   malicious_confidence_100% (W)                    20161024
DrWeb                     Trojan.DownLoader22.63827                        20161102
ESET-NOD32                Win32/Agent.RYE                                  20161101
Emsisoft                  Trojan.GenericKD.3653307 (B)                     20161102
F-Secure                  Trojan.GenericKD.3653307                         20161102
Fortinet                  W32/Inject.ABUKT!tr                              20161102

2016-11-01 21:18:38.096033 IP 192.168.1.102.51063 > 203.199.134.21.80: Flags [P.], seq 0:295, ack 1, win 256, length 295: HTTP: GET /pdf/ntskdfdsokfnt.exe HTTP/1.1
GET /pdf/ntskdfdsokfnt.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: futuras.com
Connection: Keep-Alive

2016-11-01 21:18:38.388002 IP 192.168.1.102.51063 > 203.199.134.21.80: Flags [.], ack 5841, win 256, length 0

2016-11-01 21:18:53.344410 IP 192.168.1.102.51064 > 78.47.139.102.80: Flags [P.], seq 0:94, ack 1, win 256, length 94: HTTP: GET /raw HTTP/1.1
GET /raw HTTP/1.1
User-Agent: TrickLoader
Host: myexternalip.com
Connection: Keep-Alive

2016-11-01 21:18:53.524983 IP 192.168.1.102.51064 > 78.47.139.102.80: Flags [.], ack 229, win 255, length 0
2016-11-01 21:18:53.553345 IP 192.168.1.102.51065 > 91.219.28.77.443: Flags [S], seq 2494201117, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:18:56.557424 IP 192.168.1.102.51065 > 91.219.28.77.443: Flags [S], seq 2494201117, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0


2016-11-01 21:19:23.512574 IP 192.168.1.102.51064 > 78.47.139.102.80: Flags [F.], seq 94, ack 230, win 255, length 0
2016-11-01 21:19:29.497740 IP 192.168.1.102.51066 > 91.219.28.77.443: Flags [S], seq 4114776277, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:19:32.504084 IP 192.168.1.102.51066 > 91.219.28.77.443: Flags [S], seq 4114776277, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:19:38.511355 IP 192.168.1.102.51066 > 91.219.28.77.443: Flags [S], seq 4114776277, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2016-11-01 21:19:44.026331 IP 192.168.1.102.51063 > 203.199.134.21.80: Flags [F.], seq 295, ack 276784, win 1414, length 0
2016-11-01 21:19:44.305462 IP 192.168.1.102.51063 > 203.199.134.21.80: Flags [.], ack 276785, win 1414, length 0
2016-11-01 21:20:05.520585 IP 192.168.1.102.51067 > 91.219.28.77.443: Flags [S], seq 2763395530, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:20:08.526873 IP 192.168.1.102.51067 > 91.219.28.77.443: Flags [S], seq 2763395530, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:20:14.527645 IP 192.168.1.102.51067 > 91.219.28.77.443: Flags [S], seq 2763395530, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2016-11-01 21:20:16.876091 IP 192.168.1.102.50732 > 75.75.75.75.53: 36224+ A? cdn.onenote.net. (33)
2016-11-01 21:20:16.900676 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [S], seq 1235961050, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:20:16.934084 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [.], ack 1769653250, win 256, length 0
2016-11-01 21:20:16.934606 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [P.], seq 0:192, ack 1, win 256, length 192
[TLS ClientHello payload, 192 bytes; SNI: cdn.onenote.net]
2016-11-01 21:20:16.958721 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [.], ack 2921, win 256, length 0
2016-11-01 21:20:16.959527 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [.], ack 4575, win 256, length 0
2016-11-01 21:20:16.962831 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [P.], seq 192:318, ack 4575, win 256, length 126
2016-11-01 21:20:16.987242 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [P.], seq 318:468, ack 4817, win 255, length 150
2016-11-01 21:20:17.005877 IP 192.168.1.102.51068 > 23.212.170.190.443: Flags [.], ack 6818, win 256, length 0
2016-11-01 21:20:41.466670 IP 192.168.1.102.51069 > 193.9.28.24.443: Flags [S], seq 3432851619, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:20:44.467043 IP 192.168.1.102.51069 > 193.9.28.24.443: Flags [S], seq 3432851619, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-11-01 21:20:50.474757 IP 192.168.1.102.51069 > 193.9.28.24.443: Flags [S], seq 3432851619, win 65535, options [mss 1460,nop,nop,sackOK], length 0
