Xrat-R Remote Access Trojan h1h1tl3r.click Off1c3v4l1dK3y2017s.exe Malware Backdoor PCAP file Download Traffic Analysis

Download Attachments

  • pcap office2017 (49 KB) — Date added: February 20, 2017 4:40 am, Added by: admin, Downloads: 51

The sample, detected by Sophos as Troj/Xrat-R, exhibits the following characteristics:

File Information
  Size: 1.1M
  SHA-1: 5c533a9f95f69c98f5926810f0cf78fa7a6cf447
  MD5: c6e081d416d2bde4d450f7dc34c1351c
  CRC-32: f70ab7ef
  File type: Windows executable
  First seen: 2016-12-11

Runtime Analysis

Registry Keys Created
  • HKCU\Software\zUB8dknwC
    Value: InstalledServer = c:\Documents and Settings\test user\Application Data\f6hjg\28dpo.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Value: GWlgQh = C:\GWlgQhGWlgQh\GWlgQh.vbs
Processes Created
  • c:\Documents and Settings\test user\application data\f6hjg\28dpo.exe (the copied-in server binary named by InstalledServer)
  • c:\windows\microsoft.net\framework\v2.0.50727\csc.exe (the .NET 2.0 C# compiler, spawned at runtime)

2017-02-18 07:24:47.085846 IP 192.168.1.102.55839 > 108.179.232.87.80: Flags [P.], seq 0:317, ack 1, win 256, length 317: HTTP: GET /Off1c3v4l1dK3y2017s.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: dryversdocumentsandcustomer.com
Connection: Keep-Alive

2017-02-18 07:26:16.924122 IP 192.168.1.102.62494 > 75.75.75.75.53: 42747+ A? sslwin.moneyhome.biz. (38)
2017-02-18 07:26:17.036254 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:20.036795 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:26.037104 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:26:34.553249 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:26:43.302596 IP 192.168.1.102.60917 > 75.75.75.75.53: 53811+ A? d.dropbox.com. (31)
2017-02-18 07:26:48.033633 IP 192.168.1.102.60918 > 75.75.75.75.53: 26266+ A? c0pywins.is-not-certified.com. (47)

2017-02-18 07:27:19.096213 IP 192.168.1.102.61329 > 75.75.75.75.53: 53682+ A? h1h1tl3r.click. (32)
2017-02-18 07:27:19.231571 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:20.699792 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:27:22.231434 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:28.231236 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
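The capture above tells a short story: the infected host fetches Off1c3v4l1dK3y2017s.exe over plain HTTP from dryversdocumentsandcustomer.com (108.179.232.87), then resolves sslwin.moneyhome.biz and h1h1tl3r.click and immediately sends SYNs to 189.149.72.13 and 199.233.237.21 on TCP/900. Each SYN is sent three times with the same sequence number and no reply ever appears, so neither C2 was answering during this capture (the third SYN dropping the wscale option is normal Windows retransmission behaviour, not a different connection). The UDP/3544 packets to 157.56.31.43 are most likely Teredo background traffic from Windows rather than the malware. The following script is an added example (not from the original post) that pulls those indicators out of tcpdump text output: it ignores the hex/ASCII dump lines, extracts DNS queries and HTTP requests (with the Host header), counts SYN retransmissions per destination, and pairs each lookup with the first new connection that follows it. SAMPLE is constructed from the packet lines on this page; the 5-second DNS-to-connect window and the retry threshold are my own assumptions, and the name-to-address pairing is a heuristic because the capture shows no DNS answers.

```python
"""Extract indicators from tcpdump text output (added example, not the post's own code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed from the packet summary lines on this page; payload dumps omitted.
SAMPLE = """\
2017-02-18 07:24:47.085846 IP 192.168.1.102.55839 > 108.179.232.87.80: Flags [P.], seq 0:317, ack 1, win 256, length 317: HTTP: GET /Off1c3v4l1dK3y2017s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: dryversdocumentsandcustomer.com
2017-02-18 07:26:16.924122 IP 192.168.1.102.62494 > 75.75.75.75.53: 42747+ A? sslwin.moneyhome.biz. (38)
2017-02-18 07:26:17.036254 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:20.036795 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:26:26.037104 IP 192.168.1.102.55848 > 189.149.72.13.900: Flags [S], seq 1769736925, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:26:34.553249 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:26:43.302596 IP 192.168.1.102.60917 > 75.75.75.75.53: 53811+ A? d.dropbox.com. (31)
2017-02-18 07:27:19.096213 IP 192.168.1.102.61329 > 75.75.75.75.53: 53682+ A? h1h1tl3r.click. (32)
2017-02-18 07:27:19.231571 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:22.231434 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:27:28.231236 IP 192.168.1.102.55854 > 199.233.237.21.900: Flags [S], seq 2862954159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$")
DNS_RE = re.compile(r"\d+\+ A\? (?P<name>\S+) \(\d+\)$")
HTTP_RE = re.compile(r"HTTP: (?P<method>GET|POST) (?P<path>\S+) HTTP/")
SYN_RE = re.compile(r"^Flags \[S\], seq (?P<seq>\d+),")


def parse_line(line):
    """Packet summary line -> dict; None for header, payload-dump or blank lines."""
    m = PKT_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    return p


def extract_iocs(text):
    """Split the capture into DNS queries, HTTP requests and outbound SYNs."""
    dns, http, syns = [], [], []
    for line in text.splitlines():
        if line.startswith("Host: ") and http:   # header belongs to the last request
            http[-1]["host"] = line[len("Host: "):].strip()
            continue
        p = parse_line(line)
        if p is None:
            continue
        m = DNS_RE.search(p["rest"])
        if p["dport"] == 53 and m:
            dns.append((p["ts"], m["name"].rstrip(".")))
            continue
        m = HTTP_RE.search(p["rest"])
        if m:
            http.append({"dst": p["dst"], "dport": p["dport"], "method": m["method"],
                         "path": m["path"], "host": None})
            continue
        m = SYN_RE.match(p["rest"])
        if m:
            syns.append((p["ts"], p["src"], p["sport"], p["dst"], p["dport"], int(m["seq"])))
    return dns, http, syns


def unanswered_connects(syns, min_syns=2):
    """SYNs per destination that were retransmitted. A client only resends a SYN
    with the same sequence number when neither SYN-ACK nor RST came back, so
    repeats mean the peer never answered. (min_syns=2 is an assumed threshold.)"""
    per_socket = defaultdict(int)
    for _ts, src, sport, dst, dport, seq in syns:
        per_socket[(src, sport, dst, dport, seq)] += 1
    result = defaultdict(int)
    for (_src, _sport, dst, dport, _seq), n in per_socket.items():
        if n >= min_syns:
            result[(dst, dport)] += n
    return dict(result)


def correlate_dns(dns, syns, window_s=5.0):
    """Heuristic: pair each A query with the first *new* outbound SYN within
    window_s seconds. The capture shows no DNS answers, so this is a guess at
    which name resolved to which address; the window is an assumption."""
    seen, first_syns = set(), []
    for ts, src, sport, dst, dport, seq in syns:
        if (src, sport, dst, dport, seq) not in seen:
            seen.add((src, sport, dst, dport, seq))
            first_syns.append((ts, dst, dport))
    result = {}
    for qts, name in dns:
        hits = [(dst, dport) for ts, dst, dport in first_syns
                if 0 <= (ts - qts).total_seconds() <= window_s]
        result[name] = hits[0] if hits else None
    return result


if __name__ == "__main__":
    dns, http, syns = extract_iocs(SAMPLE)
    print("DNS:", [name for _, name in dns])
    print("HTTP:", http)
    print("unanswered connects:", unanswered_connects(syns))
    print("name -> address:", correlate_dns(dns, syns))
```

Run against the real output of `tcpdump -nn -tttt -r <file>` the same functions apply unchanged; d.dropbox.com pairs with nothing here only because no SYN follows it within the window in the lines shown, not because the lookup is innocent.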
