ZBOT ZeuS Banking Trojan Malware melonia.exe PCAP file download Traffic Sample 91.195.103.14

Download: melonia (pcap, 40 KB), added February 20, 2017
Multi-engine antivirus scan of the downloaded file:

SHA256:          149fda05458720c56fe36871c2d8991a4f67ad87fb512873c6e7b481fca078c0
File name:       melonia.exe
Detection ratio: 13 / 58
Analysis date:   2017-02-20 04:22:36 UTC

Antivirus                Result                                        Update
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9990    20170217
BitDefender              Gen:Variant.Midie.35271                       20170220
CrowdStrike Falcon (ML)  malicious_confidence_100% (D)                 20170130
Endgame                  malicious (high confidence)                   20170217
Invincea                 trojandropper.win32.small.pq                  20170203
K7GW                     Hacktool ( 655367771 )                        20170220
Kaspersky                UDS:DangerousObject.Multi.Generic             20170220
Malwarebytes             Trojan.Xcsidl                                 20170220
McAfee                   Artemis!395315BF3E1F                          20170220
McAfee-GW-Edition        Artemis                                       20170219
Qihoo-360                HEUR/QVM07.1.0000.Malware.Gen                 20170220
Symantec                 ML.Attribute.HighConfidence                   20170219
Webroot                  Malicious                                     20170220


Troj/Zbot-LMH exhibits the following characteristics:

File Information
  Size:       124K
  SHA-1:      8d7bc351ed622a28d1c4db09da6ea8c156099581
  MD5:        a6c8dfd98f730c2d9aa33e521acf4514
  CRC-32:     8a762a91
  File type:  Windows executable
  First seen: 2016-07-12


Traffic capture, as tcpdump summary lines from the infected host 192.168.1.102. The per-packet hex/ASCII dumps carried nothing readable beyond the request headers reproduced under the first packet and are omitted here.

2017-02-18 07:18:10.284472 IP 192.168.1.102.55783 > 91.195.103.14.80: Flags [P.], seq 0:287, ack 1, win 256, length 287: HTTP: GET /melonia.exe HTTP/1.1
    GET /melonia.exe HTTP/1.1
    Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Accept-Encoding: gzip, deflate
    Host: 91.195.103.14
    Connection: Keep-Alive

2017-02-18 07:18:26.395354 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:18:32.281760 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [S], seq 1022274422, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.282703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.282905 IP 192.168.1.102.55786 > 197.45.139.121.80: Flags [S], seq 1410864012, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.283680 IP 192.168.1.102.55787 > 212.45.72.145.80: Flags [S], seq 3977795037, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.283856 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [S], seq 3145529474, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.355074 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [.], ack 3468195037, win 256, length 0
2017-02-18 07:18:32.372025 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [F.], seq 0, ack 1, win 256, length 0
2017-02-18 07:18:32.389522 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.412338 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [.], ack 3488374086, win 256, length 0
2017-02-18 07:18:32.463521 IP 192.168.1.102.55787 > 212.45.72.145.80: Flags [.], ack 757101935, win 256, length 0
2017-02-18 07:18:32.483076 IP 192.168.1.102.55786 > 197.45.139.121.80: Flags [.], ack 306858242, win 64952, length 0
2017-02-18 07:18:32.916124 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:33.150537 IP 192.168.1.102.55788 > 73.135.114.157.80: Flags [.], ack 2, win 256, length 0
2017-02-18 07:18:33.446215 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:33.485592 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [.], ack 3792818486, win 64240, length 0
2017-02-18 07:18:33.503674 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 0:164, ack 1, win 64240, length 164: HTTP
2017-02-18 07:18:33.703225 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 0:164, ack 1, win 64240, length 164: HTTP
2017-02-18 07:18:35.237008 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 164:1624, ack 238, win 64003, length 1460: HTTP

2017-02-18 07:18:39.928486 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.928906 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929119 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929297 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:39.929473 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:41.283703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:42.928918 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.928929 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.929374 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.929897 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:42.930440 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929730 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929740 IP 192.168.1.102.55792 > 122.197.210.203.80: Flags [S], seq 517380099, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929743 IP 192.168.1.102.55794 > 109.162.84.248.80: Flags [S], seq 2308039312, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.930683 IP 192.168.1.102.55791 > 115.241.92.185.80: Flags [S], seq 3717034982, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:48.931157 IP 192.168.1.102.55793 > 77.253.60.225.80: Flags [S], seq 119795964, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:49.863870 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:19:00.857340 IP 192.168.1.102.55795 > 46.149.62.141.80: Flags [S], seq 2819666092, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:19:00.857494 IP 192.168.1.102.55796 > 86.104.197.176.80: Flags [S], seq 862654258, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Reading the capture:

07:18:10: the host fetches /melonia.exe over plain HTTP from 91.195.103.14. The server is given as a bare IP in the Host header, there is no Referer, and the User-Agent claims Internet Explorer 8 on Windows NT 5.1 (XP). The response is not part of the excerpt.

07:18:26 and 07:18:49: two identical 61-byte UDP datagrams to 157.56.31.43 port 3544. UDP/3544 is the Teredo port, so this is most likely Windows' own IPv6 tunnelling client keeping its mapping alive, not the sample.

From 07:18:32: roughly 22 seconds after the download, the host starts sending SYNs to TCP/80 on five unrelated addresses at a time (85.17.31.111, 78.88.177.119, 197.45.139.121, 212.45.72.145, 73.135.114.157; then 91.231.57.148, 115.241.92.185, 122.197.210.203, 77.253.60.225, 109.162.84.248; then 46.149.62.141, 86.104.197.176). Most are never answered: the same SYN is retransmitted about 3 and 9 seconds later, the final retry without the window-scaling option. 85.17.31.111, 197.45.139.121, 212.45.72.145 and 73.135.114.157 do answer (the client's bare ACKs follow). To 73.135.114.157 the client completes a handshake, closes with FIN at once, opens a second connection and pushes 164 bytes (retransmitted once) and then 1460 more after the peer has returned 237 bytes (ack 238). tcpdump labels these segments "HTTP" only because of the port; it decodes no request line, so the payload is not recognisable as HTTP. That post-download pattern, a fan-out of short-lived connections to many unrelated hosts on port 80 carrying non-HTTP data, is the part of this capture worth alerting on, independent of the download itself.
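The following script is an added example, not code from the original post: it triages tcpdump summary lines of the kind shown above, listing decoded HTTP requests, per-destination SYN/ACK/push counts, and destinations that were retried but never answered, and it pulls hunting indicators (executable path, IP-literal Host, missing Referer) out of the raw request. The SAMPLE and REQUEST strings are constructed from the summaries and headers on this page; the indicator names and the retry threshold are this example's own choices.

```python
"""Triage of tcpdump summary lines from an HTTP-download capture.

Added example for this page, not code from the original post.  SAMPLE and
REQUEST are constructed from the packet summaries and headers shown above;
the indicator names and the min_syns threshold are this example's own.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

SAMPLE = """\
2017-02-18 07:18:10.284472 IP 192.168.1.102.55783 > 91.195.103.14.80: Flags [P.], seq 0:287, ack 1, win 256, length 287: HTTP: GET /melonia.exe HTTP/1.1
2017-02-18 07:18:26.395354 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
2017-02-18 07:18:32.281760 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [S], seq 1022274422, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.282703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:32.412338 IP 192.168.1.102.55784 > 85.17.31.111.80: Flags [.], ack 3488374086, win 256, length 0
2017-02-18 07:18:33.446215 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [S], seq 25112193, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:33.485592 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [.], ack 3792818486, win 64240, length 0
2017-02-18 07:18:33.503674 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 0:164, ack 1, win 64240, length 164: HTTP
2017-02-18 07:18:35.237008 IP 192.168.1.102.55789 > 73.135.114.157.80: Flags [P.], seq 164:1624, ack 238, win 64003, length 1460: HTTP
2017-02-18 07:18:39.928486 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:41.283703 IP 192.168.1.102.55785 > 78.88.177.119.80: Flags [S], seq 1239151302, win 65535, options [mss 1460,nop,nop,sackOK], length 0
2017-02-18 07:18:42.928918 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-02-18 07:18:48.929730 IP 192.168.1.102.55790 > 91.231.57.148.80: Flags [S], seq 2015127680, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

REQUEST = (  # headers of the first packet, constructed inline
    "GET /melonia.exe HTTP/1.1\r\n"
    "Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: 91.195.103.14\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# "rest" keeps what tcpdump appended after the length: ": HTTP: GET ..." when it
# decoded a request, ": HTTP" when it only guessed by port, or nothing at all.
TCP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"length (?P<length>\d+)(?P<rest>.*)$"
)

def parse_tcp(line):
    """Fields of one TCP summary line; None for UDP/ICMP lines and hex dumps."""
    m = TCP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["length"] = int(d["length"])
    rest = d.pop("rest")
    d["request"] = rest[len(": HTTP: "):] if rest.startswith(": HTTP: ") else None
    return d

def summarize(lines):
    """Per destination: SYNs sent, whether a SYN-ACK ever came back, bytes pushed."""
    flows = defaultdict(lambda: {"syns": 0, "established": False, "pushed_bytes": 0})
    for line in lines:
        p = parse_tcp(line)
        if p is None:
            continue
        f = flows[f"{p['dst']}:{p['dport']}"]
        if p["flags"] == "S":
            f["syns"] += 1
        if "." in p["flags"]:  # ACK bit on an outbound packet: the peer answered
            f["established"] = True
        if "P" in p["flags"]:
            f["pushed_bytes"] += p["length"]
    return dict(flows)

def unanswered(flows, min_syns=2):
    """Destinations retried at least min_syns times that never answered."""
    return sorted(k for k, f in flows.items() if f["syns"] >= min_syns and not f["established"])

def downloads(lines):
    """(destination, request line) for every request tcpdump decoded."""
    return [(f"{p['dst']}:{p['dport']}", p["request"])
            for p in map(parse_tcp, lines) if p and p["request"]]

def request_indicators(raw):
    """Hunting indicators for one raw HTTP request (names are this example's own)."""
    head, *hdrs = raw.replace("\r\n", "\n").strip().split("\n")
    _method, path, _version = head.split(" ", 2)
    headers = {}
    for h in hdrs:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    found = []
    if path.split("?", 1)[0].lower().rsplit(".", 1)[-1] in ("exe", "dll", "scr"):
        found.append("executable path")
    try:
        ip_address(headers.get("host", "").split(":")[0])  # ValueError on a hostname
        found.append("ip-literal host")
    except ValueError:
        pass
    if "referer" not in headers:
        found.append("no referer")  # a page-initiated download would normally carry one
    return found
```

To run it over the real pcap, feed the lines of `tcpdump -nn -tttt -r <file>` into summarize() and downloads(); `-tttt` produces the date-and-time timestamp format the regex expects and `-nn` keeps addresses and ports numeric. On the sample above, unanswered() returns 78.88.177.119 and 91.231.57.148, the two hosts that were retried and never replied, and request_indicators() flags the download on all three counts.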
