BiblePro.exe loads adware downloader: PCAP file download traffic sample

SHA256: 44a0daf79a0949917f8850e0a368c0611861ea53a6a302a2667412ec523d30fa
File name: BiblePro.exe
Detection ratio: 5 / 56
Analysis date: 2016-11-16 02:27:09 UTC

Cyren W32/Backdoor.YFUN-4363 20161116
F-Prot W32/Backdoor2.HTPL 20161116
Ikarus Trojan.Win32.Spy2 20161115
Invincea virus.win32.neshta.a 20161018
Zillya Adware.BrowseFox.Win32.146344 20161115

2016-11-15 18:58:07.120500 IP 192.168.1.102.53061 > 108.175.7.125.80: Flags [P.], seq 0:399, ack 1, win 256, length 399: HTTP: GET /BiblePro.exe HTTP/1.1
E…T.@…n5…fl..}.E.P… …vP…”…GET /BiblePro.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=390195-
Unless-Modified-Since: Tue, 07 Jul 2009 01:04:19 GMT
If-Range: "31aca2db9efec91:0"
Host: biblestudypro.com
Connection: Keep-Alive


E..(b!@….(…f4….F.P”….6..P…rS……..
2016-11-15 18:58:32.183911 IP 192.168.1.102.53062 > 52.201.18.175.80: Flags [P.], seq 0:704, ack 1, win 256, length 704: HTTP: GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
E…b”@….g…f4….F.P”….6..P…….GET /?product=firefox-48.0.2-complete&os=win&lang=en-US HTTP/1.1
Host: download.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Range: bytes=1200000-1499999
Cookie: optimizelyEndUserId=oeu1467151488014r0.33409587144074915; optimizelySegments=%7B%22245875585%22%3A%22direct%22%2C%222427280098%22%3A%22true%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%2C%221867940538%22%3A%22true%22%7D; optimizelyBuckets=%7B%7D; _ga=GA1.2.1371564214.1467151489
Connection: keep-alive

2016-11-15 18:58:32.248603 IP 192.168.1.102.49491 > 75.75.75.75.53: 3181+ A? download.cdn.mozilla.net. (42)

E..(..@…R….f@..     .H.P20…..0P…T………
2016-11-15 18:58:38.127632 IP 192.168.1.102.53064 > 64.22.138.9.80: Flags [P.], seq 0:335, ack 1, win 256, length 335: HTTP: GET /Download/SecureDownloadRedirect.aspx?BiblePro[1].exe HTTP/1.1
E..w..@…Q….f@..     .H.P20…..0P….I..GET /Download/SecureDownloadRedirect.aspx?BiblePro[1].exe HTTP/1.1
Host: biblemaximum.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-11-15 18:58:38.213392 IP 192.168.1.102.53064 > 64.22.138.9.80: Flags [.], ack 457, win 254, length 0
E..(..@…R….f@..     .H.P20……P…Q………

E..(U.@…o….fl..}.I.P.`wh.1t}P…A………
2016-11-15 18:58:38.390008 IP 192.168.1.102.53065 > 108.175.7.125.80: Flags [P.], seq 0:301, ack 1, win 256, length 301: HTTP: GET /BibleStudyPro.exe HTTP/1.1
E..UU.@…nb…fl..}.I.P.`wh.1t}P….K..GET /BibleStudyPro.exe HTTP/1.1
Host: biblestudypro.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-11-15 19:04:44.899098 IP 192.168.1.102.53335 > 23.54.181.163.80: Flags [P.], seq 0:188, ack 1, win 256, length 188: HTTP: GET /crls/secureca.crl HTTP/1.1
E….3@…]….f.6…W.P.=……P…u%..GET /crls/secureca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-15 19:04:44.976495 IP 192.168.1.102.53335 > 23.54.181.163.80: Flags [.], ack 578, win 254, length 0
E..(.4@…^….f.6…W.P.=…..$P….U……..

E..(kR@…`….f.4U..X.P.W.Cp…P………….
2016-11-15 19:04:45.059828 IP 192.168.1.102.53336 > 23.52.85.163.80: Flags [P.], seq 0:183, ack 1, win 256, length 183: HTTP: GET /crls/gtglobal.crl HTTP/1.1
E…kS@…_….f.4U..X.P.W.Cp…P…d…GET /crls/gtglobal.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: g.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-11-15 19:04:45.131000 IP 192.168.1.102.53336 > 23.52.85.163.80: Flags [.], ack 895, win 253, length 0
E..(kT@…`….f.4U..X.P.W..p…P………….

E..8q…..pX…fKKKK…5.$.a………….google.com…..
2016-11-15 19:04:46.474502 IP 192.168.1.102.53330 > 204.27.57.3.80: Flags [P.], seq 282:624, ack 3731, win 63430, length 342: HTTP: GET /products/AdProviders/BibleStudyPro/Joshua.htm HTTP/1.1
E..~.1@…#….f..9..R.P.;._….P…….GET /products/AdProviders/BibleStudyPro/Joshua.htm HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: bibleocean.com
Connection: Keep-Alive