https://www.virustotal.com/cs/file/00f9c0fd7b6ab235bf07a4f1e235940e3e40938c5932a7283568f36d76df673b/analysis/
https://www.virustotal.com/cs/domain/qawsf1gy.bget.ru/information/
http://cybercrime-tracker.net/ccamdetail.php?hash=8a76acba63abcdb9cfc0a71e8c1358c74e8db83b

SPYWARE.CITADEL.ATMOS
Sample: 8a76acba63abcdb9cfc0a71e8c1358c74e8db83b
SHA256: 7331a96dbd2bec70027e259f1cbdaf5c7733b318da39812b22111f85ae730860
Request: Tayuya [2016/09/20 – 23:09:39]
Callback: qawsf1gy.bget.ru
Gate: http://qawsf1gy.bget.ru/file.php|file=us.xml

tcpdump capture of the sample being fetched from the lab web server (192.168.1.100) by the victim host (192.168.1.102); the line before each HTTP request is the ASCII rendering of the IP/TCP header bytes that tcpdump -A prints ahead of the payload:

2016-09-20 10:29:07.228008 IP 192.168.1.102.59912 > 192.168.1.100.80: Flags [P.], seq 1:333, ack 1, win 256, length 332: HTTP: GET /captured/us.exe HTTP/1.1
E..t.d………f…d…P..9..G..P…N<..GET /captured/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive

2016-09-20 10:29:07.228032 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], ack 333, win 237, length 0
E..(f.@.@.P&…d…f.P…G….;.P….5..

2016-09-20 10:29:07.228202 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], seq 1:2921, ack 333, win 237, length 2920: HTTP: HTTP/1.1 […]
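The capture above is the kind of artifact an analyst wants to turn into indicators without re-reading raw tcpdump text by hand. The following is an added example, not code from the original page: a small parser for tcpdump -A style output that reassembles HTTP request lines and headers per packet (tolerating the header-byte junk glued in front of the request line, as in the capture), then flags requests that download an executable, talk to the callback host listed by the tracker (qawsf1gy.bget.ru), or hit the gate script. The sample capture embedded below is constructed: it reuses the request from the page, adds a benign request, and adds a gate request to qawsf1gy.bget.ru. That the gate's "file=us.xml" parameter travels in the query string is an assumption, since the tracker's "file.php|file=us.xml" notation does not say how the bot sends it.

```python
"""Extract HTTP requests from tcpdump -A text output and flag Citadel-style indicators."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Packet summary line: timestamp, src.port > dst.port: ...
PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
# Request line; searched (not anchored) because tcpdump -A prints the IP/TCP
# header bytes immediately before the payload, so junk precedes "GET ...".
REQ_RE = re.compile(r"(?P<method>GET|POST|HEAD|PUT|DELETE) (?P<path>\S+) HTTP/1\.[01]$")
HDR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*): ?(?P<value>.*)$")

# Constructed sample: the request from the capture above, a benign request, and a
# hypothetical gate request to the callback host named by the tracker entry.
SAMPLE_CAPTURE = """\
2016-09-20 10:29:07.228008 IP 192.168.1.102.59912 > 192.168.1.100.80: Flags [P.], seq 1:333, ack 1, win 256, length 332: HTTP: GET /captured/us.exe HTTP/1.1
E..t.d.........f...d...P..9..G..P...N<..GET /captured/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.1.100/captured/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100
Connection: Keep-Alive
2016-09-20 10:29:07.228032 IP 192.168.1.100.80 > 192.168.1.102.59912: Flags [.], ack 333, win 237, length 0
E..(f.@.@.P&...d...f.P...G....;.P....5..
2016-09-20 10:29:09.000000 IP 192.168.1.102.59913 > 192.168.1.200.80: Flags [P.], seq 1:80, ack 1, win 256, length 79: HTTP: GET /index.html HTTP/1.1
E..x....GET /index.html HTTP/1.1
Host: intranet.lab
User-Agent: Mozilla/5.0
2016-09-20 10:29:12.000000 IP 192.168.1.102.59914 > 192.168.1.250.80: Flags [P.], seq 1:120, ack 1, win 256, length 119: HTTP: GET /file.php?file=us.xml HTTP/1.1
E..z....GET /file.php?file=us.xml HTTP/1.1
Host: qawsf1gy.bget.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
"""

KNOWN_CALLBACKS = {"qawsf1gy.bget.ru"}          # callback host from the tracker entry
EXEC_EXT = (".exe", ".dll", ".scr", ".cpl")     # extensions treated as executable payloads


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_tcpdump(text: str) -> List[HttpRequest]:
    """Walk tcpdump -A output and return one HttpRequest per request found."""
    reqs: List[HttpRequest] = []
    pkt: Optional[Tuple[str, str, str]] = None   # (ts, src, dst) of the current packet
    cur: Optional[HttpRequest] = None            # request whose headers we are collecting
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkt = (m["ts"], m["src"], m["dst"])
            cur = None                           # a new packet ends the previous header block
            continue
        if pkt is None:
            continue
        m = REQ_RE.search(line)
        if m:
            cur = HttpRequest(pkt[0], pkt[1], pkt[2], m["method"], m["path"])
            reqs.append(cur)
            continue
        m = HDR_RE.match(line)
        if m and cur is not None:
            cur.headers[m["name"].lower()] = m["value"]
    return reqs


def flag_request(req: HttpRequest, callbacks=KNOWN_CALLBACKS) -> List[str]:
    """Return the indicator names a single request matches (empty list if none)."""
    hits: List[str] = []
    path_only = req.path.split("?", 1)[0].lower()
    if path_only.endswith(EXEC_EXT):
        hits.append("executable_download")
    if req.headers.get("host", "").lower() in callbacks:
        hits.append("known_callback_host")
    # Tracker lists the gate as "file.php|file=us.xml"; assumed here to be a query parameter.
    if path_only.endswith("/file.php") and "file=" in req.path:
        hits.append("citadel_gate_pattern")
    return hits


def summarize(text: str) -> List[Tuple[str, str, List[str]]]:
    """(host, path, hits) for every request in the capture, in capture order."""
    return [(r.headers.get("host", ""), r.path, flag_request(r)) for r in parse_tcpdump(text)]


if __name__ == "__main__":
    for host, path, hits in summarize(SAMPLE_CAPTURE):
        print(f"{host:20} {path:32} {','.join(hits) or '-'}")
```

Because the parser keys off tcpdump's own summary lines, it works on any -A capture; feeding it a full session rather than this excerpt is a matter of reading the file into `parse_tcpdump`.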