Fraser.exe (AutoIt-packed trojan dropper, flagged by Microsoft as NetWiredRC): download traffic, asril4646.hopto.org lookups and unanswered C2 connects, PCAP traffic analysis

What the capture below shows, in order: the victim host 192.168.1.102 fetches the sample from cldup.com (192.0.77.17, TCP 80) with GET /6yIk9wSjWP.exe?download=Fraser.exe, so the file is served under a random name and renamed to Fraser.exe through the download= query parameter rather than the path. The request's User-Agent claims Internet Explorer 8 on Windows NT 5.1 (XP), while the SYN options of the later connections (win 8192, wscale 8, sackOK) match a Windows 7-era stack in common TCP fingerprint tables, so the UA string is set by the downloader, not by a browser. Fifteen seconds later the host resolves asril4646.hopto.org (a No-IP dynamic DNS name) through its configured resolver 75.75.75.75 and immediately sends SYNs to 185.84.181.73 on TCP port 3478. Each client socket (62782, 62783, 62784) sends its SYN three times about 0.65 s apart, the third retransmit without the wscale option, and no SYN-ACK appears; after the third unanswered SYN the sample opens a new socket and tries again, and at 23:32:45 it re-queries the name. Port 3478 is the IANA-registered STUN port, but only SYNs are seen here, so treat it simply as the configured C2 port. The antivirus results agree on an AutoIt-wrapped dropper (Avira DR/Autoit, Kaspersky Trojan.Win32.Autoit, ESET Packed.CAB) but split on the family name (Microsoft NetWiredRC, McAfee-GW Fareit).

Two caveats for anyone reusing these indicators: the DNS response is not in the excerpt, so the mapping of asril4646.hopto.org to 185.84.181.73 is inferred from the 36 ms gap between query and first SYN, and the HTTP response carrying the executable is not shown, so the SHA256 below is that of the analysed file rather than of bytes observed on the wire.

SHA256: 4ebc3b4d9517e19a2d47803cc5c68186a95019b63d8efb48d5b8a8c09e5dcd53
File name: Fraser.exe
Detection ratio: 34 / 57
Analysis date: 2017-01-16 06:54:31 UTC
Avast Other:Malware-gen [Trj] 20170116
Avira (no cloud) DR/Autoit.spflx 20170115
BitDefender Trojan.GenericKD.4174671 20170116
Comodo TrojWare.Win32.UMal.xmuve 20170116
CrowdStrike Falcon (ML) malicious_confidence_99% (W) 20161024
ESET-NOD32 a variant of Win32/Packed.CAB.AE 20170116
Emsisoft Trojan.GenericKD.4174671 (B) 20170116
F-Secure Trojan.GenericKD.4174671 20170116
Fortinet W32/Generic!tr 20170116
GData Trojan.GenericKD.4174671 20170116
Invincea trojan.win32.skeeyah.a!rfn 20170111
K7AntiVirus Trojan ( 700000111 ) 20170115
K7GW Trojan ( 700000111 ) 20170116
Kaspersky Trojan.Win32.Autoit.abeza 20170116
Malwarebytes Trojan.Dropper 20170116
McAfee Artemis!E6B7BCB0D774 20170108
McAfee-GW-Edition Fareit-FGW!637507265597 20170116
eScan Trojan.GenericKD.4174671 20170116
Microsoft Backdoor:Win32/NetWiredRC.C

2017-01-15 23:32:14.584440 IP 192.168.1.102.62766 > 192.0.77.17.80: Flags [P.], seq 0:306, ack 1, win 256, length 306: HTTP: GET /6yIk9wSjWP.exe?download=Fraser.exe HTTP/1.1
E..Zff@……..f..M….P..l…..P….o..GET /6yIk9wSjWP.exe?download=Fraser.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: cldup.com
Connection: Keep-Alive

2017-01-15 23:32:29.957578 IP 192.168.1.102.50135 > 75.75.75.75.53: 49661+ A? asril4646.hopto.org. (37)
E..A.!………fKKKK…5.-p………….        asril4646.hopto.org…..
2017-01-15 23:32:29.993815 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@….2…f.T.I.>….f……. ……………..
2017-01-15 23:32:30.669691 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@….1…f.T.I.>….f……. ……………..
2017-01-15 23:32:31.343371 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..00.@….4…f.T.I.>….f…..p. ………….
2017-01-15 23:32:31.945681 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@…./…f.T.I.?..~.h……. .4……………
2017-01-15 23:32:32.615504 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@……..f.T.I.?..~.h……. .4……………
2017-01-15 23:32:33.295177 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..00.@….1…f.T.I.?..~.h…..p. .H………..
2017-01-15 23:32:33.919261 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@….,…f.T.I.@….$……. .C……………
2017-01-15 23:32:34.598590 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..40.@….+…f.T.I.@….$……. .C……………
2017-01-15 23:32:35.269234 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..00.@……..f.T.I.@….$…..p. .W………..
2017-01-15 23:32:45.448924 IP 192.168.1.102.50136 > 75.75.75.75.53: 38377+ A? asril4646.hopto.org. (37)
E..A.”………fKKKK…5.-.,…………        asril4646.hopto.org…..
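The extraction a triage analyst would run over this capture, as an added example for this page (not the original author's tooling): it parses tcpdump summary lines, records the HTTP download with its Host and User-Agent headers, the DNS A queries, and every SYN, then reports destinations that received repeated SYNs with no SYN-ACK, which is exactly how the 185.84.181.73:3478 attempt looks above. The SAMPLE string is copied from the capture on this page (payload dump lines omitted); the DYNAMIC_DNS_SUFFIXES tuple is a short illustrative list and the syn_threshold parameter is an assumption of this example.

```python
"""Indicator extraction over tcpdump text output (added example, not the
page author's code).  Reads tcpdump summary lines, collects HTTP downloads,
DNS A queries and SYNs, and flags destinations whose SYNs never got a
SYN-ACK.  DYNAMIC_DNS_SUFFIXES is an illustrative subset, not a full list."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

HDR = re.compile(r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
HTTP_GET = re.compile(r"HTTP: GET (\S+) HTTP/1\.[01]")
DNS_A = re.compile(r"\d+\+? A\? (\S+)\. \(\d+\)")
DYNAMIC_DNS_SUFFIXES = (".hopto.org", ".ddns.net", ".no-ip.org", ".zapto.org", ".sytes.net")

# Lines copied from the capture on this page (payload dump lines omitted).
SAMPLE = """\
2017-01-15 23:32:14.584440 IP 192.168.1.102.62766 > 192.0.77.17.80: Flags [P.], seq 0:306, ack 1, win 256, length 306: HTTP: GET /6yIk9wSjWP.exe?download=Fraser.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: cldup.com
2017-01-15 23:32:29.957578 IP 192.168.1.102.50135 > 75.75.75.75.53: 49661+ A? asril4646.hopto.org. (37)
2017-01-15 23:32:29.993815 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:30.669691 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:31.343371 IP 192.168.1.102.62782 > 185.84.181.73.3478: Flags [S], seq 318334479, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-01-15 23:32:31.945681 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:32.615504 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:33.295177 IP 192.168.1.102.62783 > 185.84.181.73.3478: Flags [S], seq 2125490187, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-01-15 23:32:33.919261 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:34.598590 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-15 23:32:35.269234 IP 192.168.1.102.62784 > 185.84.181.73.3478: Flags [S], seq 3001689288, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-01-15 23:32:45.448924 IP 192.168.1.102.50136 > 75.75.75.75.53: 38377+ A? asril4646.hopto.org. (37)
"""


def analyze(text, syn_threshold=3):
    """Return downloads, DNS queries and destinations with unanswered SYNs."""
    downloads, dns_queries = [], []
    syns = defaultdict(list)  # client socket (src, sport, dst, dport) -> SYN times
    answered = set()          # client sockets for which a SYN-ACK was seen
    current = None            # GET whose header lines are still being read
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR.match(line)
        if m is None:
            # tcpdump -A prints the payload after the summary line; request
            # headers found there belong to the most recent GET.
            if current is not None and line.startswith("Host: "):
                current["host"] = line[6:].strip()
            elif current is not None and line.startswith("User-Agent: "):
                current["user_agent"] = line[12:].strip()
            continue
        ts, src, sport, dst, dport, rest = m.groups()
        sport, dport = int(sport), int(dport)
        g = HTTP_GET.search(rest)
        if g:
            uri = g.group(1)
            parts = urlsplit(uri)
            # saved name comes from a download= query parameter when present
            # (as for Fraser.exe), otherwise from the last path component
            name = parse_qs(parts.query).get("download", [parts.path.rsplit("/", 1)[-1]])[0]
            current = {"ts": ts, "dst": dst, "uri": uri, "filename": name,
                       "host": None, "user_agent": None}
            downloads.append(current)
            continue
        current = None  # any other packet ends the header block
        d = DNS_A.search(rest)
        if d and dport == 53:
            name = d.group(1)
            dns_queries.append({"ts": ts, "name": name,
                                "dynamic_dns": name.endswith(DYNAMIC_DNS_SUFFIXES)})
        elif "Flags [S]," in rest:
            syns[(src, sport, dst, dport)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))
        elif "Flags [S.]," in rest:
            answered.add((dst, dport, src, sport))  # keyed by the client's socket
    failed = {}
    for sock, stamps in syns.items():
        if sock in answered:
            continue
        f = failed.setdefault((sock[2], sock[3]),
                              {"sockets": 0, "syns": 0, "first": None, "last": None})
        prev = [f["first"], f["last"]] if f["first"] is not None else []
        f["sockets"] += 1
        f["syns"] += len(stamps)
        f["first"], f["last"] = min(stamps + prev), max(stamps + prev)
    for f in failed.values():
        f["duration_s"] = round((f["last"] - f["first"]).total_seconds(), 3)
    failed = {k: v for k, v in failed.items() if v["syns"] >= syn_threshold}
    return {"downloads": downloads, "dns_queries": dns_queries, "failed_connects": failed}


REPORT = analyze(SAMPLE)

if __name__ == "__main__":
    for d in REPORT["downloads"]:
        print("download:", d["filename"], "from", d["host"], d["dst"], "UA:", d["user_agent"])
    for q in REPORT["dns_queries"]:
        print("dns:", q["ts"], q["name"], "(dynamic DNS)" if q["dynamic_dns"] else "")
    for (ip, port), f in REPORT["failed_connects"].items():
        print(f"unanswered SYNs to {ip}:{port}: {f['syns']} over {f['sockets']} sockets, {f['duration_s']} s")
```

Run it as-is to see the three indicators from this capture; feed it `tcpdump -nn -A -r file.pcap` output to apply the same logic to another capture. The SYN-ACK bookkeeping is what keeps ordinary web traffic out of the report: a socket that completes the handshake is dropped, so only destinations that never answer, as 185.84.181.73 does here, reach the threshold.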