Kovter Trojan Spyware Malware GET /counter/?2 PCAP file download traffic analysis sample

SHA256: fbaa60f3c1fe06c4082df358914e2b9b9d0424e3ec7029d444002f7b18661af2
File name: 53b165f3d0c8ab.png
Detection ratio: 24 / 61
Analysis date: 2017-05-21 21:16:47 UTC
AVware Trojan.Win32.Kovter.ab (v) 20170521
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9990 20170503
Bkav W32.eHeur.Malware09 20170520
CrowdStrike Falcon (ML) malicious_confidence_96% (W) 20170130
Cyren W32/Kovter.T2.gen!Eldorado 20170521
DrWeb Trojan.SpyBot.702 20170521
Endgame malicious (moderate confidence) 20170515
ESET-NOD32 a variant of Generik.KFLGPVJ 20170521
F-Prot W32/Kovter.T2.gen!Eldorado 20170521
Invincea virus.win32.sality.at 20170519
Kaspersky UDS:DangerousObject.Multi.Generic 20170521
McAfee Artemis!C989202B8A87 20170521
McAfee-GW-Edition BehavesLike.Win32.Dropper.gc 20170521
Palo Alto Networks (Known Signatures) generic.ml 20170521
Rising Malware.Generic.1!tfe (cloud:SbVsRCxTH6D) 20170518
Sophos Mal/Kovter-Z 20170521

2017-05-21 15:36:29.671893 IP 192.168.1.102.55249 > 23.229.155.136.80: Flags [P.], seq 0:424, ack 1, win 256, length 424: HTTP: GET /counter/?2 HTTP/1.1
GET /counter/?2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bestmerchantservicesforsmallbusiness.com
Connection: Keep-Alive

2017-05-21 15:37:31.238059 IP 192.168.1.102.55251 > 185.117.72.90.80: Flags [S], seq 2837707080, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:34.224091 IP 192.168.1.102.55252 > 141.248.34.5.443: Flags [S], seq 1227616878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:34.227248 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:34.230207 IP 192.168.1.102.55254 > 16.166.39.110.8080: Flags [S], seq 4223820476, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:34.247948 IP 192.168.1.102.55251 > 185.117.72.90.80: Flags [S], seq 2837707080, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:34.780545 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:35.239945 IP 192.168.1.102.55255 > 29.247.203.53.80: Flags [S], seq 3355099844, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:35.335213 IP 192.168.1.102.55253 > 159.105.67.49.443: Flags [S], seq 1419101552, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-21 15:37:36.254690 IP 192.168.1.102.55256 > 16.130.105.167.8080: Flags [S], seq 1058759659, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:36.254903 IP 192.168.1.102.55257 > 128.160.248.217.443: Flags [S], seq 2094384569, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:36.255195 IP 192.168.1.102.55258 > 28.91.165.166.443: Flags [S], seq 2719160934, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:37.224536 IP 192.168.1.102.55254 > 16.166.39.110.8080: Flags [S], seq 4223820476, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:37.224540 IP 192.168.1.102.55252 > 141.248.34.5.443: Flags [S], seq 1227616878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:37.275478 IP 192.168.1.102.55259 > 16.204.83.197.80: Flags [S], seq 3289887950, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:38.242770 IP 192.168.1.102.55255 > 29.247.203.53.80: Flags [S], seq 3355099844, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:38.291401 IP 192.168.1.102.55260 > 22.97.216.31.80: Flags [S], seq 3048081186, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:37:38.291563 IP 192.168.1.102.55261 > 145.18.62.158.80: Flags [S], seq 426492113, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

2017-05-21 15:38:12.272610 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 0:104, ack 1, win 259, length 104
2017-05-21 15:38:12.414263 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 104:430, ack 1139, win 254, length 326
2017-05-21 15:38:12.700944 IP 192.168.1.102.55308 > 28.10.200.47.443: Flags [S], seq 3893142143, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-21 15:38:12.779069 IP 192.168.1.102.55318 > 166.63.215.234.80: Flags [S], seq 1675985573, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:38:12.818964 IP 192.168.1.102.55324 > 167.115.254.152.443: Flags [S], seq 3753361591, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:38:13.005762 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [P.], seq 430:1235, ack 1198, win 254, length 805
2017-05-21 15:38:13.103055 IP 192.168.1.102.55325 > 198.120.50.214.443: Flags [S], seq 409341821, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:38:13.144853 IP 192.168.1.102.55326 > 189.234.189.135.80: Flags [S], seq 2611961602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-05-21 15:38:13.202263 IP 192.168.1.102.55323 > 189.234.189.135.443: Flags [.], ack 1539, win 259, length 0
2017-05-21 15:38:13.703584 IP 192.168.1.102.55311 > 190.179.116.119.443: Flags [S], seq 129923969, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-21 15:38:13.703588 IP 192.168.1.102.55310 > 15.156.160.65.443: Flags [S], seq 450044293, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-21 15:38:13.703590 IP 192.168.1.102.55309 > 28.96.166.183.443: Flags [S], seq 3646307926, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2017-05-21 15:38:13.803820 IP 192.168.1.102.55320 > 116.37.169.233.80: Flags [S], seq 1321981924, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0