References:

  https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919/
  https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Zbot-LPH/detailed-analysis.aspx

VirusTotal report for the downloaded payload:

  SHA256:          cb7d41bdd0fb3309dc4562be0db482c631d2249775299cd06ee25342fc322b2c
  File name:       inst.exe
  Detection ratio: 38 / 56
  Analysis date:   2017-01-16 06:43:20 UTC

  Vendor                  Detection                                      Update
  Avira (no cloud)        TR/AD.Vawtrak.sxucc                            20170115
  Baidu                   Win32.Trojan.WisdomEyes.16070401.9500.9964     20170113
  BitDefender             Trojan.GenericKD.4171617                       20170116
  ClamAV                  Win.Trojan.Generic-5585310-0                   20170116
  Comodo                  TrojWare.Win32.UMal.vkksq                      20170116
  CrowdStrike Falcon (ML) malicious_confidence_68% (W)                   20161024
  Cyren                   W32/Trojan.QDXF-4923                           20170116
  ESET-NOD32              Win32/PSW.Papras.EJ                            20170116
  Emsisoft                Trojan.GenericKD.4171617 (B)                   20170116
  F-Secure                Trojan.GenericKD.4171617                       20170116
  Fortinet                W32/Malicious_Behavior.VEX                     20170116
  GData                   Trojan.GenericKD.4171617                       20170116
  Ikarus                  Trojan.Win32.PSW                               20170115
  Jiangmin                Trojan.Banker.Neverquest2.fe                   20170116
  K7AntiVirus             Password-Stealer ( 004cfc431 )                 20170115

HTTP request that retrieved the payload (tcpdump excerpt):

  2017-01-15 23:28:56.011878 IP 192.168.1.102.62755 > 185.58.41.77.80: Flags [P.], seq 0:302, ack 1, win 256, length 302: HTTP: GET /wp-includes/inst.exe HTTP/1.1
  (non-printable packet bytes omitted)
  GET /wp-includes/inst.exe HTTP/1.1
  […]
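The request above is the infection's payload fetch: an executable pulled over plain HTTP from a path under /wp-includes/, which on a legitimate WordPress install holds PHP and static assets, not .exe files. The script below is an added example (not part of the diary or of any referenced vendor report) that parses tcpdump's one-line HTTP request summaries and flags requests with that shape. The first sample line is the capture line above with the raw payload dump removed; the second, benign line and the WordPress-directory heuristic are constructed assumptions for illustration.

```python
import re

# Constructed sample input. Line 1 is the request from the capture
# excerpt above (raw payload dump omitted); line 2 is a benign request
# invented here for contrast. Both are assumptions, not captured data
# beyond what the diary shows.
SAMPLE_LINES = [
    "2017-01-15 23:28:56.011878 IP 192.168.1.102.62755 > 185.58.41.77.80: "
    "Flags [P.], seq 0:302, ack 1, win 256, length 302: "
    "HTTP: GET /wp-includes/inst.exe HTTP/1.1",
    "2017-01-15 23:29:01.000000 IP 192.168.1.102.62760 > 93.184.216.34.80: "
    "Flags [P.], seq 0:150, ack 1, win 256, length 150: "
    "HTTP: GET /index.html HTTP/1.1",
]

# One-line tcpdump summary of an HTTP request (IPv4, default
# "host.port" rendering). Anything else is ignored by parse_request().
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): .*?HTTP: "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)"
)

# Heuristic inputs (assumed, not from the diary): PE-style extensions
# that should not be served from a WordPress internal directory.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".cpl")
WORDPRESS_DIRS = ("/wp-includes/", "/wp-content/", "/wp-admin/")


def parse_request(line):
    """Return the request's fields as a dict, or None if the line is not
    a tcpdump HTTP request summary."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def classify(req):
    """Return the heuristic reasons a parsed request looks like a
    payload fetch (empty list means nothing suspicious)."""
    path = req["uri"].split("?", 1)[0].lower()  # drop any query string
    reasons = []
    if path.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable requested over plain HTTP")
    if any(d in path for d in WORDPRESS_DIRS):
        reasons.append("path under a WordPress internal directory")
    return reasons


def find_payload_downloads(lines):
    """Parse each line and return a finding for every executable
    download; each finding carries the IOC URL and the reasons."""
    findings = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        reasons = classify(req)
        # Only executable fetches are reported; the WordPress-path
        # reason is attached as supporting context when present.
        if "executable requested over plain HTTP" not in reasons:
            continue
        findings.append({
            "ts": req["ts"],
            "src": req["src"],
            "dst": req["dst"],
            "url": "http://%s%s" % (req["dst"], req["uri"]),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_payload_downloads(SAMPLE_LINES):
        print(f["ts"], f["src"], "->", f["url"])
        for r in f["reasons"]:
            print("   ", r)
```

Run it against `tcpdump -nn -r capture.pcap 'tcp port 80'` output to pull the same IOC (the `url` field) out of a larger capture; the regex deliberately requires the `HTTP: GET ... HTTP/1.1` summary tcpdump prints for port 80, so raw payload dumps from `-A` or `-X` are skipped rather than mis-parsed.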