Mupad/Zusy/LoadMoney chrome_extension.exe Malware Trojan PCAP file download Traffic sample

SHA256: 852a4c96c666b6757df68efb3ffb40ec2b4382a3aa8ebaa7b2fd118f8b225799
File name: chrome_extension.exe
Detection ratio: 47 / 56
Analysis date: 2016-10-28 00:48:00 UTC
Engine                   Detection                                           Update
Arcabit                  Trojan.Zusy.D2C451                                  20161027
Avast                    Win32:Malware-gen                                   20161027
Avira (no cloud)         TR/Agent.903248                                     20161027
BitDefender              Gen:Variant.Zusy.181329                             20161027
Bkav                     W32.Clod45c.Trojan.7add                             20161027
CAT-QuickHeal            Trojan.Mupad                                        20161027
Comodo                   ApplicUnwnt.Win32.RuKometa.~A                       20161027
CrowdStrike Falcon (ML)  malicious_confidence_69% (D)                        20161024
Cyren                    W32/S-0f7f21d9!Eldorado                             20161028
DrWeb                    Trojan.LoadMoney.1337                               20161028
ESET-NOD32               a variant of Win32/RuKometa.E potentially unwanted  20161028
Emsisoft                 Gen:Variant.Zusy.181329 (B)                         20161028
F-Prot                   W32/S-0f7f21d9!Eldorado                             20161028
F-Secure                 Gen:Variant.Zusy.181329                             20161027
Fortinet                 W32/Generic.AC.3244AF!tr                            20161028
GData                    Gen:Variant.Zusy.181329                             20161027
Ikarus                   Trojan.Win32.Mupad                                  20161027
Invincea                 trojan.win32.mupad.a                                20161018
Jiangmin                 AdWare.ExtBro.b                                     20161027
K7AntiVirus              Adware ( 004ba0921 )                                20161025


2016-10-27 20:04:58.598603 IP 192.168.1.102.55945 > 193.238.153.106.80: Flags [P.], seq 0:318, ack 1, win 256, length 318: HTTP: GET /chrome_extension.exe HTTP/1.1
GET /chrome_extension.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: rafbgktkbibutfp.filelossreporter.ru
Connection: Keep-Alive

2016-10-27 20:04:58.752775 IP 192.168.1.102.55945 > 193.238.153.106.80: Flags [.], ack 1, win 256, length 0

2016-10-27 20:05:04.338083 IP 192.168.1.102.55947 > 178.255.83.2.80: Flags [P.], seq 0:198, ack 1, win 256, length 198: HTTP: GET /AddTrustExternalCARoot.crl HTTP/1.1
GET /AddTrustExternalCARoot.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


2016-10-27 20:05:08.493935 IP 192.168.1.102.55949 > 185.20.186.52.80: Flags [P.], seq 0:524, ack 1, win 256, length 524: HTTP: GET /%f3%07%27%f6%46%d3%36%86%27%f6%d6%56%f5%56%87%47%56%e6%37%96%f6%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%53%43%66%56%93%36%63%73%46%83%43%73%43%03%26%66%83%46%03%36%23%33%56%73%33%93%53%33%33%63%33%93%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
GET /%f3%07%27%f6%46%d3%36%86%27%f6%d6%56%f5%56%87%47%56%e6%37%96%f6%e6%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%53%43%66%56%93%36%63%73%46%83%43%73%43%03%26%66%83%46%03%36%23%33%56%73%33%93%53%33%33%63%33%93%62%d6%96%46%d3%56%33%33%56%56%46%43%26%53%53%83%03%03%26%56%13%36%13%93%66%56%33%26%93%63%23%66%53%93%16%73%73%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%07%16%27%16%d6%f5%66%16%96%c6 HTTP/1.1
User-Agent: chrome_extension 3.18
Host: g.azmagis.ru
Cache-Control: no-cache

2016-10-27 20:05:08.612657 IP 192.168.1.102.55949 > 185.20.186.52.80: Flags [F.], seq 524, ack 143, win 256, length 0
2016-10-27 20:05:08.662340 IP 192.168.1.102.55949 > 185.20.186.52.80: Flags [.], ack 148, win 256, length 0
2016-10-27 20:05:08.710875 IP 192.168.1.102.55949 > 185.20.186.52.80: Flags [.], ack 149, win 256, length 0

2016-10-27 20:05:13.558756 IP 192.168.1.102.55951 > 104.95.25.151.80: Flags [P.], seq 0:214, ack 1, win 256, length 214: HTTP: GET /Market.svc/AppTileV3?symbols=29.10.%40CCO.29.COMP&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
GET /Market.svc/AppTileV3?symbols=29.10.%40CCO.29.COMP&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com

2016-10-27 20:05:13.590507 IP 192.168.1.102.55950 > 104.95.25.151.80: Flags [.], ack 3305950887, win 256, length 0
2016-10-27 20:05:13.590643 IP 192.168.1.102.55950 > 104.95.25.151.80: Flags [P.], seq 0:217, ack 1, win 256, length 217: HTTP: GET /Market.svc/AppTileV3?symbols=30.10.%21DJI.30.%24INDU&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
GET /Market.svc/AppTileV3?symbols=30.10.%21DJI.30.%24INDU&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com