Symmi Slingup Dapato Malware Trojan Traffic Analysis PCAP file download sample

SHA256: 965756c5a1d67fca84a92b49fa346627a72327ebee621fd4f81f3296ddc39c74
File name: beta.exe
Detection ratio: 43 / 55
Analysis date: 2017-01-24 02:26:16 UTC

Engine                   Detection                              Signature date
AVware                   Trojan.Win32.Generic!BT                20170124
Ad-Aware                 Gen:Variant.Symmi.69617                20170124
AegisLab                 W32.W.Otwycal.l6ei                     20170123
AhnLab-V3                Trojan/Win32.Fareit.R193567            20170123
Antiy-AVL                Trojan[Dropper]/Win32.Dapato           20170124
Arcabit                  Trojan.Symmi.D10FF1                    20170124
Avast                    Win32:Malware-gen                      20170124
Avira (no cloud)         BDS/Slingup.aptxz                      20170123
BitDefender              Gen:Variant.Symmi.69617                20170124
CAT-QuickHeal            Backdoor.Slingup                       20170123
Comodo                   TrojWare.Win32.UMal.zhzcf              20170124
CrowdStrike Falcon (ML)  malicious_confidence_80% (W)           20161024
DrWeb                    Trojan.DownLoader14.15241              20170124
ESET-NOD32               a variant of Win32/Injector.DJPB       20170124
Emsisoft                 Gen:Variant.Symmi.69617 (B)            20170124
F-Secure                 Gen:Variant.Symmi.69617                20170124
Fortinet                 W32/Injector.DJPB!tr                   20170124

2017-01-23 21:10:34.244238 IP 192.168.1.102.50519 > 46.173.219.26.80: Flags [P.], seq 0:288, ack 1, win 259, length 288: HTTP: GET /utu/beta.exe HTTP/1.1
GET /utu/beta.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: gongotree.com
Connection: Keep-Alive

2017-01-23 21:18:52.669213 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [S], seq 2576574364, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-23 21:18:52.705913 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 4012597881, win 256, length 0
2017-01-23 21:18:52.707025 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 0:77, ack 1, win 256, length 77
2017-01-23 21:18:52.730755 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 2861, win 256, length 0
2017-01-23 21:18:52.732053 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 77:395, ack 4048, win 252, length 318
2017-01-23 21:18:52.817679 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [.], ack 4099, win 252, length 0
2017-01-23 21:18:52.915817 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 395:1101, ack 4099, win 252, length 706
2017-01-23 21:18:52.916417 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 1101:2561, ack 4099, win 252, length 1460
2017-01-23 21:18:52.936077 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 2561:2735, ack 4099, win 252, length 174
(packet payload bytes omitted; the port-443 session carries no readable content)
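The capture excerpt above has two flows worth pulling indicators from: the cleartext GET for beta.exe from gongotree.com (46.173.219.26:80) with an Internet Explorer 8 / Windows NT 5.1 User-Agent, and, eight minutes later, a port-443 session to 216.58.218.238 in which the client sends 2735 bytes of payload. The script below is an added example, not code from the original page or from the sample itself: it parses the tcpdump summary lines and the HTTP request block, groups packets into flows, emits the IOCs (URL, host, destination IPs, User-Agent), and checks a candidate file against the listed SHA-256 in constant time. The packet lines and request are copied from the excerpt and embedded as constructed sample input so it runs offline; the triage findings (executable fetched over plain HTTP, IE-on-XP User-Agent, client bytes sent to port 443) are this example's own heuristics, not anything the page asserts, and the reading of the 443 traffic as an encrypted session is an assumption.

```python
"""IOC extraction over the tcpdump summary lines and HTTP request shown above.

Added example, not code from the original page. The packet lines and the HTTP
request are copied from the capture excerpt and embedded as constructed input.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# SHA-256 listed on the page for beta.exe
SAMPLE_SHA256 = "965756c5a1d67fca84a92b49fa346627a72327ebee621fd4f81f3296ddc39c74"

# Constructed input: the client -> server summary lines from the capture excerpt.
TCPDUMP_LINES = """\
2017-01-23 21:10:34.244238 IP 192.168.1.102.50519 > 46.173.219.26.80: Flags [P.], seq 0:288, ack 1, win 259, length 288: HTTP: GET /utu/beta.exe HTTP/1.1
2017-01-23 21:18:52.669213 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [S], seq 2576574364, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2017-01-23 21:18:52.707025 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 0:77, ack 1, win 256, length 77
2017-01-23 21:18:52.732053 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 77:395, ack 4048, win 252, length 318
2017-01-23 21:18:52.915817 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 395:1101, ack 4099, win 252, length 706
2017-01-23 21:18:52.916417 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 1101:2561, ack 4099, win 252, length 1460
2017-01-23 21:18:52.936077 IP 192.168.1.102.50694 > 216.58.218.238.443: Flags [P.], seq 2561:2735, ack 4099, win 252, length 174
""".splitlines()

# Constructed input: the cleartext request carried by the first packet.
HTTP_REQUEST = """\
GET /utu/beta.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: gongotree.com
Connection: Keep-Alive
"""

# "<date> <time> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length N[: HTTP: <request line>]"
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)(?:: HTTP: (?P<http>.*))?$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".pif", ".com")


def parse_summary(line):
    """Return the fields of one tcpdump summary line, or None if the line is not one."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    p = m.groupdict()  # 'http' is None for packets without a decoded request line
    for k in ("sport", "dport", "length"):
        p[k] = int(p[k])
    return p


def parse_http_request(text):
    """Split an HTTP/1.x request block into its request line and a lower-cased header map."""
    lines = text.strip().splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def summarize_flows(packets):
    """Group packets by 4-tuple; every shown packet is client -> server, so 'length' is client payload."""
    flows = defaultdict(lambda: {"packets": 0, "client_bytes": 0, "first_seen": None})
    for p in packets:
        f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
        f["packets"] += 1
        f["client_bytes"] += p["length"]
        f["first_seen"] = f["first_seen"] or p["ts"]
    return dict(flows)


def extract_iocs(packets, request):
    """Build the IOC set plus triage findings (the findings are this example's heuristics)."""
    host = request["headers"].get("host", "")
    url = "http://" + host + request["path"]
    iocs = {
        "url": url,
        "host": host,
        "ips": sorted({p["dst"] for p in packets}),
        "user_agent": request["headers"].get("user-agent", ""),
        "flows": summarize_flows(packets),
        "findings": [],
    }
    http_pkts = [p for p in packets if p["http"]]
    if http_pkts and request["path"].lower().endswith(EXECUTABLE_EXT):
        iocs["findings"].append("executable fetched over cleartext HTTP: %s from %s:%d"
                                % (url, http_pkts[0]["dst"], http_pkts[0]["dport"]))
    if "MSIE" in iocs["user_agent"] and "Windows NT 5.1" in iocs["user_agent"]:
        iocs["findings"].append("User-Agent claims Internet Explorer on Windows NT 5.1 (Windows XP)")
    for (_, _, dst, dport), f in iocs["flows"].items():
        if dport == 443 and f["client_bytes"] > 0:  # assumed TLS: content not readable from the capture
            iocs["findings"].append("%d bytes sent by client to %s:443 after the download"
                                    % (f["client_bytes"], dst))
    return iocs


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_sample(data, expected=SAMPLE_SHA256):
    """Constant-time check of a candidate file's SHA-256 against the listed hash."""
    return hmac.compare_digest(sha256_hex(data), expected.lower())


def analyze():
    packets = [p for p in map(parse_summary, TCPDUMP_LINES) if p]
    return extract_iocs(packets, parse_http_request(HTTP_REQUEST))


if __name__ == "__main__":
    result = analyze()
    print(result["url"], result["ips"], result["user_agent"])
    for finding in result["findings"]:
        print("-", finding)
```

To run it against a real capture rather than the embedded lines, feed the output of `tcpdump -nn -r file.pcap` line by line into `parse_summary` and the reassembled request text into `parse_http_request`; `matches_sample` takes the file bytes, so it works on the downloaded beta.exe without trusting the file name.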