https://www.symantec.com/security_response/writeup.jsp?docid=2016-101811-2408-99&tabid=2
| SHA256: | 069ac0b81c552fba6ab768759249691d407ad8b67a98bf82548a951f468f629b |
| File name: | safafaasfasdddd.exe |
| Detection ratio: | 33 / 56 |
| Analysis date: | 2016-11-02 03:15:50 UTC ( 0 minutes ago ) |
| Ad-Aware | Trojan.GenericKD.3660757 | 20161102 |
| AegisLab | Heur.Advml.Gen!c | 20161102 |
| AhnLab-V3 | Trojan/Win32.Kovter.N2144515957 | 20161101 |
| Arcabit | Trojan.Generic.D37DBD5 | 20161102 |
| Avast | Win32:Malware-gen | 20161102 |
| Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9999 | 20161101 |
| BitDefender | Trojan.GenericKD.3660757 | 20161102 |
| CrowdStrike Falcon (ML) | malicious_confidence_100% (W) | 20161024 |
| Cyren | W32/Trojan.TLFS-2881 | 20161102 |
| DrWeb | Trojan.DownLoader22.63827 | 20161102 |
| ESET-NOD32 | Win32/Agent.RYE | 20161101 |
| Emsisoft | Trojan.GenericKD.3660757 (B) | 20161102 |
| F-Secure | Trojan.GenericKD.3660757 | 20161102 |
| Fortinet | W32/Trickster.R!tr | 20161102 |
| GData | Trojan.GenericKD.3660757 | 20161102 |
| Invincea | virus.win32.virut.bo | 20161018 |
| K7GW | Trojan ( 004f5bd31 ) | 20161102 |
| Kaspersky | Trojan.Win32.Trickster.r | 20161102 |
| Malwarebytes | Trojan.TrickBot | 20161102 |
| McAfee | Artemis!9018D65EBD6B | 20161102 |
2016-11-01 21:35:48.411099 IP 192.168.1.102.51121 > 203.199.134.21.80: Flags [P.], seq 0:297, ack 1, win 256, length 297: HTTP: GET /pdf/safafaasfasdddd.exe HTTP/1.1
E..Q’.@….$…f…….P.T..P.m.P…….GET /pdf/safafaasfasdddd.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: futuras.com
Connection: Keep-Alive
2016-11-01 21:36:39.098541 IP 192.168.1.102.58180 > 75.75.75.75.53: 48799+ A? myexternalip.com. (34)
E..>c;….~….fKKKK.D.5.*……………myexternalip.com…..
2016-11-01 21:36:39.122419 IP 192.168.1.102.51122 > 78.47.139.102.80: Flags [S], seq 1153720242, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4x:@……..fN/.f…PD._……. .F……………
2016-11-01 21:36:39.252886 IP 192.168.1.102.51122 > 78.47.139.102.80: Flags [.], ack 2606881224, win 256, length 0
E..(x;@……..fN/.f…PD._..a..P…1………
2016-11-01 21:36:39.253523 IP 192.168.1.102.51122 > 78.47.139.102.80: Flags [P.], seq 0:94, ack 1, win 256, length 94: HTTP: GET /raw HTTP/1.1
E…x<@……..fN/.f…PD._..a..P…….GET /raw HTTP/1.1
User-Agent: TrickLoader
Host: myexternalip.com
Connection: Keep-Alive
2016-11-01 21:36:39.424287 IP 192.168.1.102.51122 > 78.47.139.102.80: Flags [.], ack 229, win 255, length 0
E..(x=@……..fN/.f…PD.`..a..P…0K……..
2016-11-01 21:36:39.458850 IP 192.168.1.102.51123 > 91.219.28.77.443: Flags [S], seq 2520488089, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.;@….R…f[..M…..;…….. ……………..
2016-11-01 21:36:42.473180 IP 192.168.1.102.51123 > 91.219.28.77.443: Flags [S], seq 2520488089, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.<@….Q…f[..M…..;…….. ……………..