Unknown Trojan Downloader/Dropper Malware (pooyarahyaft.com, 8E7F0FF.exe): PCAP File Download Traffic Analysis

SHA256: dd706516a433b11d7f775eaecc0d549d2c3a5916ad64207c101d84fcc9d7d76d
File name: 8E7F0FF.exe
Detection ratio: 43 / 57
Analysis date: 2017-01-16 07:13:01 UTC
Antivirus            Result                                              Update
ALYac                Trojan.GenericKD.4119935                            20170116
AVG                  Inject3.BPLB                                        20170116
AVware               Trojan.Win32.Generic!BT                             20170116
Ad-Aware             Trojan.GenericKD.4119935                            20170116
AegisLab             Troj.Dropper.Vb!c                                   20170116
AhnLab-V3            Trojan/Win32.Injector.C1733516                      20170116
Antiy-AVL            Trojan/Win32.TSGeneric                              20170116
Arcabit              Trojan.Generic.D3EDD7F                              20170116
Avast                Win32:Malware-gen                                   20170116
Avira (no cloud)     TR/Dropper.VB.nntiu                                 20170116
Baidu                Win32.Trojan.WisdomEyes.16070401.9500.9591          20170116
BitDefender          Trojan.GenericKD.4119935                            20170116
CAT-QuickHeal        Trojan.Dynamer                                      20170116
ClamAV               Win.Trojan.Agent-5486292-0                          20170116
Comodo               UnclassifiedMalware                                 20170116
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)                   20161024
Cyren                W32/Trojan.MMAU-5749                                20170116
ESET-NOD32           a variant of Win32/Injector.DJJI                    20170116
Emsisoft             Trojan.GenericKD.4119935 (B)                        20170116

2017-01-16 00:14:09.858318 IP 192.168.1.102.63327 > 72.52.124.44.80: Flags [P.], seq 0:296, ack 1, win 256, length 296: HTTP: GET /amana/8E7F0FF.exe HTTP/1.1
E..P/.@…Ci…fH4|,._.P..!..tifP…p…GET /amana/8E7F0FF.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: pooyarahyaft.com
Connection: Keep-Alive

2017-01-16 00:15:37.552142 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [S], seq 1655366239, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4~3@….P…f.Z…b..b.._…… .p……………
2017-01-16 00:15:37.583531 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [.], ack 2888845567, win 258, length 0
E..(~4@….[…f.Z…b..b..`.0H.P….9……..
2017-01-16 00:15:37.584936 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [P.], seq 0:195, ack 1, win 258, length 195
E…~5@……..f.Z…b..b..`.0H.P….3………….X|V……n…9.~.3..$….i0.&..*..8.,.+.0./…..$.#.(.’.
.       …..9.3…..=.<.5./.
.j.@.8.2…..Y………wdcp.microsoft.com……….
…………………………………#………..
2017-01-16 00:15:37.618304 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [.], ack 2921, win 258, length 0
E..(~6@….Y…f.Z…b..b..#.0TgP………….
2017-01-16 00:15:37.623758 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [P.], seq 195:409, ack 4206, win 253, length 214
E…~7@……..f.Z…b..b..#.0YlP………..f…ba………..I.wZBQ….[.l5….E…&…d-.p#.;s..h..>.-$.4.U..`.!….#+.U.2………#..]W..(……………..`jR…../..[?….M.3.3.6$q..V.R-…./…….$..Y..&z…}~?.F=.w.-V……N…….$z….$.d2.
…U.
2017-01-16 00:15:37.668207 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [P.], seq 409:686, ack 4313, win 253, length 277
E..=~8@….B…f.Z…b..b….0Y.P……………f.V.@s.M=.I….CtW6MN……….A..A68.LzK..,…….     ….|O…..U……….>.|{|.`
.$…J.A…..A…’…..’z..P*v….c:..i;……+…A..ti……g….(…..        `d…i….Q…P…#..RM.nE…-T.;..aI.]H..?……$..HG…!.R-I..#…k….A…..s…..vvZo..B.YXMH….J.B.41 ‘mD…
2017-01-16 00:15:37.668738 IP 192.168.1.102.63330 > 13.90.208.215.443: Flags [.], seq 686:5006, ack 4313, win 253, length 4320
E…~9@….v…f.Z…b..b….0Y.P….:…..@P……(.@
..N….:@`.~…OcF.JfK…0……@…<..S…..x”p.”…*4G$… …G>G.;.r..”|e…W..O(c.^Q.~.?.sX._.+..#(…..    ………………..g.k.r5…!.3.YT.?mO.^…<…. X.c5………tk….>.!……X……..x.G………     p….X…..L.%…)      .~.%……’\m.S…D..C..Q…..U….y.-Q.e`….7.A.2{I.;qq:.Y.2r..(.~ee…\..#.@.t../n.1…..1…N.!S..M……I..”.{-4h. …….w……….(.i………………….z[….cv……| a.1..`..5.$…..G..h….7.n)1p……@.Hk..~K..0.
..hF……/…Qlz.0.c….z,…A/……K.v:G.e,..#>..Z._..Xl
.\..ps…^…x……=.2………n..P..&D..n………;.)l.9..v@…P.U.S  ..7;.H..y_`……..q..+..U.i.Kg]_…_…lpe=@..$.m……..5GWr..=.QuI.5AXM…*..l..1..q….%t….z..:.6bL./…)o.f.M.Gk..#EN.HL…|._.._..
.H.*H….[…WW.o..h#…….Y..H.].o….0.m.<v.H…….T..`B.%..9.4..m…5’….a.Mg.y….Pr…..F+.     …1..i’l….2..’…i..Y].      I.4.V|.[…..K….-dB…….C……r..1..rEN.r*….i..8..K.Z|………+….l..B….E<….Ky…om..$……B..0/i…F.6[…}.
….63…       .7dBN.R….().r.k…H<%2…..v\.|c%.1.z.N.t .\..\r…d.U..nG.
..U.EK?@|…….}../..Y..l.!q.^….kD….o.
.AfJc.r6^..}d<aD…1a…:.k.i…………….H.F…0.U…HQ.s…..