2017-11-21-Hancitor-malspam-traffic.pcap

MD5: a94ea7163ccd53f22108a9865eb3a675
Submission Date: 2017-11-27 23:28:43
Tags: msword
Alert (36 items, first 20 shown)

# | Timestamp | Src IP | Dest IP | Alert Signature
1 | 2017-11-21T10:40:12.804929-0800 | 10.11.21.101 | 174.129.241.106 | ET POLICY External IP Lookup api.ipify.org
2 | 2017-11-21T10:40:51.632498-0800 | 10.11.21.101 | 185.111.107.150 | ET TROJAN Fareit/Pony Downloader Checkin 2
3 | 2017-11-21T10:40:54.421438-0800 | 10.11.21.101 | 91.221.37.38 | ET TROJAN Fareit/Pony Downloader Checkin 2
4 | 2017-11-21T10:42:14.728808-0800 | 185.153.198.40 | 10.11.21.101 | ET DROP Dshield Block Listed Source group 1
5 | 2017-11-21T10:52:30.820018-0800 | 185.5.251.33 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
6 | 2017-11-21T10:52:30.820793-0800 | 185.5.251.33 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
7 | 2017-11-21T10:52:30.820976-0800 | 185.5.251.33 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
8 | 2017-11-21T10:52:32.076961-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
9 | 2017-11-21T10:52:32.076961-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
10 | 2017-11-21T10:52:35.992069-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
11 | 2017-11-21T10:52:35.992069-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
12 | 2017-11-21T10:52:37.371833-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
13 | 2017-11-21T10:52:37.371833-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
14 | 2017-11-21T10:52:38.450534-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
15 | 2017-11-21T10:52:38.450534-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
16 | 2017-11-21T10:52:40.809229-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
17 | 2017-11-21T10:52:40.809229-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
18 | 2017-11-21T10:52:41.902943-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
19 | 2017-11-21T10:52:41.902943-0800 | 185.127.26.227 | 10.11.21.101 | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
20 | 2017-11-21T10:52:32.080802-0800 | 185.127.26.227 | 10.11.21.101 | ET TROJAN Observed Malicious SSL Cert (IcedID CnC)
DNS (36 items, first 20 shown)

# | Timestamp | Src IP | Dest IP | DNS Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2017-11-21T10:39:45.056885-0800 | 10.11.21.101 | 10.11.21.1 | query | usroute66popcorn.com | A | (not set)
2 | 2017-11-21T10:39:45.274978-0800 | 10.11.21.1 | 10.11.21.101 | answer | usroute66popcorn.com | A | (not set)
3 | 2017-11-21T10:40:12.599084-0800 | 10.11.21.101 | 10.11.21.1 | query | api.ipify.org | A | (not set)
4 | 2017-11-21T10:40:12.652320-0800 | 10.11.21.1 | 10.11.21.101 | answer | api.ipify.org | A | (not set)
5 | 2017-11-21T10:40:43.393980-0800 | 10.11.21.101 | 10.11.21.1 | query | artifexbygg.se | A | (not set)
6 | 2017-11-21T10:40:43.814773-0800 | 10.11.21.1 | 10.11.21.101 | answer | artifexbygg.se | A | (not set)
7 | 2017-11-21T10:40:51.811224-0800 | 10.11.21.101 | 10.11.21.1 | query | kbentertainmentanddesign.com | A | (not set)
8 | 2017-11-21T10:40:51.864113-0800 | 10.11.21.1 | 10.11.21.101 | answer | kbentertainmentanddesign.com | A | (not set)
9 | 2017-11-21T10:40:12.812719-0800 | 10.11.21.101 | 10.11.21.1 | query | fortroledin.com | A | (not set)
10 | 2017-11-21T10:40:12.946927-0800 | 10.11.21.1 | 10.11.21.101 | answer | fortroledin.com | A | (not set)
11 | 2017-11-21T10:40:42.567284-0800 | 10.11.21.101 | 10.11.21.1 | query | himsedtione.ru | A | (not set)
12 | 2017-11-21T10:40:42.660506-0800 | 10.11.21.1 | 10.11.21.101 | answer | himsedtione.ru | A | (not set)
13 | 2017-11-21T10:40:50.450001-0800 | 10.11.21.101 | 10.11.21.1 | query | himsedtione.ru | A | (not set)
14 | 2017-11-21T10:40:50.542972-0800 | 10.11.21.1 | 10.11.21.101 | answer | himsedtione.ru | A | (not set)
15 | 2017-11-21T10:40:53.442861-0800 | 10.11.21.101 | 10.11.21.1 | query | fortroledin.com | A | (not set)
16 | 2017-11-21T10:40:53.495851-0800 | 10.11.21.1 | 10.11.21.101 | answer | fortroledin.com | A | (not set)
17 | 2017-11-21T10:42:14.472734-0800 | 10.11.21.101 | 10.11.21.1 | query | agaratas.com | A | (not set)
18 | 2017-11-21T10:42:14.526329-0800 | 10.11.21.1 | 10.11.21.101 | answer | agaratas.com | A | (not set)
19 | 2017-11-21T10:42:16.256570-0800 | 10.11.21.101 | 10.11.21.1 | query | b84AC83F50000000E.agaratas.com | A | (not set)
20 | 2017-11-21T10:42:16.483065-0800 | 10.11.21.1 | 10.11.21.101 | answer | b84AC83F50000000E.agaratas.com | A | (not set)
TLS (20 items, all shown)

# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
1 | 2017-11-21T10:52:30.820008-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
2 | 2017-11-21T10:52:30.820785-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
3 | 2017-11-21T10:52:30.820882-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
4 | 2017-11-21T10:52:32.076913-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
5 | 2017-11-21T10:52:35.992004-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
6 | 2017-11-21T10:52:37.371739-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
7 | 2017-11-21T10:52:38.450439-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
8 | 2017-11-21T10:52:40.809219-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
9 | 2017-11-21T10:52:41.902858-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
10 | 2017-11-21T10:52:32.080737-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
11 | 2017-11-21T10:52:32.106233-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | localhost
12 | 2017-11-21T10:52:34.834936-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
13 | 2017-11-21T10:52:29.122903-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
14 | 2017-11-21T10:52:30.820209-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
15 | 2017-11-21T10:52:30.821607-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
16 | 2017-11-21T10:52:30.821615-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | localhost
17 | 2017-11-21T10:52:31.434255-0800 | 10.11.21.101 | 185.5.251.33 | TLS 1.2 | atlanimeday.com
18 | 2017-11-21T10:52:39.665715-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
19 | 2017-11-21T10:57:31.942890-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
20 | 2017-11-21T11:02:32.788814-0800 | 10.11.21.101 | 185.127.26.227 | TLS 1.2 | gooblesooq.com
TFTP (0 items)

# | Timestamp | Src IP | Dest IP | TFTP Packet | TFTP File | TFTP Mode
No results found.
HTTP (23 items, first 20 shown)

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2017-11-21T10:40:12.804929-0800 | 10.11.21.101 | api.ipify.org | 80 | GET | / | 200
2 | 2017-11-21T10:40:43.392571-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
3 | 2017-11-21T10:40:53.322119-0800 | 10.11.21.101 | artifexbygg.se | 80 | GET | /wp-content/plugins/easyrotator-for-wordpress/2 | 200
4 | 2017-11-21T10:42:55.258320-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
5 | 2017-11-21T10:48:57.308420-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
6 | 2017-11-21T10:44:55.922652-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
7 | 2017-11-21T10:50:58.410459-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
8 | 2017-11-21T10:46:56.617597-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
9 | 2017-11-21T10:57:00.304107-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
10 | 2017-11-21T10:42:16.240570-0800 | 10.11.21.101 | usroute66popcorn.com | 80 | GET | /?P6SYKyUjh=louis.cheezit@yahoo.com | 200
11 | 2017-11-21T10:52:59.004874-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
12 | 2017-11-21T11:05:02.936493-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
13 | 2017-11-21T10:42:55.258320-0800 | 10.11.21.101 | artifexbygg.se | 80 | GET | /wp-content/plugins/easyrotator-for-wordpress/4 | 200
14 | 2017-11-21T10:59:00.938237-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
15 | 2017-11-21T10:54:59.621291-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
16 | 2017-11-21T11:03:02.235117-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
17 | 2017-11-21T10:42:55.258320-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /mlu/forum.php | 200
18 | 2017-11-21T11:01:01.537317-0800 | 10.11.21.101 | himsedtione.ru | 80 | POST | /ls5/forum.php | 200
19 | 2017-11-21T10:42:55.258320-0800 | 10.11.21.101 | fortroledin.com | 80 | POST | /d2/about.php | 200
20 | 2017-11-21T10:42:55.258320-0800 | 10.11.21.101 | artifexbygg.se | 80 | GET | /wp-content/plugins/easyrotator-for-wordpress/1 | 200
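The HTTP table above contains one request pattern that stands out from the rest: repeated POSTs to himsedtione.ru /ls5/forum.php from 10.11.21.101, spaced about two minutes apart, which is the shape of a C2 check-in loop. The following script is an added example (it is not part of the pcap analyzer output on this page) that computes the inter-request period and jitter per (source, host, method, URL) group and flags groups whose timing is regular. The rows embedded in it are constructed from the HTTP table as shown, including the repeated 10:42:55.258320 timestamps; the grouping key, the four-hit minimum and the 10 % jitter threshold are assumptions chosen for the demonstration.

```python
"""Periodic-beacon check over HTTP log rows (added example).

Not code from the pcap analyzer that produced this page. The rows below are
constructed from the page's HTTP table; the grouping key, min_hits and
max_jitter are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed from the page's HTTP table: timestamp|source|host|method|url.
# Several rows share 10:42:55.258320 exactly as the page lists them.
SAMPLE_ROWS = """\
2017-11-21T10:40:12.804929-0800|10.11.21.101|api.ipify.org|GET|/
2017-11-21T10:40:43.392571-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:40:53.322119-0800|10.11.21.101|artifexbygg.se|GET|/wp-content/plugins/easyrotator-for-wordpress/2
2017-11-21T10:42:55.258320-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:48:57.308420-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:44:55.922652-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:50:58.410459-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:46:56.617597-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:57:00.304107-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:42:16.240570-0800|10.11.21.101|usroute66popcorn.com|GET|/?P6SYKyUjh=louis.cheezit@yahoo.com
2017-11-21T10:52:59.004874-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T11:05:02.936493-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:42:55.258320-0800|10.11.21.101|artifexbygg.se|GET|/wp-content/plugins/easyrotator-for-wordpress/4
2017-11-21T10:59:00.938237-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:54:59.621291-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T11:03:02.235117-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:42:55.258320-0800|10.11.21.101|himsedtione.ru|POST|/mlu/forum.php
2017-11-21T11:01:01.537317-0800|10.11.21.101|himsedtione.ru|POST|/ls5/forum.php
2017-11-21T10:42:55.258320-0800|10.11.21.101|fortroledin.com|POST|/d2/about.php
2017-11-21T10:42:55.258320-0800|10.11.21.101|artifexbygg.se|GET|/wp-content/plugins/easyrotator-for-wordpress/1
"""

# Matches the page's timestamp layout; %z accepts the "-0800" offset.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_rows(text):
    """Parse pipe-separated rows into (datetime, source, host, method, url)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, host, method, url = line.split("|")
        rows.append((datetime.strptime(ts, TS_FORMAT), src, host, method, url))
    return rows


def find_beacons(rows, min_hits=4, max_jitter=0.10):
    """Group requests by (source, host, method, url) and measure timing.

    Returns {key: {"hits", "period_s", "jitter", "beacon"}} for every group
    with at least min_hits requests. period_s is the median gap between
    consecutive requests; jitter is the population stdev of the gaps divided
    by that median; beacon is True when jitter stays at or under max_jitter.
    """
    by_key = defaultdict(list)
    for ts, src, host, method, url in rows:
        by_key[(src, host, method, url)].append(ts)

    result = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)  # median resists a single long first gap
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        result[key] = {
            "hits": len(stamps),
            "period_s": round(period, 3),
            "jitter": round(jitter, 4),
            "beacon": jitter <= max_jitter,
        }
    return result


def beacon_keys(text=SAMPLE_ROWS):
    """Keys flagged as beacons in the given rows (defaults to the sample)."""
    return {k for k, v in find_beacons(parse_rows(text)).items() if v["beacon"]}


if __name__ == "__main__":
    for key, stats in find_beacons(parse_rows(SAMPLE_ROWS)).items():
        print(key, stats)
```

On the sample, only the /ls5/forum.php group has enough hits to be scored; its median gap comes out just under 121 seconds with jitter around 2.5 %, while every other (source, host, method, URL) combination appears once. The median is used for the period because the first gap in the table (10:40:43 to 10:42:55) is noticeably longer than the later ones, and a mean would let that single outlier inflate the reported period.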
SMB (0 items)

# | Timestamp | Src IP | Dest IP | SMB Dialect | Command | Session | Tree
No results found.

SMTP (0 items)

# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow (60 items, first 20 shown)

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2017-11-21T11:04:18.692830-0800 | 1096107651544838 | flow | 10.11.21.101 | 49179 | 31.216.35.44 | 80 | TCP | pcapanalyzer
2 | 2017-11-21T11:04:18.692830-0800 | 710325099142718 | flow | 10.11.21.101 | 49180 | 91.221.37.38 | 80 | TCP | pcapanalyzer
3 | 2017-11-21T11:04:18.692830-0800 | 992912543586013 | flow | 10.11.21.101 | 49213 | 185.111.107.150 | 80 | TCP | pcapanalyzer
4 | 2017-11-21T11:04:18.692830-0800 | 1557513925823254 | flow | 10.11.21.101 | 53650 | 10.11.21.1 | 53 | UDP | pcapanalyzer
5 | 2017-11-21T11:04:18.692830-0800 | 572965667946858 | flow | 10.11.21.101 | 49212 | 185.127.26.227 | 443 | TCP | pcapanalyzer
6 | 2017-11-21T11:04:18.692830-0800 | 573461716992521 | flow | 10.11.21.101 | 62247 | 10.11.21.1 | 53 | UDP | pcapanalyzer
7 | 2017-11-21T11:04:18.692830-0800 | 1700512629148683 | flow | 10.11.21.101 | 49177 | 185.111.107.150 | 80 | TCP | pcapanalyzer
8 | 2017-11-21T11:04:18.692830-0800 | 1282152789525531 | flow | 10.11.21.101 | 49188 | 185.111.107.150 | 80 | TCP | pcapanalyzer
9 | 2017-11-21T11:04:18.692830-0800 | 1987444361868085 | flow | 10.11.21.101 | 49178 | 96.0.148.2 | 80 | TCP | pcapanalyzer
10 | 2017-11-21T11:04:18.692830-0800 | 1002599816576067 | flow | 10.11.21.101 | 59594 | 10.11.21.1 | 53 | UDP | pcapanalyzer
11 | 2017-11-21T11:04:18.692830-0800 | 440680609182336 | flow | 10.11.21.101 | 49176 | 31.216.35.44 | 80 | TCP | pcapanalyzer
12 | 2017-11-21T11:04:18.692830-0800 | 1004519667788522 | flow | 10.11.21.101 | 49206 | 185.127.26.227 | 443 | TCP | pcapanalyzer
13 | 2017-11-21T11:04:18.692830-0800 | 441775872185325 | flow | 10.11.21.101 | 49197 | 185.5.251.33 | 443 | TCP | pcapanalyzer
14 | 2017-11-21T11:04:18.692830-0800 | 1992130217429438 | flow | 10.11.21.101 | 60263 | 10.11.21.1 | 53 | UDP | pcapanalyzer
15 | 2017-11-21T11:04:18.692830-0800 | 2137072519729043 | flow | 10.11.21.101 | 49216 | 185.111.107.150 | 80 | TCP | pcapanalyzer
16 | 2017-11-21T11:04:18.692830-0800 | 1717396177421303 | flow | 10.11.21.101 | 49187 | 185.111.107.150 | 80 | TCP | pcapanalyzer
17 | 2017-11-21T11:04:18.692830-0800 | 171916667964780 | flow | 10.11.21.101 | 49214 | 185.111.107.150 | 80 | TCP | pcapanalyzer
18 | 2017-11-21T11:04:18.692830-0800 | 1020973640456223 | flow | 10.11.21.101 | 49175 | 185.111.107.150 | 80 | TCP | pcapanalyzer
19 | 2017-11-21T11:04:18.692830-0800 | 1446596356247838 | flow | 10.11.21.101 | 49202 | 185.127.26.227 | 443 | TCP | pcapanalyzer
20 | 2017-11-21T11:04:18.692830-0800 | 321744374769652 | flow | 10.11.21.101 | 59619 | 10.11.21.1 | 53 | UDP | pcapanalyzer
File (38 items, first 20 shown)

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2017-11-21T10:39:46.038265-0800 | 45.76.37.60 | 10.11.21.101 | invoice_653074.doc | Composite Document File V2 Document, Can't read SAT | 66093
2 | 2017-11-21T10:40:13.206566-0800 | 10.11.21.101 | 91.221.37.38 | /ls5/forum.php | ASCII text, with no line terminators | 120
3 | 2017-11-21T10:40:42.996224-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120
4 | 2017-11-21T10:40:43.392571-0800 | 185.111.107.150 | 10.11.21.101 | /ls5/forum.php | ASCII text, with very long lines, with no line terminators | 1052
5 | 2017-11-21T10:40:44.561470-0800 | 31.216.35.44 | 10.11.21.101 | /wp-content/plugins/easyrotator-for-wordpress/1 | 8086 relocatable (Microsoft) | 40585
6 | 2017-11-21T10:40:12.804929-0800 | 174.129.241.106 | 10.11.21.101 | / | ASCII text, with no line terminators | 15
7 | 2017-11-21T10:40:50.877737-0800 | 10.11.21.101 | 185.111.107.150 | /mlu/forum.php | data | 204
8 | 2017-11-21T10:40:52.242936-0800 | 96.0.148.2 | 10.11.21.101 | /wp-content/plugins/easyrotator-for-wordpress/2 | JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16 | 61248
9 | 2017-11-21T10:40:53.322119-0800 | 31.216.35.44 | 10.11.21.101 | /wp-content/plugins/easyrotator-for-wordpress/2 | 8086 relocatable (Microsoft) | 47387
10 | 2017-11-21T10:40:53.747628-0800 | 10.11.21.101 | 91.221.37.38 | /d2/about.php | data | 232
11 | 2017-11-21T10:40:54.229721-0800 | 31.216.35.44 | 10.11.21.101 | /wp-content/plugins/easyrotator-for-wordpress/4 | 8086 relocatable (Microsoft) | 8685
12 | 2017-11-21T10:42:15.453125-0800 | 185.153.198.40 | 10.11.21.101 | sectelfac.gz | gzip compressed data, was "sectelfac.xls", max compression, from FAT filesystem (MS-DOS, OS/2, NT) | 6146
13 | 2017-11-21T10:42:54.842860-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120
14 | 2017-11-21T10:48:56.905855-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120
15 | 2017-11-21T10:42:55.258320-0800 | 185.111.107.150 | 10.11.21.101 | /ls5/forum.php | ASCII text, with no line terminators | 12
16 | 2017-11-21T10:44:55.531776-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120
17 | 2017-11-21T10:48:57.308420-0800 | 185.111.107.150 | 10.11.21.101 | /ls5/forum.php | ASCII text, with no line terminators | 12
18 | 2017-11-21T10:44:55.922652-0800 | 185.111.107.150 | 10.11.21.101 | /ls5/forum.php | ASCII text, with no line terminators | 12
19 | 2017-11-21T10:50:57.977737-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120
20 | 2017-11-21T10:46:56.219220-0800 | 10.11.21.101 | 185.111.107.150 | /ls5/forum.php | ASCII text, with no line terminators | 120

Comments: http://malware-traffic-analysis.net/2017/11/21/index2.html
