2020-03-25-Netwire-RAT-infection-traffic-example-1-of-2.pcap

MD5: ce0fe65a4d6c27cb9b3d8e67867bccd5
Submission Date: 2020-03-26 00:13:54
Tags: (not set)
Alert (3)

# | Timestamp | Src Ip | Dest Ip | Alert Signature | P
1 | 2020-03-25T12:03:04.451359-0700 | 116.202.210.82 | 10.3.25.101 | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project | *
2 | 2020-03-25T12:03:48.433211-0700 | 213.219.212.206 | 10.3.25.101 | ET POLICY PE EXE or DLL Windows file download HTTP | *
3 | 2020-03-25T12:03:48.433211-0700 | 213.219.212.206 | 10.3.25.101 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | *
DNS (8)

# | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2020-03-25T12:03:46.460946-0700 | 10.3.25.101 | 10.3.25.1 | query | ptgteft.com | A | (not set)
2 | 2020-03-25T12:03:46.794727-0700 | 10.3.25.1 | 10.3.25.101 | answer | ptgteft.com | A | (not set)
3 | 2020-03-25T12:02:54.765084-0700 | 10.3.25.101 | 10.3.25.1 | query | murthydigitals.com | A | (not set)
4 | 2020-03-25T12:02:54.793274-0700 | 10.3.25.1 | 10.3.25.101 | answer | murthydigitals.com | A | (not set)
5 | 2020-03-25T12:03:48.150897-0700 | 10.3.25.101 | 10.3.25.1 | query | matpincscr.com | A | (not set)
6 | 2020-03-25T12:03:48.433211-0700 | 10.3.25.1 | 10.3.25.101 | answer | matpincscr.com | A | (not set)
7 | 2020-03-25T12:03:49.536595-0700 | 10.3.25.101 | 10.3.25.1 | query | www.Novmintservices.com | A | (not set)
8 | 2020-03-25T12:03:49.559315-0700 | 10.3.25.1 | 10.3.25.101 | answer | www.Novmintservices.com | A | (not set)
TLS (0)

# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
No results found.

TFTP (0)

# | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode
No results found.

HTTP (3)

# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2020-03-25T12:02:55.581932-0700 | 10.3.25.101 | murthydigitals.com | 80 | GET | /PM_2019_Screen_18_Tax_File.doc | 200
2 | 2020-03-25T12:03:47.692349-0700 | 10.3.25.101 | ptgteft.com | 80 | GET | /Exten/TY1920/TY30.exe | 200
3 | 2020-03-25T12:03:49.524897-0700 | 10.3.25.101 | matpincscr.com | 80 | GET | /tec_encrypted_340BD0.bin | 200

SMB (0)

# | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree
No results found.

SMTP (0)

# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow (8)

# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2020-03-25T12:03:48.433211-0700 | 569567073373448 | flow | 10.3.25.101 | 49710 | 185.163.47.213 | 2121 | TCP | pcapanalyzer
2 | 2020-03-25T12:03:48.433211-0700 | 578504896720028 | flow | 10.3.25.101 | 53040 | 10.3.25.1 | 53 | UDP | pcapanalyzer
3 | 2020-03-25T12:03:48.433211-0700 | 1704860073610609 | flow | 10.3.25.101 | 51450 | 10.3.25.1 | 53 | UDP | pcapanalyzer
4 | 2020-03-25T12:03:48.433211-0700 | 159676869455891 | flow | 10.3.25.101 | 50565 | 10.3.25.1 | 53 | UDP | pcapanalyzer
5 | 2020-03-25T12:03:48.433211-0700 | 317108892082901 | flow | 10.3.25.101 | 49685 | 116.202.210.82 | 80 | TCP | pcapanalyzer
6 | 2020-03-25T12:03:48.433211-0700 | 602024141012874 | flow | 10.3.25.101 | 49708 | 213.219.212.206 | 80 | TCP | pcapanalyzer
7 | 2020-03-25T12:03:48.433211-0700 | 1932050958693505 | flow | 10.3.25.101 | 49709 | 213.219.212.206 | 80 | TCP | pcapanalyzer
8 | 2020-03-25T12:03:48.433211-0700 | 1089215166285970 | flow | 10.3.25.101 | 63773 | 10.3.25.1 | 53 | UDP | pcapanalyzer
File (3)

# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2020-03-25T12:02:55.581932-0700 | 116.202.210.82 | 10.3.25.101 | /PM_2019_Screen_18_Tax_File.doc | Microsoft Word 2007+ | 117204
2 | 2020-03-25T12:03:47.692349-0700 | 213.219.212.206 | 10.3.25.101 | /Exten/TY1920/TY30.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 65536
3 | 2020-03-25T12:03:49.524897-0700 | 213.219.212.206 | 10.3.25.101 | /tec_encrypted_340BD0.bin | data | 130624

Comments: (not set)