2020-03-25-Netwire-RAT-infection-traffic-example-2-of-2.pcap

MD5: 91d819c88fc9f843a0bce3b831b1caf7
Submission Date: 2020-03-26 00:15:29
Tags: (not set)
Alert (4)
# | Timestamp | Src Ip | Dest Ip | Alert Signature | P
1 | 2020-03-25T12:46:09.414168-0700 | 10.3.25.102 | 213.219.212.206 | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile | *
2 | 2020-03-25T12:45:24.005729-0700 | 104.27.138.31 | 10.3.25.102 | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project | *
3 | 2020-03-25T12:46:08.928314-0700 | 213.219.212.206 | 10.3.25.102 | ET POLICY PE EXE or DLL Windows file download HTTP | *
4 | 2020-03-25T12:46:08.928314-0700 | 213.219.212.206 | 10.3.25.102 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | *
DNS (8)
# | Timestamp | Src Ip | Dest Ip | Dns Type | Resource Record Name | Resource Record Type | Resource Data
1 | 2020-03-25T12:46:08.581008-0700 | 10.3.25.102 | 10.3.25.1 | query | saidialxo.com | A | (not set)
2 | 2020-03-25T12:46:08.928314-0700 | 10.3.25.1 | 10.3.25.102 | answer | saidialxo.com | A | (not set)
3 | 2020-03-25T12:45:12.665307-0700 | 10.3.25.102 | 10.3.25.1 | query | www.artizaa.com | A | (not set)
4 | 2020-03-25T12:45:12.718584-0700 | 10.3.25.1 | 10.3.25.102 | answer | www.artizaa.com | A | (not set)
5 | 2020-03-25T12:46:10.308339-0700 | 10.3.25.102 | 10.3.25.1 | query | www.rossogato.com | A | (not set)
6 | 2020-03-25T12:46:10.669547-0700 | 10.3.25.1 | 10.3.25.102 | answer | www.rossogato.com | A | (not set)
7 | 2020-03-25T12:46:10.933682-0700 | 10.3.25.102 | 10.3.25.1 | query | www.myamystills.com | A | (not set)
8 | 2020-03-25T12:46:11.044642-0700 | 10.3.25.1 | 10.3.25.102 | answer | www.myamystills.com | A | (not set)
TLS (0)
# | Timestamp | Source IP | Destination IP | TLS Version | Server Name Indication
No results found.
TFTP (0)
# | Timestamp | Src Ip | Dest Ip | Tftp Packet | Tftp File | Tftp Mode
No results found.
HTTP (3)
# | Timestamp | Source | Hostname | Port | Method | URL | Status
1 | 2020-03-25T12:45:12.878842-0700 | 10.3.25.102 | www.artizaa.com | 80 | GET | /Andys_18US_Tax.doc | 200
2 | 2020-03-25T12:46:09.785219-0700 | 10.3.25.102 | saidialxo.com | 80 | GET | /lp.exe | 200
3 | 2020-03-25T12:46:10.887599-0700 | 10.3.25.102 | www.rossogato.com | 80 | GET | /ROSSO_encrypted_54E9BA0.bin | 200
SMB (0)
# | Timestamp | Src Ip | Dest Ip | SMB Dialect | Command | Session | Tree
No results found.
SMTP (0)
# | Timestamp | Source | Destination | Email From | Email To | Subject
No results found.
Flow (8)
# | Timestamp | Flow Id | Event Type | Source | Source Port | Destination | Destination Port | Protocol | Host
1 | 2020-03-25T12:46:08.928314-0700 | 577371195457330 | flow | 10.3.25.102 | 50654 | 10.3.25.1 | 53 | UDP | pcapanalyzer
2 | 2020-03-25T12:46:08.928314-0700 | 578925973648499 | flow | 10.3.25.102 | 51599 | 10.3.25.1 | 53 | UDP | pcapanalyzer
3 | 2020-03-25T12:46:08.928314-0700 | 445859296857843 | flow | 10.3.25.102 | 49837 | 185.196.8.122 | 80 | TCP | pcapanalyzer
4 | 2020-03-25T12:46:08.928314-0700 | 32447216024723 | flow | 10.3.25.102 | 49834 | 104.27.138.31 | 80 | TCP | pcapanalyzer
5 | 2020-03-25T12:46:08.928314-0700 | 909711469726321 | flow | 10.3.25.102 | 49836 | 213.219.212.206 | 80 | TCP | pcapanalyzer
6 | 2020-03-25T12:46:08.928314-0700 | 662192500778715 | flow | 10.3.25.102 | 61740 | 10.3.25.1 | 53 | UDP | pcapanalyzer
7 | 2020-03-25T12:46:08.928314-0700 | 809127630852234 | flow | 10.3.25.102 | 49838 | 185.163.47.168 | 2020 | TCP | pcapanalyzer
8 | 2020-03-25T12:46:08.928314-0700 | 974797404167568 | flow | 10.3.25.102 | 53378 | 10.3.25.1 | 53 | UDP | pcapanalyzer
File (3)
# | Timestamp | Source | Destination | File Name | File Magic | File Size
1 | 2020-03-25T12:45:12.878842-0700 | 104.27.138.31 | 10.3.25.102 | /Andys_18US_Tax.doc | Microsoft Word 2007+ | 150534
2 | 2020-03-25T12:46:09.785219-0700 | 213.219.212.206 | 10.3.25.102 | /lp.exe | PE32 executable (GUI) Intel 80386, for MS Windows | 69632
3 | 2020-03-25T12:46:10.887599-0700 | 185.196.8.122 | 10.3.25.102 | /ROSSO_encrypted_54E9BA0.bin | data | 130624

Comments: (not set)
