Category Archives: Banking Trojans

Tinba Tiny Banking Trojan Malware Traffic Sample PCAP Download

Download Tinba PCAP sample: tinba.pcap Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy. 2012-05-09 22:14:39.253725 IP 10.0.2.15.1026 >… Read More »

SpyEye Banking Trojan Malware Traffic Sample PCAP Download

Download SpyEye Banking Trojan PCAP : spyeye.pcap 2010-02-13 09:23:18.490261 IP 192.168.242.131.56129 > 192.168.242.2.53: 32546+ A? www.whatsrunning.net. (38) E..B…….A………A.5..F(.”………..www.whatsrunning.net….. 2010-02-13 09:23:18.575013 ARP, Request who-has 192.168.242.131 tell 192.168.242.2, length 46 ………PV…………………………….. 2010-02-13 09:23:18.575035 ARP, Reply 192.168.242.131 is-at 00:0c:29:8c:57:d8, length 28 ……….).W……PV……. 2010-02-13 09:23:18.575271 IP 192.168.242.2.53 > 192.168.242.131.56129: 32546 2/0/0 CNAME whatsrunning.net., A 64.38.48.114 (68) E..`!…………….5.A.L…”………..www.whatsrunning.net………………………….@&0r 2010-02-13 09:23:18.595196… Read More »

Malware Sample Dridex Banking Trojan .DOC Macro Download .EXE & C2 PCAP Traffic Sample

Dridex PCAP Sample #2: dridex2.pcap This is what happens when you open the .doc file – a Macro runs which downloads a malicious executable: Checks in and downloads data from: https://119.160.223.115:1143 https://151.80.142.33:1743 https://202.69.40.173:243 https://216.117.130.191:1143 After checking in, these C2 sites were used: https://103.23.154.184:443 https://129.15.78.110:443 https://148.202.223.222:443 https://14.98.240.58:443 https://176.53.0.103:443 https://181.177.231.245:443 https://185.47.108.92:443 https://188.126.116.26:443… Read More »

New Dridex Banking Trojan Malware Spam Campaign Traffic Analysis and PCAP

Download: Dridex PCAP Sample One This is a sample of the above pcap from the new Dridex campaign; you can see a few key elements: Hostile IP: 119.160.223.115 Port: 1143 Crafted X.509 SSL Certificate: Gofonfee Airehas Corp.1.0…U….ichetitssore.re0 2016-01-27 07:07:50.343095 IP 119.160.223.115.1143 > 192.168.56.17.49160: Flags [.], ack 96, win 115, length 0 EH.(.s@.0..Gw..s..8..w…<.F.Av.P..s………. 2016-01-27… Read More »

HISTORICAL Malware Sample – Citadel Banking Trojan – Traffic Sample Indicators Analysis

2013-02-03 21:49:49.204451 IP 172.16.253.130.1068 > 174.112.126.155.80: Flags [P.], seq 0:428, ack 1, win 64240, length 428 E….D@…”A…..p~..,.P[..0W.E.P…….POST /C270suqdh/file.php HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: vivaspace2013.com Content-Length: 122 Connection: Keep-Alive Cache-Control: no-cache   ..Cx.oB…3.Yc>……..8|….M………8…E.a4.!.A…A+.z.Q…,\.\<\.#.$?………@;…C ‘J-j*L…R….)3.HP….eu……. 2013-02-03 21:49:49.206158 IP… Read More »