Category Archives: Banking Trojans

HISTORICAL Malware Sample – ZeuS Banking Trojan – Traffic Sample Indicators Analysis

2012-04-11 18:03:31.581904 IP 192.168.254.194.49756 > 72.9.244.132.80: Flags [P.], seq 1:420, ack 1, win 16425, length 419
E…..@………H       …\.P…..V..P.@)}…
POST /orders2010.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mugspade.ru
Content-Length: 76
Cache-Control: no-cache…


HISTORICAL Malware Sample – USteal – Traffic Sample Indicators Analysis

2013-03-07 05:57:38.635080 IP 10.0.2.15.1039 > 10.0.2.3.53: 18556+ A? jeck1072.ucoz.ru. (34)
E..>.7…."g … ……5.*.;H|………..jeck1072.ucoz.ru…..
2013-03-07 05:57:38.665478 IP 10.0.2.3.53 > 10.0.2.15.1039: 18556 1/0/0 A 193.109.247.77 (50)
E..N….@.b. … ….5…:..H|………..jeck1072.ucoz.ru………….8@…m.M
2013-03-07 05:57:38.942737 IP 10.0.2.15.1040 > 193.109.247.77.21: Flags [S], seq 3556468413, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.8@…5. ….m.M……f…..p….w……….
2013-03-07 05:57:39.060840 IP 193.109.247.77.21 > 10.0.2.15.1040: Flags [S.], seq…


MALWARE – SpyEye Banking Trojan – Historical Traffic Sample

2010-02-13 09:23:18.680440 IP 192.168.242.131.1390 > 64.38.48.114.80: Flags [P.], seq 1:227, ack 1, win 64240, length 226
E.. ..@………@&0r.n.P6…A.J.P….B..
POST /whatsrunning/CheckNewVersion.aspx HTTP/1.0
Connection: keep-alive
Content-Length: 9
Host: www.whatsrunning.net
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
2010-02-13 09:23:39.842860 IP 192.168.242.131.1391 > 60.12.117.147.80: Flags [P.], seq 1:843, ack 1, win 64240, length 842
E..r..@………<.u..o.P.@..-.H.P….t..
POST http://nazarethimaging.com/grab/websitechk.php HTTP/1.1…


Dridex Banking Trojan Uses Macros in Spam E-mail for Infection PCAP Traffic Sample

2015-01-26 13:21:55.581158 IP 192.168.221.134.56563 > 192.168.221.2.53: 54791+ A? elektromarket.cba[.]pl. (38)
E..B.n…..b………..5…_………….elektromarket.cba[.]pl…..
2015-01-26 13:21:55.760514 IP 192.168.221.2.53 > 192.168.221.134.56563: 54791 1/0/0 A 95.211.144.65 (54)
E..R.|…..D………5…>m…………..elektromarket.cba[.]pl…………….._..A
2015-01-26 13:21:55.763961 IP 192.168.221.134.49158 > 95.211.144.65.80: Flags [S], seq 4015467107, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
E..4.o@…l….._..A…P.W*c…… ……………..
2015-01-26 13:21:55.902226 IP 95.211.144.65.80 > 192.168.221.134.49158: Flags [S.], seq 4178395771, ack 4015467108,…


Gameover ZeuS Banking Malware Trojan PCAP Converted Traffic Sample

……..R.bS…………..w.
2013-09-20 08:24:28.471331 IP 172.16.98.8.1033 > 172.16.1.1.53: 14471+ A? meetandmatch.co.uk. (36)
E..@.h……..b…… .5.,._8…………meetandmatch.co[.]uk…..
2013-09-20 08:24:28.530980 IP 172.16.1.1.53 > 172.16.98.8.1033: 14471 1/0/0 A 64.40.145.4 (52)
E..P….@………b..5. .<1.8…………meetandmatch.co[.]uk………….T`..@(..
2013-09-20 08:24:28.561935 IP 172.16.98.8.1036 > 64.40.145.4.80: Flags [S], seq 3968230758, win 65535, options [mss 1460,nop,nop,sackOK], length 0
E..0.i@…….b.@(…..P..ef….p…M………..
2013-09-20 08:24:28.581616 IP 64.40.145.4.80 > 172.16.98.8.1036: Flags [S.], seq 647516673, ack…
