HISTORICAL Malware Sample – Citadel Banking Trojan – Traffic Sample Indicators Analysis

By | July 25, 2015

2013-02-03 21:49:49.204451 IP 172.16.253.130.1068 > 174.112.126.155.80: Flags [P.], seq 0:428, ack 1, win 64240, length 428

E….D@…”A…..p~..,.P[..0W.E.P…….POST /C270suqdh/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: vivaspace2013.com

Content-Length: 122

Connection: Keep-Alive

Cache-Control: no-cache

 

..Cx.oB…3.Yc>……..8|….M………8…E.a4.!.A…A+.z.Q…,\.\<\.#.$?………@;…C

‘J-j*L…R….)3.HP….eu…….

2013-02-03 21:49:49.206158 IP 172.16.253.130.1067 > 174.112.126.155.80: Flags [.], ack 3569868611, win 64240, length 0

E..(.E@…#……p~..+.P5(d….CP…….

2013-02-03 21:49:49.206353 IP 172.16.253.130.1067 > 174.112.126.155.80: Flags [P.], seq 0:434, ack 1, win 64240, length 434

E….F@…”9…..p~..+.P5(d….CP…K…POST /C270suqdh/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: vivaspace2013.com

Content-Length: 128

Connection: Keep-Alive

Cache-Control: no-cache

 

 

..D.J..$F…..x.N…’=..2e.>….r.dK<..v.*….I.>..Mn…./.kJH..r……..FZo.iS~!z..URF……….U.eq[…,…1u^..!yE!W:..

5&b.

 
