2016-01-19 - EITEST ANGLER EK FROM 89.45.67.196

PCAP AND MALWARE:

NOTES:

TRAFFIC

ASSOCIATED DOMAINS:

COMPROMISED SITE AND REDIRECT:

ANGLER EK:

POST-INFECTION HTTP TRAFFIC:

OTHER IP ADDRESSES FROM THE PCAP:

MALWARE RETRIEVED FROM THE INFECTED HOST (1 OF 2):

File name: C:\Users\[username]\AppData\Local\Temp\{C04D850C-EE67-4643-A4C8-52C639ED76BB}\TMPC9A4.tmp
File size: 190.0 KB (194,560 bytes)
MD5 hash: 80f6cb1af6ebd2f1d4365c1751b0527a
SHA1 hash: fe0e79f3b318bcd43b6cffcbd3d11e9435c43f65
SHA256 hash: 37fb40b722079bb4fbafe75a92efa5d923869a016ec629cfe134b4682bd85a00
Detection ratio: 17 / 54
First submission: 2016-01-20 01:10:49 UTC
MALWARE RETRIEVED FROM THE INFECTED HOST (2 OF 2) - KOVTER:

File name: C:\Users\[username]\AppData\Local\Temp\{E2E499C7-78BB-4A42-9237-95F11006E23E}\TMPC9B5.tmp
File size: 308.1 KB (315,449 bytes)
MD5 hash: 0447e3f16b04f6923534ebe33a85d119
SHA1 hash: d8f733dcd290c0522317a5605cd9f73095554e0f
SHA256 hash: 1fab44d73ff5a75946ba1360c673a190b63161911c849d9464f3d2e9299ca2b4
Detection ratio: 17 / 54
First submission: 2016-01-20 14:26:31 UTC
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.