| Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| T:11:18:00 | WinXP | 188.129.213.30 (ISA2.BOG.GE): RUSTAVI, GE. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | f8b57d78bf NEW | none[none] | none:none | none\|none | none | none |
| T:11:34:00 | WinXP | 211.40.96.220 (BORA.NET): BORANET-NET, SUWON, KYONGGI-DO, KR. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 33; 33 of 33 | 4c3df24b32 NEW; 53bfe15e91 NEW | none[0]; 1473091351[0] | none:none; ASM:Graph | Armadillo\|; tElock\| | lines=90; lines=75 embedded dns | trace; trace |
| T:11:39:00 | WinXP | 77.255.88.159 (COM.PL): NETIA, PL. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 42 of 43 | 420b1a76c4 NEW | none[none] | none:none | none\|none | none | none |
| T:12:00:00 | WinXP | 95.180.23.248 (IKOMLINE.NET): IKOMLINE, RS. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 38 of 42 | 8a2553433c NEW | none[none] | none:none | none\|none | none | none |
| T:12:05:00 | Win2K-f | 61.150.5.66 (163DATA.COM.CN): XI'AN DATA BRANCH XIAN CITY SHAANXI PROVINCE, XIAN, SHAANXI, CN. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41; 41 of 43 | 5799ab6538 NEW; ddbe111920 NEW | 2713679411 [0]; none [none] | ASM:Graph; none:none | tElock\|; none\|none | lines=64 embedded dns; none | trace; none |
| T:12:33:00 | WinXP | 117.20.170.77 (-): STARHUB HSPA, SINGAPORE, SINGAPORE, SG. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 42 of 43 | b269b15ffd NEW | none[none] | none:none | none\|none | none | none |
| T:12:47:00 | Win2K-f | 70.184.249.117 (COX.NET): COX COMMUNICATIONS, TULSA, OKLAHOMA, US. (DSL) | 83.133.119.197:65520 | EU:proxim.ircgalaxy.pl US:microsoft.com EU:ii.derquda.com | 135 | pcap | raw alerts ruleset | irc http 147 lines | Yeah : 1.8 profile | none | summary tarball | 14 of 43; 32 of 36; 35 of 36 | 9d2da7680e NEW; bea8cb1865 NEW; fac78fde16 NEW | none[none]; 154de51a66[0]; 882896ab05[0] | none:none; ASM:Graph; ASM:Graph | none\|none; Armadillo\|; tElock\| | none; lines=91; lines=126 embedded dns | none; trace; trace |
| T:12:48:00 | Win2K-f | 24.81.26.245 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VANCOUVER, BRITISH COLUMBIA, CA. (DSL) | n/a | DE:irc.zief.pl EU:ii.derquda.com | 135 | pcap | raw alerts ruleset | http 346 lines | Yeah : 1.3 profile | none | summary tarball | 14 of 43; 34 of 40 | 9d2da7680e NEW; a72398081f NEW | none[none]; 3f0ad45d1c[0] | none:none; ASM:Graph | none\|none; tElock\| | none; lines=10 | none; trace |
| T:13:03:00 | Win2K-f | 91.194.198.96 (TRONIC.PL): P.H.U. TRONIC, PL. (DSL) | n/a | DE:irc.zief.pl US:gg.arrancar.org US:69.43.160.145:555 | 445 | pcap | raw alerts ruleset | other 7 lines | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:13:10:00 | Win2K-f | 187.7.71.108 (VELOXZONE.COM.BR): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | 83.133.119.197:65520 | EU:proxim.ircgalaxy.pl US:microsoft.com | 445 | pcap | raw alerts ruleset | irc 23 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:14:37:00 | WinXP | 173.20.142.187 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, ALBANY, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 37 of 41; 38 of 41 | 692f9bb8df NEW; d482a2bec3 NEW | 2bf6f4e9f0 [0]; 50a83c6b54[0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| T:14:39:00 | WinXP | 173.30.226.220 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, SPRINGFIELD, MISSOURI, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 76 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:14:48:00 | Win2K-f | 70.252.74.67 (SWBELL.NET): AT&T INTERNET SERVICES, LITTLE ROCK, ARKANSAS, US. (DIAL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 32 | 53bfe15e91 NEW; 73f1082158 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:14:53:00 | WinXP | 174.42.149.94 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - WARRENSVILLE HEIGHTS, CHARLOTTE, NORTH CAROLINA, US. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 42 of 43 | 95d1a78f0d NEW | none[none] | none:none | none\|none | none | none |
| T:14:58:00 | WinXP | 208.53.202.21 (MT-RUSHMORE.NET): FORT RANDALL TELEPHONE CO, CONGRESS, ARIZONA, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru :kidos-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 26 of 28 | 7d99b0e910 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| T:15:49:00 | WinXP | 72.251.24.67 (1DIAL.COM): AD-BASE SYSTEMS INC. (DBA GLOBALPOPS), SAN FRANCISCO, CALIFORNIA, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 43 of 43 | 3a7a43199e NEW | none[none] | none:none | none\|none | none | none |
| T:16:27:00 | Win2K-f | 110.12.70.181 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 83.133.119.197:65520 | US:microsoft.com EU:proxim.ircgalaxy.pl EU:ii.derquda.com | 135 | pcap | raw alerts ruleset | irc http 133 lines | Yeah : 1.8 profile | none | summary tarball | 29 of 32; 28 of 32; 14 of 43 | 8a75955033 NEW; 9276c8b36b NEW; 9d2da7680e NEW | 2bf3e548b9 [0]; none [0]; none [none] | ASM:Graph; none:none; none:none | tElock\|; Armadillo\|; none\|none | lines=126 embedded dns; lines=90; none | trace; trace; none |
| 16:35:00 | Win2K-f | 200.107.121.33 (-): SERCOM DE HONDURAS, TEGUCIGALPA, FRANCISCO MORAZAN, HN. (DSL) | n/a | US:www.maxmind.com EU:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 5 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| T:16:43:00 | Win2K-f | 67.14.211.51 (ARTELCO.COM): WORLD LYNX, MAGAZINE, ARKANSAS, US. (DSL) | 91.193.194.67:65520 | EU:proxim.ircgalaxy.pl EU:ii.derquda.com | 445 | pcap | raw alerts ruleset | irc http 13 lines | Yeah : 1.3 profile | none | summary tarball | 14 of 43 | 9d2da7680e NEW | none[none] | none:none | none\|none | none | none |
| T:16:52:00 | Win2K-f | 70.164.194.141 (COX.NET): COX COMMUNICATIONS, OCALA, FLORIDA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41; 40 of 41 | 3b3a6d7615 NEW; b7a694b220 NEW | ed7beb96f5 [0]; 9f0354af30[0] | ASM:Graph; ASM:Graph | Armadillo\|; tElock\| | lines=91; lines=64 embedded dns | trace; trace |
| T:17:49:00 | WinXP | 184.74.71.220 (-): . | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:17:56:00 | WinXP | 187.94.18.160 (CAMPUSEAI.ORG): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 41 of 43 | fb486908b0 NEW | none[none] | none:none | none\|none | none | none |
| T:18:40:00 | WinXP | 12.76.244.217 (ATT.NET): AT&T WORLDNET SERVICES, SIMPSONVILLE, SOUTH CAROLINA, US. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 26 of 28 | a92e3f8fc8 NEW | none[0] | none:none | PolyEnE\| | lines=68 | trace |
| T:19:01:00 | Win2K-f | 61.222.227.12 (-): TAIWAN PROVINCE RUNNING WATER CO. LTD. DI SEVERN DISTRICT MANAGE CHU, KAOHSIUNG, T'AI-WAN, TW. (100Mbps) | n/a |  | 135 | pcap | raw alerts ruleset | other 18 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none |
| T:19:09:00 | WinXP | 116.59.113.147 (HINET.NET): CHT-MOBILE BUSINESS GROUP CHUNGHWA, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 1.3 profile | none | summary tarball | 41 of 41 | 5c6df5141d NEW | none[none] | none:none | none\|none | none | none |
| 19:35:00 | WinXP | 115.81.154.214 (TAIWANMOBILE.NET): TAIWAN MOBILE CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 35 of 35 | 9716d7995a NEW | c3a5354b6f [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 19:36:00 | Win2K-f | 210.212.213.82 (-): THE TRANSPORT COMMISSIONER, HYDERABAD, ANDHRA PRADESH, IN. (100Mbps) | n/a | US:www.maxmind.com US:checkip.dyndns.org :www.getmyip.org EU:getmyip.co.uk US:www.vouchercodes.net US:67.15.94.80:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 62 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37; 1 of 42 | d9cb288f31 NEW; f42aec228d NEW | 45603a001c [0]; none [none] | ASM:Graph; none:none | UPX\|; none\|none | lines=174 embedded dns; none | trace; none |
| T:19:45:00 | WinXP | 187.80.48.96 (CAMPUSEAI.ORG): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | none | 7b57508def NEW | none[none] | none:none | none\|none | none | none |
| T:19:45:00 | Win2K-f | 210.212.213.82 (-): THE TRANSPORT COMMISSIONER, HYDERABAD, ANDHRA PRADESH, IN. (100Mbps) | n/a | US:www.maxmind.com :www.getmyip.org EU:checkip.dyndns.org DE:131.220.6.26:80 | 445 | pcap | raw alerts ruleset | http 6 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX\| | lines=174 embedded dns | trace |
| 20:41:00 | WinXP | 187.80.48.96 (CAMPUSEAI.ORG): COMITE GESTOR DA INTERNET NO BRASIL, BR. (DSL) | n/a | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | none | 7b57508def NEW | none[none] | none:none | none\|none | none | none |
| T:21:02:00 | Win2K-f | 174.116.12.117 (ROGERS.COM): ROGERS CABLE COMMUNICATIONS INC, ST. JOHN'S, NEWFOUNDLAND AND LABRADOR, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33; 0 of 33 | 53bfe15e91 NEW; a08f3b74a4 NEW | 1473091351 [0]; none [0] | ASM:Graph; none:none | tElock\|; Armadillo\| | lines=75 embedded dns; lines=90 | trace; trace |
| T:21:05:00 | WinXP | 174.39.150.253 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - OMAHA, NORTH PLATTE, NEBRASKA, US. (DSL) | 213.155.0.224:80 | DE:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 1.3 profile | none | summary tarball | 34 of 34 | d20f157117 NEW | 738f555183 [0] | ASM:Graph | PolyEnE\| | lines=68 | trace |
| 23:20:00 | Win2K-f | 190.221.87.201 (-): . | n/a | US:www.maxmind.com EU:checkip.dyndns.org :www.getmyip.org EU:getmyip.co.uk US:www.vouchercodes.net US:217.160.239.39:80 US:67.15.94.80:80 EU:91.198.22.70:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | dc331fb791 NEW | none[3] | none:none | UPX\| | none | trace |
| 23:55:00 | WinXP | 98.134.176.219 (WINDSTREAM.NET): ALLTEL MIP CUSTOMERS - LITTLE ROCK, HOT SPRINGS NATIONAL PARK, ARKANSAS, US. (DSL) | n/a | DE:citi-bank.ru DE:213.155.0.224:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 42 of 43 | aad01847fa NEW | none[none] | none:none | none\|none | none | none |