ADDED | TYPE | FAMILY | METHOD | URI | SAMPLE | PCAP | UA + MORE INFO |
---|---|---|---|---|---|---|---|
2/8/2015 | APT | DarkKomet | | 8EA4AB05FA7E D573BA5A4EFFC3FB629308 will vary - encrypted keep alive or other data | Sample | pcap | Library Ssheet |
2/8/2015 | APT | PlugX / Korplug / Gulpix | POST | /update?id= | Sample Sample2 | pcap | Library Ssheet |
2/7/2015 | APT | Windata | | XYZ/WinData.DLL?HELO-STX-1*10.0.0.15*RemotePC*[MAC:00-55-28-11-21-23 XYZ/WinData.DLL?HELO-STX-1*1[IPAddress]*[ComputerName]*0605[MAC:[MacAddress]]$ | Sample | | Library Ssheet |
2/4/2015 | APT | Pingbed | GET | /default.htm /default1.htm /default2.htm | Sample | pcap | Library Ssheet |
2/4/2015 | APT | Minaps backdoor | GET / POST | /download/device_ad.asp?device_t=8054693706&key=ptvcrcqz&device_id=ad&cv=ptvcrcqzlyepaudko /download/logo.png /download/record.asp?device_t=2415079444&key=vgrnuebv&device_id=ad&cv=vgrnuebvhauzshyue&result=%0D%0ATime%3A%09Fri%20Apr%2025%2013%3A09%3A12%202014%0AAgent%3A%09Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Win32%3B%20Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600))%0D%0Aid%20error%21%0D%0Ano%20command%0D%0Arun%20http%3A%2F%2FAdobeFlash.info.tm%2Fdownload%2Flogo.png%20setup.exe%09%0D%0ANext%3AFri%20Apr%2025%2014%3A09%3A14%202014%0Adelay%3A3600%20sec%0D%0A%0D%0A POST/download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi | Sample | | Library Ssheet |
2/3/2015 | APT | njRAT / Backdoor.LV | | lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|WinXPProfessionalSP2... 171.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win8.1SP0x64|'|'|Yes|'|'|0.7d|'|'|..|'|'||'|'|b88ece4c04f706c9717bbe6fbda49ed2,132.inf|'|'|Li4uLi4uLk5FVy4uL[truncated] 251.ll|'|'|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE|'|'|SENTA|'|'|sentai55|'|'|15-01-29|'|'||'|'|Win8.1SP0x64|'|'|Yes|'|'|0.7d|'|'|..|'|'|QnVyd2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb2RlXSAtIFdvcmQA|'|'|b88ece4c04f706c9717bbe6fbda49ed2, lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|WinXP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof] | Sample | | Library Ssheet |
2/3/2015 | APT | Protux worm | POST | http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 http://202.71.136.14:80/ggBwkFNqDu1869.avi /newTroy.jpg /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3 | Sample Sample2 | pcap | Library Ssheet |
2/3/2015 | APT | Wykcores | GET | 279843 /279859 /280015 /287171 /315171 /110937 /111968 /113000 /114031 /115062 | Sample | | Library Ssheet |
2/2/2015 | APT | TinyBaron / Miniduke / CosmicDuke | GET | modules/db/mgr.php? /modules/db/mgr.php?F=3? | Sample | | Library Ssheet |
2/1/2015 | APT | Cobra / Turla | POST | /%s/%s? uid=%d&context=%s&mode=text&data=%s | Sample | | Library Ssheet |
2/1/2015 | APT | Panda | POST | /forum/login.cgi | Sample | pcap | Library Ssheet |
2/1/2015 | APT | Panda | POST | /Photos/Query.cgi?loginid= | Sample | pcap | Library Ssheet |
2/1/2015 | APT | Aided Frame | GET | /img/js.php | Sample | pcap | Library Ssheet |
2/1/2015 | APT | Scanbox Watering hole framework | POST | /i/recv.php | Sample | pcap | Library Ssheet |
2/1/2015 | APT | Syria Twitter. apk | POST | /contacts | Sample | pcap | Library Ssheet |
1/22/2015 | APT | Gholee / Rocket Kitten | GET / POST | /index.php?c=Ud7atknq&r=17117d /index.php?c=Ud7atknq&r=1710b2 | Sample | pcap | Library Ssheet |
1/22/2015 | APT | Lagulon (Operation Cleaver) | POST | /contador/server.php /i/server.php /includes/server.php | Sample | pcap | Library Ssheet |
1/22/2015 | APT / CRIME | Scieron / Httneilc / HTClient | | packet data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82 0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38 0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04 0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13 0040 00 12 00 63 01 00 | Sample | pcap | Library Ssheet |
1/22/2015 | APT? | Medusa | POST | %s/bbc_mirror/%s/search?id=%s /CNN_Mirror/EN/%s/search?id=%s |00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00 | Sample | pcap | Library Ssheet |
9/9/2013 | APT | Vidgrab | POST | (172.16.253.130)|1067|WinXP|D|L|No| 0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|. | Sample | pcap | Library Ssheet |
9/8/2013 | APT | Page / stscout / Elise / lStudio / Wumins | GET | /29af9cdc/page_12082223.html | Sample | pcap | Library Ssheet |
9/8/2013 | APT | Darkcomet | GET | /a.php?id=c2ViYWxpQGxpYmVyby5pdA== | Sample | pcap | Library Ssheet |
8/9/2013 | APT (IN) | Hanove / Tourist | POST | /kamp.php | Sample | pcap | Library Ssheet |
8/7/2013 | APT | Surtr 2nd Stage DL | | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | Sample | pcap | Library Ssheet |
8/7/2013 | APT | Surtr Initial GET | | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | Sample | pcap | Library Ssheet |
7/15/2013 | APT | Taleret | GET | / | Sample | pcap | Library Ssheet |
7/15/2013 | APT | Taleret | GET | /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU- | Sample | pcap | Library Ssheet |
5/23/2013 | APT | Hangover Smackdown Minapro | GET | /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 | Sample | pcap | Library Ssheet |
5/15/2013 | APT | Mediana Proxy | GET | /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0 | Sample | pcap | Library Ssheet |
5/14/2013 | APT | Hupigon / Graybird | | ........................................;...WindowsXP5.1(2600.ServicePack3)................................................................$...DELLXT...................................................................................................................4s.love.......HACK.. | Sample | pcap | Library Ssheet |
5/14/2013 | APT | Variant Letsgo / TabMsgSQL downloader (comment crew) | GET | /index.htm | Sample | pcap | Library Ssheet |
5/14/2013 | APT | Tapaoux | GET | /ol/yahoo/banner4.php?jpg=../yahoo | Sample | pcap | Library Ssheet |
5/12/2013 | APT | Gh0st | | Gh0st....d...x.Kc``....@....\..L@:8..,39U!1 | Sample | pcap | Library Ssheet |
5/12/2013 | APT | IXESHE | GET | /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJAx_bigfix_client_string:baQMyZrdqDAA | Sample | pcap | Library Ssheet |
5/8/2013 | APT2 | KoreanBanker DL | GET | /web/down/kbs.exe | Sample | pcap | Library Ssheet |
5/5/2013 | APT | Plugx | | SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO46Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png | Sample | pcap | Library Ssheet |
5/5/2013 | APT | RssFeeder (moved from TBD tab, common name still unknown) 2nd stage | POST | /orange/news.php | Sample | pcap | Library Ssheet |
5/5/2013 | APT | RssFeeder (moved from TBD tab, common name still unknown) initialGET | POST | /data/rss | Sample | pcap | Library Ssheet |
5/5/2013 | APT | Swami | GET | /im/linux.php | Sample | pcap | Library Ssheet |
5/1/2013 | APT | Comfoo / Vinself / Mspub | POST | /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/12AzAONjkCYw/UD1aND43a0xiWQ161/ | Sample | pcap | Library Ssheet |
5/1/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f72b8 | Sample | pcap | Library Ssheet |
5/1/2013 | APT2 | Disttrack / Shamoon | GET | /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 | Sample | pcap | Library Ssheet |
4/30/2013 | APT | 9002 | POST | 9002..................wx....9002..................wx....9002....................... | Sample | pcap | Library Ssheet |
4/30/2013 | APT | MSWab /Yayih | POST | /bbs/info.asp | Sample | pcap | Library Ssheet |
4/30/2013 | APT | 9002 | POST | /2d | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | GET | /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | GET | /search?qu= | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | GET | /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | GET | /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | POST | /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Favorites | POST | /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Gh0st | GET | /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] | Sample | pcap | Library Ssheet |
4/30/2013 | APT | Gh0st var | GET | /h.gif?pid=113&v=130586214568HTTP/1.1 | Sample | pcap | Library Ssheet |
4/29/2013 | APT | Glasses | GET | /ewpindex.htm | Sample | pcap | Library Ssheet |
4/29/2013 | APT | IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | POST | /index000000001.asp | Sample | pcap | Library Ssheet |
4/29/2013 | APT | LURK | GET | LURK0........x.kf.e.apgpbpa0c..#........ | Sample | pcap | Library Ssheet |
4/28/2013 | APT | DNSWatch / Protux | GET | /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve | Sample | pcap | Library Ssheet |
4/28/2013 | APT | DNSWatch / Protux | GET | /news.jpg | Sample | pcap | Library Ssheet |
4/28/2013 | APT | DNSWatch / Protux | POST | /PHqgHumeay5705.mp3 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | APT1 WEBC2_RAVE | GET | /comp/sem/resources.htm | Sample | pcap | Library Ssheet |
4/28/2013 | APT | backdoor ? | GET | /18110123/page_32262308.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Banechant 1 | GET | /IGKKT | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Banechant payload dl 2 | GET | /adserv/logo.jpg HTTP /1.1 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Beebus | GET | /windosdate/v6/default.aspx?ln=en-us | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Beebus data send | POST | /s/asp?__uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVwBJAE4ARABPAFcAUwBNAEEAQQBOAEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==p=2 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /1799.asp | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /3961.html Cookie:Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs= | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /8223.asp (also can be like /2007.asp,/2013.asp etc | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /indexs.zip | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Coswid | GET | /old/google.png | Sample | pcap | Library Ssheet |
4/28/2013 | APT | CVE-2012-0754 SWF in DOC | GET | /test.mp4 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | CVE-2012-0779 | GET | /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Depyot | GET | /new/3d/d/pdf.php?id=2 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f6b50 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=3109c2a2 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?product=windows | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Downloader BMP | GET | /images/evil.bmp | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Einstein | GET | /gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Einstein data send | POST | /gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Enfal / Lurid | GET | /oi2c/wlc3/ [reducted]:00-00-00-00-00-00/ij83d | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Enfal / Lurid | GET | /trandocs/nm/.[reducted] :00-00-00-00-00-00lCrrrwhite | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Enfal / Lurid | POST | /cgi-bin/CMS_SubitAll.cgi | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Enfal / Lurid | POST | /cgl-bin/Owpq4.cgi | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Enfal / Lurid | POST | /Sjwpc/odw3ux | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Foxy | POST | /404error.asp | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Foxy Checkin | GET | /images/leftnav_prog_bg.jpg | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Gh0st ASP ver | GET | /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Gh0st PHP ver | GET | /ld/queenfun/vl/login.php?cd2hpdGU&uU11TVEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Gh0st v2000 var | n | v2010........f...............(......ServicePack2..?..|...|...|0.@.. | Sample | pcap | Library Ssheet |
4/28/2013 | APT | GoogleAdC2 | GET | /html/lost.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | GoogleAdC2 2nd stage | GET | /Trojan2.jpg | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Googles | GET | /sll/monica.jpg | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Greencat | GET | /<HOSTNAME>/ | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Gtalk | GET | /facebook.png | Sample | pcap | Library Ssheet |
4/28/2013 | APT | IXESHE | GET | /AWS26329.jsp?UrFvwIJIOKTRyfxR9KNRqhg8lcPr/CGjUwP8yJUs7RjH7OinJ/85cgrqiP8jKGjpqgb/wTrO7OIjhxoHcGaFaURqK/aHophHLd23K=NHk=a9oQhvDQaLky8qo/RnJz42A | Sample | pcap | Library Ssheet |
4/28/2013 | APT | IXESHE AES | GET | /AES210001129016878.jsp?UrFwUIO3h7ofgwQInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=+LLQhpkZ9LOhGbgqvJghHci7M | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /indexbak.asp?rands=IXLCGIXELZ&acc=&str=select%20id%20from%20tab_online%20where%20regcode%20=%20'IXLCGIXELZ' | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str=select%20top%201%20%20from%20tab_message%20where%20toid%20=%20'198'%20order%20by%20id%20asc | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=XJOTLVALQF&acc=vy&str=insert%20into%20tab_online%20(mode,clientname,clientip,accessip,onlinetime,lasttime,regcode)%20values%20('0','victim','192.168.1.12','145.42.112.19','2011-06-08%2013:45:54','2011-06-08%2013:45:54','NMQVPTXFBH') | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Letsgo / TabMsgSQL downloader | GET | /new/iistart.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Likseput | GET | /index.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Lingbo (?) | POST | /windowsupdatev7/search%3Fhl%3cWABQAFMAUAAzACOAUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AM>QAxADYA%26meta%3DMDAwMGhIÆÑuMDk%3D%26id%3Dlfdxfircvscxggb | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Luckycat - WIMMIE | POST | /count/count.php?m=c&n=[HOSTNAME]_ | Sample | pcap | Library Ssheet |
4/28/2013 | APT | MiniASP | GET | /device_<decoded ID string>asp?device_t=<random 10 digits>&key=<random 8 lowercaseletters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters> | Sample | pcap | Library Ssheet |
4/28/2013 | APT | MiniASP | GET | /record.asp?device_t=<random10digits>&key=<random8lowercaseletters>&device_id=<decodedIDstring>&cv=<random17lowercaseletters>&result=<URLencodedresultdata> | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Miniduke | POST | /index.php | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Mirage | POST | /resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Mirage - later var | GET | /search?hl=en&q=(RemovedBase64string)&meta=acbazuxmhecthlegrepunkkdmpweqtg | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Mongal | GET | /3010850A0000F0FD0F00323137443744324536313634333833380044454C4C58540000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000007014C61757261000000000000000000000000000000000000000000000000000000000000000000000000 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Murcy | GET | /150828 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX <very long string> UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Netravler | GET | /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT&hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQaCicYTaZR6RDKbDYWCpKKBhM88YjIajKXLfKOEmQ0nIxm86m46D0YVg::end /nt2012/asp/nettraveler.asp?hostid=411CD510&hostname=mikepc&hostip=10.12.0.23&filename=travlerbackinfo-2012-1- | Sample | pcap | Library Ssheet |
4/28/2013 | APT | NfLog | GET | /IElog/TestURL.aspHTTP/1.0 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | NfLog | POST | /NfLog/Nfile.asp | Sample | pcap | Library Ssheet |
4/28/2013 | APT | NTESSESS | GET | /6K8gL8.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | PNG trojan | GET | /index.htm | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Poison Ivy | GET | 256 bytes of seemingly random data after a successful TCP handshake, then 48 byte “keep-alive” requests | Sample | pcap | Library Ssheet |
4/28/2013 | APT | RedOctober AuthInfo | POST | http://%s:%s%s | Sample | pcap | Library Ssheet |
4/28/2013 | APT | RedOctober Sysinfo | POST | /cgi-bin/nt/sk | Sample | pcap | Library Ssheet |
4/28/2013 | APT | RegSubDat | POST | /5501000000/log | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Sanny / Win32.Daws | POST | /write.php | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Seasalt | GET | /postinfo.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Sofacy | POST | /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Sofacy | POST | /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Sykipot / Wyksol | GET | /kys_allowget.asp?namegetkys.kys | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Taidoor | GET | /apzsr.php?id=021793111D309GE67E | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Tarsip Eclipse | GET | /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Tarsip Moon | GET | /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif=qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Vinself | POST | /w880/T19R17Q16/12010L11014 | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-Bolid | GET | /firefox.html | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-Clover | GET | /Default.asp | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-CSON | GET | /Default.aspx?INDEX=<10_random_characters> | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-CSON Response to commands | POST | /Default.aspx?ID=IMNQRSSRXK | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-HEAD | GET | / | Sample | pcap | Library Ssheet |
4/28/2013 | APT | WEBC2-Table | GET | /order.htm | Sample | pcap | Library Ssheet |
4/28/2013 | APT | Xtreme Rat | GET | /1234567890.functions | Sample | pcap | Library Ssheet |
About contagio exchange
CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)