Index of /publicDatasets/CTU-Malware-Capture-Botnet-162-1

	Name	Last modified	Size	Description
	Parent Directory		-
	fast-flux-dga-first-analysis.txt	2017-01-13 22:08	3.8K
	bro/	2017-08-31 09:45	-
	README.md	2016-05-29 11:32	1.0K
	README.html	2017-01-13 22:08	1.3K
	2016-05-29_capture-win5.weblogng	2016-06-15 17:38	798
	2016-05-29_capture-win5.tcpdstat	2016-09-03 16:52	1.9K
	2016-05-29_capture-win5.rrd	2016-05-29 10:38	8.0M
	2016-05-29_capture-win5.pcap	2016-05-29 10:38	1.5M
	2016-05-29_capture-win5.passivedns	2016-05-29 10:49	2.5K
	2016-05-29_capture-win5.json	2016-05-29 11:37	147K
	2016-05-29_capture-win5.html	2016-05-29 11:37	422K
	2016-05-29_capture-win5.dnstop	2016-05-29 10:49	2.4K
	2016-05-29_capture-win5.capinfos	2016-05-29 10:49	762
	2016-05-29_capture-win5.binetflow	2016-05-29 11:10	442K
	2016-05-29_capture-win5.biargus	2016-05-29 11:10	1.0M
	8e45ab1536864c8a23591fffc0266e1dab1787845e75ba5f25e0383a9388ec36.exe.zip	2016-05-29 10:47	23K

Description

• Probable Name: Upatre
• MD5: b8fc436bab8c22cdfa2d4d137358ca93
• SHA1: fe545fd99a9f7b98483e57d3249706ede5e76d2d
  
• SHA256: 8e45ab1536864c8a23591fffc0266e1dab1787845e75ba5f25e0383a9388ec36
• Duration: 21.47hs

• Zip password: infected

• Infected IP address: 10.0.2.105

• VirusTotal
• HybridAnalysis

• RobotHash

Timeline

Sat May 28 13:09:48 CEST 2016

started win5

Sat May 28 13:12:23 CEST 2016

infected

The CC port is not open and the malware keeps connecting for a long time. Summary:

• The malware binary file is working
• The CC server is working.
• The support CC connections were still being looked for.

Sun May 29 10:38:11 CEST 2016

poweroff