Stratosphere Malware Capture 209-1

Http Referer Graph

Graph of http domains and their referers taken from the bro http log. An arrow means that the first domain was refered by the second domain.

Description

• Probable Name: PUA AdToolbar
• MD5: e016c24380e135866d83dab1de24ef4d
• SHA1: b0a5cfcf073b99a425a4e72c79d521ab1742c831
• SHA256: f3669f7c5ee635b4ae6b087b4655ba95b7a2e5360c495f1f34818571a9bc4e2c
• Password of zip file: infected

• Duration: 18 days 18:05:04

• VirusTotal
• HybridAnalysis

• RobotHash

Files

• .capinfos
  • Capinfos file
• .dnstop
  • DNS top file
• .mitm
  • Mitm proxy interception file of http and https
• .passivedns
  • Passive DNS file
• .pcap
  • Original pcap file
• .rrd
  • RRD file for graphs
• .weblogng
  • WEB log of http traffic
• .exe.zip
  • Original malware file
• bro
  • Folder with all the bro output files
• .biargus
  • Argus binary file. Bidirectional flows, 3600s of report time.
• .binetflow
  • Argus text file with bidirectional flows. Report time 3600 secs.
• .uniargus
  • Argus binary file. Unidirectional flows, 5s of report time.
• .uninetflow
  • Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.

IP Addresses

- Infected host: 192.168.1.123
- Default GW: 192.168.1.2

Timeline

Nov 16 15:52:27 CET 2016

started win13

Wed Nov 16 15:54:15 CET 2016

infected

Mon Dec 5 09:57:31 CET 2016

power off