Description
Probable Name: Trickbot
MD5: 2b48789d9272700de5405bf9a9c05204
SHA1: 0d7c3aba2f525060faa04ed7d93794e2c08983e4
SHA256: d44543259ac4c83e4f3a8ded001aff1cbe19a26269835d68754d9a48cc3a31be
Password of zip file: infected
Duration: 34 days 19:11:46.
Proxy Usage: This capture did use an intermediate proxy.
VirusTotal
HybridAnalysis
RobotHash
![](https://robohash.org/2b48789d9272700de5405bf9a9c05204)
Files
- .capinfos
- .dnstop
- mitm.out
- Mitm proxy interception file of http and https
- .mitm.weblog
- This is the HTTP and HTTPS web log that includes Labels. This is the preferred file for web analysis.
- This file includes a header with the columns names. There are two new columns defined by us:
- Column id: This number is unique for all the weblogs generated inside the same TCP connection. When a TCP connection is opened and several GET/POST, etc., requests are made inside it, all of them are assigned the same Id in this file.
- Column timestamp_end: This is the timestamp when the weblog ended. If you use this with the id column you can compute the total duration of the TCP connection that generated all the weblogs. Similar to the duration of a hypothetical CONNECT request if this would have been done using a proxy.
- .passivedns
- .pcap
- .rrd
- .weblogng
- WEB log of http traffic only. Generated with justsniffer
- .exe.zip
- bro
- Folder with all the bro output files
- .biargus
- Argus binary file. Bidirectional flows, 3600s of report time.
- .binetflow
- Argus text file with bidirectional flows. Report time 3600 secs.
- .uniargus
- Argus binary file. Unidirectional flows, 5s of report time.
- .uninetflow
- Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.
IP Addresses
- Infected host: 192.168.113
- Default GW: 192.168.1.2
This MAC 08:00:27:11:4e:fa belongs the ips: - 192.168.1.113 - fd2d:ab8c:225:0:ac13:6a8c:41cc:1f02 - fd2d:ab8c:225:0:a592:be17:3cd:bad - fd2d:ab8c:225:0:e892:3cb9:ebe2:60b5 - fd2d:ab8c:225:0:d815:735f:8357:3769
The same MAC is used for other ips Move to another capture the ips - 192.168.1.130 - fd2d:ab8c:225:0:1d3:35e9:7d97:2325 - fd2d:ab8c:225:0:50fe:fa0b:79ca:ceb0 - fd2d:ab8c:225:0:10f4:64e2:5483:1856
Timeline
Tue Feb 20 22:46:56 CET 2018
started win3
Tue Feb 20 23:16:56 CET 2018
Date of last Last packet in tcpdump before infection (1970/01/01 01:29:44.934543)
infected
Tue Mar 27 18:58:44 CEST 2018
power off
Disclaimer
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflows files. Any question feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org
Suricata run with rules updated on 2022-07-14