SHA256: 34d8dc64e8e425b5a78799ee124f43c8b4045f611e5187d8266abda6dfb50e45
RobotHash
In order to better analyze this mixed capture, we also executed the malware alone, without any user interaction. The capture can be found here.
Started Windows normally
Started Google Chrome
Started Skype
Searched for "more stuff" on Google
Entered www.huffingpost.com
Infected
First packet after infection (not necessarily an infected packet): 1970-01-01 02:22:39.378395 IP 10.0.2.200.61691 > 8.8.8.8.53: 23144+ A? clients2.google.com. (37)
Searched for "is it infected" on Google
Entered www.advancedtissue.com normally
Searched for "my bank" on Google
Entered www.mybank.eu normally
Entered www.mybank2u.com normally
Interacted with www.mybank2u.com: clicked on links, asked for loans, downloaded PDFs
Stopped interacting with the web pages, but I didn't close any
Powered off the VM
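The timeline above is what makes a mixed capture usable: the "first packet after infection" timestamp splits the traffic into a pre-infection and a post-infection part, with the caveat that the split is positional, not a verdict on any single packet. As an added example (not part of the capture notes or of any dataset tooling), the Python script below parses tcpdump-style text lines such as the one quoted above, tags each packet with its phase relative to that marker, and groups the DNS query names seen in each phase. Apart from the one line copied from the notes, the sample packet lines are constructed, and the tcpdump summary format they follow (tcpdump -tttt -n output) is an assumption of the example.

```python
import re
from datetime import datetime

# Timestamp of the first packet after infection, copied from the capture notes above.
INFECTION_TS = "1970-01-01 02:22:39.378395"
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Matches tcpdump text output with absolute timestamps (assumed: tcpdump -tttt -n), e.g.
# "1970-01-01 02:22:39.378395 IP 10.0.2.200.61691 > 8.8.8.8.53: 23144+ A? clients2.google.com. (37)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Pulls the query type and name out of a DNS request summary such as "23144+ A? clients2.google.com."
DNS_QUERY_RE = re.compile(r"\b(?P<qtype>A|AAAA|CNAME|MX|TXT|PTR)\? (?P<qname>\S+)")

# Constructed sample: two lines before the infection marker, the marker line itself
# (the only one taken from the notes above), and two lines after it.
SAMPLE_LINES = [
    "1970-01-01 02:20:11.001234 IP 10.0.2.200.61680 > 8.8.8.8.53: 1001+ A? www.google.com. (32)",
    "1970-01-01 02:21:05.554321 IP 10.0.2.200.49211 > 172.217.0.46.443: Flags [S], seq 1, win 8192, length 0",
    "1970-01-01 02:22:39.378395 IP 10.0.2.200.61691 > 8.8.8.8.53: 23144+ A? clients2.google.com. (37)",
    "1970-01-01 02:22:40.100000 IP 10.0.2.200.61692 > 8.8.8.8.53: 23145+ A? www.advancedtissue.com. (40)",
    "1970-01-01 02:23:02.250000 IP 10.0.2.200.49220 > 93.184.216.34.80: Flags [P.], seq 1:80, ack 1, win 64240, length 79",
]


def parse_line(line):
    """Parse one tcpdump text line into a dict, or return None if it is not an IP packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["time"] = datetime.strptime(pkt["ts"], TS_FORMAT)
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    # Only look for a query name when the packet is headed to a DNS server port.
    q = DNS_QUERY_RE.search(pkt["rest"]) if pkt["dport"] == 53 else None
    pkt["dns_query"] = q.group("qname") if q else None
    return pkt


def label_packets(lines, infection_ts=INFECTION_TS):
    """Tag each packet with its phase relative to the infection timestamp.

    Packets at or after the marker are 'post-infection'. This is a position on the
    timeline, not a claim that the packet is malicious: the first post-infection
    packet in the notes is an ordinary DNS lookup for clients2.google.com.
    """
    marker = datetime.strptime(infection_ts, TS_FORMAT)
    labelled = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # skip non-IP lines (ARP, truncated output, etc.)
        pkt["phase"] = "post-infection" if pkt["time"] >= marker else "pre-infection"
        labelled.append(pkt)
    return labelled


def dns_queries_by_phase(lines, infection_ts=INFECTION_TS):
    """Group DNS query names by phase, a quick way to list domains first seen after infection."""
    out = {"pre-infection": [], "post-infection": []}
    for pkt in label_packets(lines, infection_ts):
        if pkt["dns_query"]:
            out[pkt["phase"]].append(pkt["dns_query"])
    return out


if __name__ == "__main__":
    for pkt in label_packets(SAMPLE_LINES):
        print(pkt["phase"], pkt["ts"], pkt["src"], "->", pkt["dst"], pkt["dns_query"] or "")
    print(dns_queries_by_phase(SAMPLE_LINES))
```

Feed it the output of tcpdump -tttt -n -r capture.pcap on the real file to get the same split over the whole capture; domains that only appear in the post-infection list are candidates for closer inspection, but the user actions in the timeline (the bank sites, advancedtissue.com) will also show up there and must be set aside by hand.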