ADDED | TYPE | FAMILY | METHOD | URI | SAMPLE | PCAP | UA + MORE INFO |
---|---|---|---|---|---|---|---|
2/8/2015 | APT | DarkKomet | | 8EA4AB05FA7E D573BA5A4EFFC3FB629308 will vary - encrypted keep alive or other data | Sample | pcap | LibrarySsheet |
2/8/2015 | APT | PlugX / Korplug / Gulpix | POST | /update?id= | Sample Sample2 | pcap | LibrarySsheet |
2/7/2015 | APT | Windata | | XYZ/WinData.DLL?HELO-STX-1*10.0.0.15*RemotePC*[MAC:00-55-28-11-21-23 XYZ/WinData.DLL?HELO-STX-1*1[IPAddress]*[ComputerName]*0605[MAC:[MacAddress]]$ | Sample | | LibrarySsheet |
2/4/2015 | APT | Pingbed | GET | /default.htm /default1.htm /default2.htm | Sample | pcap | LibrarySsheet |
2/4/2015 | APT | Minaps backdoor | GET / POST | /download/device_ad.asp?device_t=8054693706&key=ptvcrcqz&device_id=ad&cv=ptvcrcqzlyepaudko /download/logo.png /download/record.asp?device_t=2415079444&key=vgrnuebv&device_id=ad&cv=vgrnuebvhauzshyue&result=%0D%0ATime%3A%09Fri%20Apr%2025%2013%3A09%3A12%202014%0AAgent%3A%09Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Win32%3B%20Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600))%0D%0Aid%20error%21%0D%0Ano%20command%0D%0Arun%20http%3A%2F%2FAdobeFlash.info.tm%2Fdownload%2Flogo.png%20setup.exe%09%0D%0ANext%3AFri%20Apr%2025%2014%3A09%3A14%202014%0Adelay%3A3600%20sec%0D%0A%0D%0A POST /download/device_input.asp?device_t=2437266266&key=zqlameug&device_id=ad&cv=zqlameugaocrxjeqi | Sample | | LibrarySsheet |
2/3/2015 | APT | njRAT / Backdoor.LV | | lv\|'\|'\|TndfQzQyNjRFQkI=\|'\|'\|VICTIM\|'\|'\|Examiner\|'\|'\|2013-06-21\|'\|'\|USA\|'\|'\|WinXPProfessionalSP2... 171.ll\|'\|'\|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE\|'\|'\|SENTA\|'\|'\|sentai55\|'\|'\|15-01-29\|'\|'\|\|'\|'\|Win8.1SP0x64\|'\|'\|Yes\|'\|'\|0.7d\|'\|'\|..\|'\|'\|\|'\|'\|b88ece4c04f706c9717bbe6fbda49ed2,132.inf\|'\|'\|Li4uLi4uLk5FVy4uL[truncated] 251.ll\|'\|'\|Li4uLi4uLk5FVy4uLi4uLi4uX0FFNTJDMzdE\|'\|'\|SENTA\|'\|'\|sentai55\|'\|'\|15-01-29\|'\|'\|\|'\|'\|Win8.1SP0x64\|'\|'\|Yes\|'\|'\|0.7d\|'\|'\|..\|'\|'\|QnVyd2VsbCB2LiBIb2JieSBMb2JieSBBYnJpZGdlZCBbQ29tcGF0aWJpbGl0eSBNb2RlXSAtIFdvcmQA\|'\|'\|b88ece4c04f706c9717bbe6fbda49ed2, lv\|'\|'\|VHJvamFuX0M0NkY2RTk=\|'\|'\|MARK\|'\|'\|user\|'\|'\|2013-11-22\|'\|'\|\|'\|'\|WinXP\|'\|'\|No\|'\|'\|0.6.4\|'\|'\|..\|'\|'\|\|'\|'\|[endof] | Sample | | LibrarySsheet |
2/3/2015 | APT | Protux worm | POST | http://ruthless.hobby-site.com:80/PHqgHumeay5705.mp3 http://202.71.136.14:80/ggBwkFNqDu1869.avi /newTroy.jpg /http://Microsoft.dumb1.com:80/PHqgHumeay5705.mp3 | Sample Sample2 | pcap | LibrarySsheet |
2/3/2015 | APT | Wykcores | GET | 279843 /279859 /280015 /287171 /315171 /110937 /111968 /113000 /114031 /115062 | Sample | | LibrarySsheet |
2/2/2015 | APT | TinyBaron / Miniduke / CosmicDuke | GET | modules/db/mgr.php? /modules/db/mgr.php?F=3? | Sample | | LibrarySsheet |
2/1/2015 | APT | Cobra / Turla | POST | /%s/%s? uid=%d&context=%s&mode=text&data=%s | Sample | | LibrarySsheet |
2/1/2015 | APT | Panda | POST | /forum/login.cgi | Sample | pcap | LibrarySsheet |
2/1/2015 | APT | Panda | POST | /Photos/Query.cgi?loginid= | Sample | pcap | LibrarySsheet |
2/1/2015 | APT | Aided Frame | GET | /img/js.php | Sample | pcap | LibrarySsheet |
2/1/2015 | APT | Scanbox Watering hole framework | POST | /i/recv.php | Sample | pcap | LibrarySsheet |
2/1/2015 | APT | Syria Twitter.apk | POST | /contacts | Sample | pcap | LibrarySsheet |
1/22/2015 | APT | Gholee / Rocket Kitten | GET / POST | /index.php?c=Ud7atknq&r=17117d /index.php?c=Ud7atknq&r=1710b2 | Sample | pcap | LibrarySsheet |
1/22/2015 | APT | Lagulon (Operation Cleaver) | POST | /contador/server.php /i/server.php /includes/server.php | Sample | pcap | LibrarySsheet |
1/22/2015 | APT / CRIME | Scieron / Httneilc / HTClient | | packet data 0000 16 03 01 00 41 01 00 00 3d 03 01 54 c1 2a fa 82 0010 a5 0b 00 4c 7b 26 c9 33 81 bd 63 34 08 ab b3 38 0020 3a de 83 db b1 9c 95 02 3e c3 34 00 00 16 00 04 0030 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13 0040 00 12 00 63 01 00 | Sample | pcap | LibrarySsheet |
1/22/2015 | APT? | Medusa | POST | %s/bbc_mirror/%s/search?id=%s /CNN_Mirror/EN/%s/search?id=%s \|00\|U\|00\|n\|00\|d\|00\|e\|00\|r\|00 20 00\|C\|00\|o\|00\|n\|00\|s\|00\|t\|00\|r\|00\|u\|00\|c\|00\|t\|00\|i\|00\|o\|00\|n\|00 | Sample | pcap | LibrarySsheet |
9/9/2013 | APT | Vidgrab | POST | (172.16.253.130)\|1067\|WinXP\|D\|L\|No\| 0..0....1..52..\|No\|V2010-v24\|2184\|0\|3111947\|0\|1\|. | Sample | pcap | LibrarySsheet |
9/8/2013 | APT | Page / stscout / Elise / lStudio / Wumins | GET | /29af9cdc/page_12082223.html | Sample | pcap | LibrarySsheet |
9/8/2013 | APT | Darkcomet | GET | /a.php?id=c2ViYWxpQGxpYmVyby5pdA== | Sample | pcap | LibrarySsheet |
8/9/2013 | APT (IN) | Hanove / Tourist | POST | /kamp.php | Sample | pcap | LibrarySsheet |
8/7/2013 | APT | Surtr 2nd Stage DL | | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | Sample | pcap | LibrarySsheet |
8/7/2013 | APT | Surtr 2nd Stage DL | | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | Sample | pcap | LibrarySsheet |
8/7/2013 | APT | Surtr Initial GET | | 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ | Sample | pcap | LibrarySsheet |
7/15/2013 | APT | Taleret | GET | / | Sample | pcap | LibrarySsheet |
7/15/2013 | APT | Taleret | GET | /jw!Dyz0_2mTExQ0xbBnlp.RZcXoHmU- | Sample | pcap | LibrarySsheet |
5/23/2013 | APT | Hangover Smackdown Minapro | GET | /flaws/snwd.php?tp=1&tg=[ID]&tv=Error[]&ts=[PLATFORM]&mt=[account]&tr=[NoFiles]&Y1Y5F2 | Sample | pcap | LibrarySsheet |
5/15/2013 | APT | Mediana Proxy | GET | /index.htm?n763t4OPmrs6fXq7fXp7uj16e-r&Length=0 | Sample | pcap | LibrarySsheet |
5/14/2013 | APT | Hupigon / Graybird | | ........................................;...WindowsXP5.1(2600.ServicePack3)................................................................$...DELLXT...................................................................................................................4s.love.......HACK.. | Sample | pcap | LibrarySsheet |
5/14/2013 | APT | Variant Letsgo / TabMsgSQL downloader (comment crew) | GET | /index.htm | Sample | pcap | LibrarySsheet |
5/14/2013 | APT | Tapaoux | GET | /ol/yahoo/banner4.php?jpg=../yahoo | Sample | pcap | LibrarySsheet |
5/12/2013 | APT | Gh0st | | Gh0st....d...x.Kc``....@....\..L@:8..,39U!1 | Sample | pcap | LibrarySsheet |
5/12/2013 | APT | IXESHE | GET | /AWS96.jsp?baQMyZrdI5Rojs9Khs9fhnjwj/8mIOm9jOKyjnxKjQJAx_bigfix_client_string:baQMyZrdqDAA | Sample | pcap | LibrarySsheet |
5/8/2013 | APT2 | KoreanBanker DL | GET | /web/down/kbs.exe | Sample | pcap | LibrarySsheet |
5/5/2013 | APT | Plugx | | SSL - see http://4.bp.blogspot.com/-m2u0QTwirDk/UYO46Pm7OOI/AAAAAAAAAFw/SG_eKhd1-Nw/s640/Untitled.png | Sample | pcap | LibrarySsheet |
5/5/2013 | APT | RssFeeder (moved from TBD tab, common name still unknown) 2nd stage | POST | /orange/news.php | Sample | pcap | LibrarySsheet |
5/5/2013 | APT | RssFeeder (moved from TBD tab, common name still unknown) initial GET | POST | /data/rss | Sample | pcap | LibrarySsheet |
5/5/2013 | APT | Swami | GET | /im/linux.php | Sample | pcap | LibrarySsheet |
5/1/2013 | APT | Comfoo / Vinself / Mspub | POST | /BmYBcnhwJxwk/VTlaMWlnYEw12511/18688/12AzAONjkCYw/UD1aND43a0xiWQ161/ | Sample | pcap | LibrarySsheet |
5/1/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f72b8 | Sample | pcap | LibrarySsheet |
5/1/2013 | APT2 | Disttrack / Shamoon | GET | /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | 9002 | POST | 9002..................wx....9002..................wx....9002....................... | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | MSWab /Yayih | POST | /bbs/info.asp | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | 9002 | POST | /2d | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | GET | /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | GET | /search?qu= | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | GET | /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | GET | /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | POST | /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Favorites | POST | /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Gh0st | GET | /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] | Sample | pcap | LibrarySsheet |
4/30/2013 | APT | Gh0st var | GET | /h.gif?pid=113&v=130586214568HTTP/1.1 | Sample | pcap | LibrarySsheet |
4/29/2013 | APT | Glasses | GET | /ewpindex.htm | Sample | pcap | LibrarySsheet |
4/29/2013 | APT | IEXPLORE Rat / C0D0S0 /Briba / Cimuz / SharkyRAT | POST | /index000000001.asp | Sample | pcap | LibrarySsheet |
4/29/2013 | APT | LURK | GET | LURK0........x.kf.e.apgpbpa0c..#........ | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | DNSWatch / Protux | GET | /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | DNSWatch / Protux | GET | /news.jpg | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | DNSWatch / Protux | POST | /PHqgHumeay5705.mp3 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | APT1 WEBC2_RAVE | GET | /comp/sem/resources.htm | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | backdoor ? | GET | /18110123/page_32262308.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Banechant 1 | GET | /IGKKT | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Banechant payload dl 2 | GET | /adserv/logo.jpg HTTP /1.1 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Beebus | GET | /windosdate/v6/default.aspx?ln=en-us | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmIa_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Beebus C2 checkin | GET | /s/asp?XAAAAM4w5jmOS_kMZlr67o8jettxsYA8dZgeNAHes-Nn5p-6AFUD6yncpz5AL6wAAA==p=1 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Beebus data send | POST | /s/asp?__uLBwO1bAMKBgG2BQAAAAEAAAACAAAAAAAAAG9zYW11AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVwBJAE4ARABPAFcAUwBNAEEAQQBOAEUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==p=2 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /1799.asp | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /3961.html Cookie:Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT0zOTU0O2hvc3RuYW1lPXZpY3RpbTs= | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /8223.asp (also can be like /2007.asp,/2013.asp etc | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Cookies /Cookiebag / Dalbot | GET | /indexs.zip | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Coswid | GET | /old/google.png | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | CVE-2012-0754 SWF in DOC | GET | /test.mp4 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | CVE-2012-0779 | GET | /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Depyot | GET | /new/3d/d/pdf.php?id=2 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=000f6b50 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?id=3109c2a2 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Destory Rat / Sogu / Thoper | POST | /update?product=windows | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Downloader BMP | GET | /images/evil.bmp | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Einstein | GET | /gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Einstein data send | POST | /gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Enfal / Lurid | GET | /oi2c/wlc3/ [redacted]:00-00-00-00-00-00/ij83d | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Enfal / Lurid | GET | /trandocs/nm/.[redacted] :00-00-00-00-00-00lCrrrwhite | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Enfal / Lurid | POST | /cgi-bin/CMS_SubitAll.cgi | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Enfal / Lurid | POST | /cgl-bin/Owpq4.cgi | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Enfal / Lurid | POST | /Sjwpc/odw3ux | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Foxy | POST | /404error.asp | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Foxy Checkin | GET | /images/leftnav_prog_bg.jpg | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Gh0st ASP ver | GET | /1/v2/1oginv2.asp?hi2wsdf351&x.’..[xf)..<.3XqHr....)IL{..&y192.168.0.69 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Gh0st PHP ver | GET | /ld/queenfun/vl/login.php?cd2hpdGU&uU11TVEV&s&pMTkyLjE2OC4wljYS&hi2wsdf35l | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Gh0st v2000 var | n | v2010........f...............(......ServicePack2..?..\|...\|...\|0.@.. | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | GoogleAdC2 | GET | /html/lost.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | GoogleAdC2 2nd stage | GET | /Trojan2.jpg | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Googles | GET | /sll/monica.jpg | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Greencat | GET | /<HOSTNAME>/ | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Gtalk | GET | /facebook.png | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | IXESHE | GET | /AWS26329.jsp?UrFvwIJIOKTRyfxR9KNRqhg8lcPr/CGjUwP8yJUs7RjH7OinJ/85cgrqiP8jKGjpqgb/wTrO7OIjhxoHcGaFaURqK/aHophHLd23K=NHk=a9oQhvDQaLky8qo/RnJz42A | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | IXESHE AES | GET | /AES210001129016878.jsp?UrFwUIO3h7ofgwQInYPRbkQaHVM9Bih7kZ9rO+pKUrbklllsgfOk=+LLQhpkZ9LOhGbgqvJghHci7M | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /indexbak.asp?rands=IXLCGIXELZ&acc=&str=select%20id%20from%20tab_online%20where%20regcode%20=%20'IXLCGIXELZ' | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str=select%20top%201%20%20from%20tab_message%20where%20toid%20=%20'198'%20order%20by%20id%20asc | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Letsgo / TabMsgSQL | GET | /safe/1.asp?rands=XJOTLVALQF&acc=vy&str=insert%20into%20tab_online%20(mode,clientname,clientip,accessip,onlinetime,lasttime,regcode)%20values%20('0','victim','192.168.1.12','145.42.112.19','2011-06-08%2013:45:54','2011-06-08%2013:45:54','NMQVPTXFBH') | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Letsgo / TabMsgSQL downloader | GET | /new/iistart.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Likseput | GET | /index.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Lingbo (?) | POST | /windowsupdatev7/search%3Fhl%3cWABQAFMAUAAzACOAUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4AM>QAxADYA%26meta%3DMDAwMGhIÆÑuMDk%3D%26id%3Dlfdxfircvscxggb | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Luckycat - WIMMIE | POST | /count/count.php?m=c&n=[HOSTNAME]_ | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | MiniASP | GET | /device_<decoded ID string>asp?device_t=<random 10 digits>&key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters> | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | MiniASP | GET | /record.asp?device_t=<random 10 digits>&key=<random 8 lowercase letters>&device_id=<decoded ID string>&cv=<random 17 lowercase letters>&result=<URL encoded result data> | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Miniduke | POST | /index.php | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Mirage | POST | /resuIt?hl=en&meta=mdlyorvkildpiicqqownoatgvow | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Mirage - later var | GET | /search?hl=en&q=(RemovedBase64string)&meta=acbazuxmhecthlegrepunkkdmpweqtg | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Mongal | GET | /3010850A0000F0FD0F00323137443744324536313634333833380044454C4C58540000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000007014C61757261000000000000000000000000000000000000000000000000000000000000000000000000 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Murcy | GET | /150828 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?action=getcmd&hostid=E81B9088&hostname=DellXT | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Netravler | GET | /fly/2013/2011/nettraveler.asp?hostid=E81B9088&hostname= DellXT&hostip=172.16.253.130&filename=travlerbackinfo-2013-1-14-0-29.dll&filestart=0&filetext=begin::tCvUBC2vGMy3Gu300GKz1EXQa CuRHQgIhFJhMLBUmNNhrtTsN9yhTLJTKhFJs4STgtWw1lvSDEbjIX <very long string> UjfNI0fBFg3GI2GWcB8EVKIPlGwrkknFPSsHigx-LIIiZKrqD0pqgt | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Netravler | GET | /nt2011/zy/nettraveler.asp?hostid=E81B9088&hostname=DellXT&hostip=172.16.253.130&filename=FileList-1006-233757.ini&filestart=0&filetext=begin::OgA1AC2QzebTgdToZTkXQaCicYTaZR6RDKbDYWCpKKBhM88YjIajKXLfKOEmQ0nIxm86m46D0YVg::end /nt2012/asp/nettraveler.asp?hostid=411CD510&hostname=mikepc&hostip=10.12.0.23&filename=travlerbackinfo-2012-1- | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | NfLog | GET | /IElog/TestURL.aspHTTP/1.0 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | NfLog | POST | /NfLog/Nfile.asp | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | NTESSESS | GET | /6K8gL8.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | PNG trojan | GET | /index.htm | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Poison Ivy | GET | 256 bytes of seemingly random data after a successful TCP handshake, then 48 byte "keep-alive" requests | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | RedOctober AuthInfo | POST | http://%s:%s%s | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | RedOctober Sysinfo | POST | /cgi-bin/nt/sk | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | RegSubDat | POST | /5501000000/log | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Sanny / Win32.Daws | POST | /write.php | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Seasalt | GET | /postinfo.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Sofacy | POST | /~wong/cgi-bin/brvc.cgi?DELLXT88901be8-05_01 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Sofacy | POST | /~bars/cgi-bin/qfa.cgi?20120311_06:44:06.bin.FFFFFFFFFS | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Sykipot / Wyksol | GET | /kys_allowget.asp?namegetkys.kys | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Taidoor | GET | /apzsr.php?id=021793111D309GE67E | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Tarsip Eclipse | GET | /blg7_8newtpl/image/7/7_12/images/redir?di=130b51e7dc7&prd=bEFU&pver=131&j=1&ck=0 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Tarsip Moon | GET | /images/icons/2055?meth=gc&tid=2011506&cqe=3878658&inif=qKero9uLh4iCj4eIksvQ1ILS0IfAp6itNvX0dTI19DI19HWyNfU38Crp7St26ClvsiFiYvAqbW229PI18CuorWo29SF0d8=&syun=230 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Vinself | POST | /w880/T19R17Q16/12010L11014 | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-Bolid | GET | /firefox.html | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-Clover | GET | /Default.asp | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-CSON | GET | /Default.aspx?INDEX=<10_random_characters> | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-CSON Response to commands | POST | /Default.aspx?ID=IMNQRSSRXK | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-HEAD | GET | / | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | WEBC2-Table | GET | /order.htm | Sample | pcap | LibrarySsheet |
4/28/2013 | APT | Xtreme Rat | GET | /1234567890.functions | Sample | pcap | LibrarySsheet |