Detecting PureLogs traffic with CapLoader

Experts in network security monitoring and network forensics

Netresec

NETRESEC| Products| Training| Resources| Blog| About Netresec

NETRESEC » Blog

Erik Hjelmvik

,

Monday, 09 June 2025 14:26:00 (UTC/GMT)

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware.

The PureLogs protocol detection was added to CapLoader in the recent 2.0 release.

The PCAP file analyzed in the video is from Brad Duncan’s fantastic malware-traffic-analysis.net website.

Indicators of Compromize (IOC):

mxcnss.dns04.com:7702
176.65.144.169:7702

Posted by Erik Hjelmvik on Monday, 09 June 2025 14:26:00 (UTC/GMT)

Tags: #CapLoader #malware-traffic-analysis.net #PIPI

Short URL: https://netresec.com/?b=256a8c4

Recent Posts

» Detecting PureLogs traffic with CapLoader

» CapLoader 2.0 Released

» Comparison of tools that extract files from PCAP

» Decoding njRAT traffic with NetworkMiner

» How to Install NetworkMiner in Linux

» Online Network Forensics Training

» NetworkMiner 3.0 Released

» How to set PCAP as default save file format in Wireshark

Blog Archive

» 2025 Blog Posts

» 2024 Blog Posts

» 2023 Blog Posts

» 2022 Blog Posts

» 2021 Blog Posts

» 2020 Blog Posts

» 2019 Blog Posts

» 2018 Blog Posts

» 2017 Blog Posts

» 2016 Blog Posts

» 2015 Blog Posts

» 2014 Blog Posts

» 2013 Blog Posts

» 2012 Blog Posts

» 2011 Blog Posts

List all blog posts

Video blog posts

News Feeds

𝕏: @netresec

Bluesky

Bluesky: @netresec.com

Mastodon

Mastodon: @netresec@infosec.exchange

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 | Contact | Privacy | Mastodon | Bluesky | 𝕏 | RSS