How does malware exfiltrate data using FTP?

Many infostealers have a hardcoded FTP server address, username, and password. After collecting sensitive data from the victim's machine, the malware initiates an FTP session and uses the STOR command to upload the stolen files (looting) to the attacker's drop server. This behavior maps to MITRE T1048.003.

Why is finding an unencrypted FTP password in malware traffic a good thing?

If the malware uses unencrypted FTP, security analysts can extract the attacker's credentials from the PCAP. This allows the incident response team to access the drop server, identify exactly what data was stolen, and potentially uncover other victims or attacker infrastructure.

What file formats can I upload?

We accept native .pcap and .pcapng packet-capture files only. Compressed archives (ZIP, RAR, 7-Zip, etc.) are not supported.

Is there an upload size limit?

Yes. Plan-based upload size limits apply.

How long do you retain my PCAP and the report?

Both the original file and its PDF report are stored for one hour and then permanently deleted.

What does the one-time payment include?

A single $9 payment covers one upload, full AI analysis, and a downloadable PDF report—no recurring fees.

Which plans let me upload multiple files?

Monthly and yearly subscription tiers include multiple uploads per cycle, as shown in the pricing table.

Do you provide an API for automated uploads?

Yes. Our REST API is available to Advanced subscribers. Generate an access key and integrate from CI, SIEM, or custom scripts.

In what format is the analysis delivered?

Results are provided as a professionally formatted PDF with network statistics, threat findings, and remediation advice.

What if I miss the 1-hour download window?

For security, both the capture and its report are erased after an hour. Re-upload the file to run a new analysis.

Do you collect any personal data from the files?

No. We cannot track user-identifiable information, and everything is auto-purged after processing.

What personal information is required for subscriptions?

Only the minimal billing details required by our payment processor (card, country, email) are collected.

How does your AI engine work?

Our engine blends deep-packet inspection with machine-learning to decode protocols, detect anomalies, extract credentials, and map threats to MITRE ATT&CK.

Can I upgrade or cancel my subscription at any time?

Yes. You can upgrade, downgrade, or cancel anytime from your dashboard; changes apply immediately or at the next billing cycle.

Do you store or display the passwords found in my PCAP?

No. Pcap AI operates on strict zero-trust principles. Any cleartext credentials or sensitive payloads detected during the analysis are immediately mathematically masked (e.g., [REDACTED]). Your PDF report will prove the exposure exists without ever printing the actual secrets, ensuring your compliance with SOC2 and GDPR.

How to Detect Malware Exfiltration and Recover Attacker Credentials

The Challenge: Blind Spots in Data Exfiltration

When an endpoint gets infected by an Infostealer (like AgentTesla), the malware aggregates saved browser passwords, cookies, and system data, then silently exfiltrates this "loot" to an external drop server. Because attackers sometimes use unencrypted, standard protocols like FTP to bypass basic firewall rules, spotting the exact moment data leaves the network is incredibly difficult.

Lost in the Noise

Standard network monitors might just see regular FTP traffic on port 21 and ignore it, missing the fact that corporate data is being actively looted.

Manual Forensics

Manually carving out the exact stolen files and finding the attacker's Command and Control (C2) IP in Wireshark takes hours during a critical incident.

The Solution: Automated Detection & The "Forensic Jackpot"

Pcap AI turns the attacker's sloppy OPSEC into your biggest advantage. Our engine instantly flags the unencrypted data transfer, maps the behavior, and automatically extracts the credentials the malware uses to log into its own drop server.

✦ MITRE T1048.003 (Exfiltration Over Unencrypted Protocol): Instantly detects abnormal outbound data transfers over FTP, proving exactly when and where the looting occurred.
✦ C2 Credential Recovery: Because the malware uses unencrypted FTP, Pcap AI extracts the attacker's hardcoded username and password (MITRE T1040), giving your Incident Response team the keys to the drop server.
✦ Enterprise-Grade Redaction: To maintain strict SOC2/GDPR compliance, all recovered plaintext passwords are mathematically masked (e.g., P********3) in the final PDF report. We prove the exposure without creating a new security risk.

Wireshark Manual Analysis vs. Pcap AI

Manual (Wireshark)

Filtering by ftp.request.command == "USER" or following TCP streams to manually piece together the exfiltration timeline.

Pcap AI

Automated mapping to MITRE ATT&CK and extraction of attacker IPs and masked passwords in less than 20 seconds.

Try it yourself with the original PCAP

The network traffic analyzed in this case study was sourced from the excellent community repository malware-traffic-analysis.net . You can download the exact .pcap file from their site to test our engine.

Upload PCAP to Test

AI Analysis Output (Sample)

AI Analysis Proof for How to Detect Malware Exfiltration and Recover Attacker Credentials

Download Full PDF Report See exactly what our AI discovers.