EITest Leads to RIG-v EK at Ursnif Variant Dreambot.


  • – www[.]caltech[.]fr – Compromised website
  • – GET /images/[removed]/KTDEi/.avi – CnC traffic
  • – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
  • – curlmyip.net – External IP lookup

Post-Infection DNS Queries:

  • resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
  • curlmyip.net
  • myip.opendns.com
  • nod32s.com




SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0
File name: RIG-v EK Flash Expoit.swf

SHA256: 2bfe062e8fb089f22d8dbe33184174098e87ba0b7ecc36e3db1290a5896d00c0
File name: QTTYUADAF

SHA256: c845c57e8fe49ae9fa7413cd51d7fdba563e5aeb422d01f4f1d473ca7dcb0a56
File name: radE86B9.tmp.exe
Hybrid-Analysis Report

SHA256: a8f7a0471f65cfad7031d77bf131532fa8d930e9eea86c23584771251d0b51d5
File name: t64.dll

Infection Chain:

Shout-out to @kkrnt who told me about the compromised website. Here is an image of the compromised website:


Loading the website in my browser and inspecting the TCP stream between my host and the web server showed that the EITest script had been injected into the web page. Below is the EITest script returned by the web server:


The URL within the script redirected my host to the RIG-v EK pre-landing page. The host was then redirected to the landing page after which we see the Flash exploit followed by the malware payload.

We see cmd.exe create QTTYUADAF in %Temp% and execute it. The script causes the host to make a GET request for the malware payload. The malware payload (radE86B9.tmp.exe) is dropped and executed in %Temp%:


The file is also copied to [User]AppDataRoamingcatskend:


docpDump (1).exe is the copy. After an hour it grew in size by 225KB.

There is a registry entry created for persistence:


The bot checks-in with the CnC server via[removed]/KTDEi/.avi.

We then see the GET request for the Tor client, which is currently being hosted at The most current resolution for is static. The name servers include:

Name Servers

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

When the Tor cleint is retrieved from we see the bot create a registry entry in HKCU\SoftwareAppDataLowSoftwareMicrosoft [random guid]:


This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was FFDA.bin.

We also see the creation of cached-microdescs, which is used by the Tor client:


For a more detailed dive into Dreambot: https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

As always I recommend blocking the RIG EK IP address as well as the CnC servers. Until next time!

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: