EITest Leads to RIG EK and Drops Dreambot



Network Activity:

  • thelifestyle.guru – Compromised website
  • free.fabuloussatchi.com – RIG EK
  • GET /images/[removed]/.avi – CnC beacon
  • GET /tor/t64.dll – Tor module
    • The User-Agent string used during the callback is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64), which identifies the client as IE 8 on 64-bit Windows 7. On its own this is a legitimate browser string, so it only adds confidence alongside the URI patterns above.
  • curlmyip.net – Used to identify the host's external IP address
  • DNS queries to:
    • resolver1.opendns.com
    • nod32s.com
    • myip.opendns.com (resolving this name through resolver1.opendns.com is a second way the bot learns its external IP)
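The hostnames and URI patterns above are enough to triage proxy logs for this chain. The following is an added example (not code from the post): it parses a constructed tab-separated proxy log (timestamp, client, method, host, path, status, user-agent, a format assumed for the example), matches each record against the post's indicators, and reports per client how far along the chain it got. The CnC host name, the RIG landing query string and the sample records are placeholders; the post's IP addresses are not reproduced on the page, so nothing matches on IP.

```python
import re
from collections import defaultdict

# Network indicators from the post. No IP addresses are used because the
# page does not reproduce them; matching is on hostnames and URI patterns.
HOST_IOCS = {
    "thelifestyle.guru": ("exposure", "compromised website carrying the EITest script"),
    "free.fabuloussatchi.com": ("exploit", "RIG EK landing page"),
    "curlmyip.net": ("post-infection", "external IP lookup (seen after infection; weak on its own)"),
}
URI_IOCS = [
    (re.compile(r"^/images/.+/\.avi$"), ("post-infection", "Dreambot CnC beacon")),
    (re.compile(r"^/tor/t64\.dll$"), ("post-infection", "Tor module download")),
]
# Callback User-Agent from the post. It is the normal IE 8 / Windows 7 x64
# string, so it only strengthens a URI hit and never counts as a hit by itself.
CALLBACK_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"

STAGE_RANK = {"exposure": 1, "exploit": 2, "post-infection": 3}

# Assumed (constructed) proxy-log layout: tab-separated fields in this order.
FIELDS = ("ts", "client", "method", "host", "path", "status", "ua")

def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def match_record(rec):
    """Return (stage, reason) when the record matches an indicator, else None."""
    if rec["host"] in HOST_IOCS:
        return HOST_IOCS[rec["host"]]
    for pattern, (stage, reason) in URI_IOCS:
        if pattern.match(rec["path"]):
            if rec["ua"] == CALLBACK_UA:
                reason += "; User-Agent matches the callback UA"
            return stage, reason
    return None

def triage(lines):
    """Group hits per client and keep the furthest chain stage observed."""
    clients = defaultdict(lambda: {"stage": None, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = match_record(rec)
        if hit is None:
            continue
        stage, reason = hit
        entry = clients[rec["client"]]
        entry["hits"].append((rec["ts"], rec["host"] + rec["path"], reason))
        if entry["stage"] is None or STAGE_RANK[stage] > STAGE_RANK[entry["stage"]]:
            entry["stage"] = stage
    return dict(clients)

# Constructed sample traffic mirroring the chain in the post. The CnC host
# and the landing-page query string are placeholders, not values from the post.
_IE8 = CALLBACK_UA
_FF = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2017-03-10T12:00:01", "10.0.0.5", "GET", "thelifestyle.guru", "/", "200", _IE8),
    ("2017-03-10T12:00:03", "10.0.0.5", "GET", "free.fabuloussatchi.com", "/?constructed=landing", "200", _IE8),
    ("2017-03-10T12:00:09", "10.0.0.5", "GET", "cnc.example.invalid", "/images/aB3/xYz/.avi", "200", _IE8),
    ("2017-03-10T12:00:15", "10.0.0.5", "GET", "cnc.example.invalid", "/tor/t64.dll", "200", _IE8),
    ("2017-03-10T12:00:20", "10.0.0.5", "GET", "curlmyip.net", "/", "200", _IE8),
    ("2017-03-10T12:01:00", "10.0.0.7", "GET", "www.example.com", "/index.html", "200", _IE8),
    ("2017-03-10T12:02:00", "10.0.0.9", "GET", "thelifestyle.guru", "/", "200", _FF),
])

if __name__ == "__main__":
    for client, entry in triage(SAMPLE_LOG.splitlines()).items():
        print(client, entry["stage"])
        for ts, url, reason in entry["hits"]:
            print("   ", ts, url, "->", reason)
```

The staging matters for response: a client that only reached the compromised site (10.0.0.9 in the sample) was exposed but not necessarily exploited, while a client with a beacon or the t64.dll fetch is infected regardless of what the landing page looked like. The client that only sends the IE 8 User-Agent (10.0.0.7) is never flagged, which is the point of not treating the UA as an indicator on its own.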

File System:

  • The downloader is dropped and executed in %TEMP%
  • The payload is dropped and executed in %TEMP%
  • The malware copies itself to %APPDATA%, under C:\Users\[User]\AppData\Roaming\catskenddocpDump.exe (the separators within the final path component are lost in this rendering)
  • The Tor client is dropped in %TEMP% with a filename matching the pattern [A-F0-9]{4}.bin and a size of 3,088 KB
  • cached-microdescs, a Tor data-directory file, is created in %APPDATA% once the Tor client runs


Registry:

  • An autostart entry is written under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Once the Tor client has been retrieved, the bot creates a key under HKCU\Software\AppDataLow\Software\Microsoft\[random GUID]
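The file-system indicators above can be turned into a quick hunt over a live profile or a mounted image. This is an added example, not code from the post: it walks a temp directory for the Tor drop (uppercase-hex four-character name, .bin extension, size near 3,088 KB as Explorer reports it) and an application-data directory for cached-microdescs. The directory tree it scans is constructed in a temporary folder for the demo; on a real host you would pass %TEMP% and %APPDATA% (or the corresponding paths on the image) instead. The registry keys are left out because they cannot be checked offline in the same way.

```python
import os
import re
import tempfile

# Host indicators from the post. Roots are parameters so the scan works on a
# mounted image or a test tree as well as on a live Windows profile.
TOR_DROP_NAME = re.compile(r"^[A-F0-9]{4}\.bin$")
TOR_DROP_KB = 3088        # size reported in the post
SIZE_WINDOW_KB = 8        # assumption: allow slack around the rounded Explorer size
TOR_DATA_FILE = "cached-microdescs"

def explorer_kb(size_bytes):
    """Size in KB the way Explorer shows it: bytes / 1024, rounded up."""
    return -(-size_bytes // 1024)

def hunt(temp_root, appdata_root):
    """Return (category, path) pairs for files matching the post's host IOCs."""
    findings = []
    for root, _dirs, files in os.walk(temp_root):
        for name in files:
            if not TOR_DROP_NAME.match(name):
                continue
            path = os.path.join(root, name)
            size_kb = explorer_kb(os.path.getsize(path))
            if abs(size_kb - TOR_DROP_KB) <= SIZE_WINDOW_KB:
                findings.append(("tor-client-drop", path))
            else:
                # Name pattern alone is weak evidence; report it separately.
                findings.append(("tor-client-name-only", path))
    for root, _dirs, files in os.walk(appdata_root):
        if TOR_DATA_FILE in files:
            findings.append(("tor-data-dir", os.path.join(root, TOR_DATA_FILE)))
    return findings

def build_test_tree(base):
    """Construct a small tree that mimics the post's artifacts (constructed data)."""
    temp = os.path.join(base, "Temp")
    appdata = os.path.join(base, "Roaming")
    os.makedirs(temp)
    os.makedirs(appdata)
    with open(os.path.join(temp, "3F1A.bin"), "wb") as f:
        f.write(b"\0" * (TOR_DROP_KB * 1024 - 100))   # shows as 3,088 KB
    with open(os.path.join(temp, "ABCD.bin"), "wb") as f:
        f.write(b"\0" * 512)                            # name matches, size does not
    with open(os.path.join(temp, "h00czx4n.exe"), "wb") as f:
        f.write(b"MZ")                                   # dropper name from the post, not a Tor drop
    with open(os.path.join(appdata, TOR_DATA_FILE), "wb") as f:
        f.write(b"")
    return temp, appdata

def demo():
    """Build the constructed tree, hunt it, and return the sorted categories found."""
    with tempfile.TemporaryDirectory() as base:
        temp, appdata = build_test_tree(base)
        return sorted(cat for cat, _ in hunt(temp, appdata))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for cat, path in hunt(*build_test_tree(base)):
            print(cat, path)
```

The size window exists because "3,088 KB" is a rounded display value, not an exact byte count; a different build of the Tor client will also differ in size, so treat the name pattern plus the presence of cached-microdescs as the stronger combination.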

Process Activity:

Process tree


Hashes:

SHA256: 8411ffb402372f51fbcc5f4d80f23eaf79871650d5cbbac8597c3667a49870b6
File name: Flash Exploit.swf

SHA256: 3c206e33e3ac1a3efb09f6225a60bae7c7c3cbaf095035ee48131a27c3e4e63b
File name: o32.tmp

SHA256: cad48968802d933e1ef7a346c8112b6c919d521227121e126360e26d95626793
File name: h00czx4n.exe
Hybrid-Analysis Report

Infection chain

This was a typical EITest to RIG exploit kit infection chain. Below is the image of the injected script on the compromised website:


Shout-out to my friend @nao_sec for finding the website

The injected script contains the URL of the RIG exploit kit landing page. In this infection chain I also got two identical payloads. Below is an image of the traffic showing the infection chain:


Below are some images of the changes to the registry as well as files that were created by the malware:

Artifacts for download (password is “infected”):

Malicious Artifacts.zip

The sample can be downloaded from the Hybrid-Analysis report.

Until next time!
