Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs.

“popunder.php” from the HookAds decoy site:


decode64 contains a Base64 string which decodes to the location of the RIG EK pre-filter page at balkali[.]info/banners/countryhits


Partial image of the pre-filter page. Its Base64 string decodes to the RIG EK landing page.

HookAds is still pushing Dreambot via RIG EK.
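As an added example (not code from the original post), a small Python triage helper that does what the post describes by hand: it pulls Base64 string literals out of a captured redirector page, decodes them and reports any URL they hide, defanged for a report. The page bodies below are constructed stand-ins for popunder.php and countryhits, and the RIG EK landing host is a placeholder because the post withholds it.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the captured decoy (popunder.php) and pre-filter
# (countryhits) page bodies. The first literal is the real Base64 of the
# pre-filter URL named in the post; the second wraps a PLACEHOLDER landing URL.
STAGE_SAMPLES: Dict[str, str] = {
    "popunder.php": 'var decode64 = "aHR0cDovL2JhbGthbGkuaW5mby9iYW5uZXJzL2NvdW50cnloaXRz";',
    "countryhits": '<script>window.location = atob("'
                   + base64.b64encode(b"http://RIG-EK-LANDING-PLACEHOLDER/?q=1").decode()
                   + '");</script>',
}

# A quoted run of 16+ Base64 alphabet characters with optional padding; the
# backreference makes the closing quote match the opening one.
B64_LITERAL = re.compile(r'(["\'])([A-Za-z0-9+/]{16,}={0,2})\1')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_b64_urls(body: str) -> List[str]:
    """Return every URL hidden inside a Base64 string literal in `body`."""
    found: List[str] = []
    for m in B64_LITERAL.finditer(body):
        try:
            text = base64.b64decode(m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: skip, never crash on junk
        found.extend(URL_RE.findall(text))
    return found


def defang(url: str) -> str:
    """Make a URL safe to paste into a report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def walk_chain(stages: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map each captured stage name to the defanged next-hop URLs it decodes to."""
    chain: List[Tuple[str, str]] = []
    for name, body in stages.items():
        for url in decode_b64_urls(body):
            chain.append((name, defang(url)))
    return chain


if __name__ == "__main__":
    for stage, nxt in walk_chain(STAGE_SAMPLES):
        print(f"{stage} -> {nxt}")
```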

Network Based IOCs


  • – balkali.info – GET /banners/countryhits – HookAds server
  • – IP-literal hostname used by RIG EK
  • – GET /images/[removed]/B.avi and GET /home/2.css – Dreambot C2


  • wdwefwefwwfewdefewfwefw.onion
  • resolver1.opendns.com
  • myip.opendns.com

Other Contacted Hosts:

  • via TCP port 443
  • via TCP port 9090

ET Rules Triggered:

  • ET POLICY OpenDNS IP Lookup
  • ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
  • POLICY TLS possible TOR SSL traffic

Images of Traffic:


SHA256: 5bc5bf65fa088d58df193e99a31d3471cf20aeade39c980362857ccea028d19b
File name: popunder.php.txt

SHA256: 86dfda35f3a035cd1a294fc427d9f2774f75fbda687902f261f2cf8d215938ff
File name: countryhits.txt

SHA256: 87a3d00fe14e3a773e905c00cc3a912999d41a3fcf4093fbec7c0c5ebae7bb77
File name: RigEK Landing Page from

SHA256: b97163074bc8bb1893310e27aa673cbb89ae0ac9b88fad149fe2bfe9adcf4897
File name: RigEK Flash exploit from

SHA256: 82a322e80c3cc0645123812b8933bad1e88f164b82a649167bbca4028809ff13
File name: o32.tmp

SHA256: c3680493f64fce0dfe7cfa77a752ec15baa31c9ad5f76d5156fa6a465a399623
File name: q1t3ly73.exe
Hybrid-Analysis Report

SHA256: 4384458b9c3f09af64f386552588ea9b35e4aa7438bbb515dadf4b4619e10820
File name: 2.css (32-bit Windows OS)

SHA256: 939ca8ad0e3c61b471d7fd918f4701e548f98084ff461fa7c897191b0f778fa4
File name: 3.css (64-bit Windows OS)


HookAds RigEK 072617 – Malicious Artifacts.zip

Password is “infected”

Until next time!
