Tag: Dreambot

Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.

IOCs: 88.214.225.168 – amateur.duckporno.com – Compromised adult website 80.77.82.42 – sumterads.info – GET /rotation/hits? 92.53.97.168 – zag.2043kutahya.net – RIG-v EK Post-Infection Traffic: 94.23.186.184 – GET /images/[truncated]/y/.avi 91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg 91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif 94.23.186.184 – GET /tor/t32.dll – Tor client 37.48.122.26 – curlmyip.net – GETs external IP of host Outbound ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs: 88.99.41.189 – qj.fse.mobi – Sundown EK 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot 93.190.143.82 – mhn.jku.mobi – Sundown EK 93.190.143.82 – nso.fzo.mobi – Sundown EK 93.158.215.169 – domainfilsdomainc.study – RIG-v EK Sundown EK Traffic Run 1 (Traffic exported from SIEM): FlashPlayer.exe Run 2: Sundown EK Traffic Run 3: RIG-v EK Traffic Run ...