Tag: Rig-V
EITest Leads to RIG-v EK at 217.107.34.241 and Drops Dreambot.
IOCs: 192.99.46.21 – littleinspiration.com – Compromised website 217.107.34.241 – zone.klynnholding.com – RIG EK 5.196.159.175 – GET /images/[removed]/.avi – CnC traffic 5.196.159.175 – GET /tor/t64.dll – Tor module download 37.48.122.26 – curlmyip.net – External IP lookup Post-infection Tor traffic via TCP port 443 and 9001 SSH connections to 91.239.232.81, which also host one or more Tor relays according to https://exonerator.torproject.org Additional DNS ...
HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.
IOCs: 104.27.134.78 – multimediaz.net – Website hosting script for onclickads.net 206.54.163.4 – onclickads.net – Checks Flash. Redirects to onclkds.com. 206.54.163.50 – onclkds.com – Returns “302 Moved Temporarily,” new location is set to avatrading.org 185.51.244.202 – avatrading.org – Domain in fake ad network. Contains iframe for stockholmads.info 185.51.244.210 – stockholmads.info – GET /rotation/check-hits? – Contains iframe for RIG-v EK ...
EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.
IOCs: 104.28.31.109 – lepatek.com – Compromised website 92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK 109.236.87.84 – 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin. Traffic: Hashes: SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8 File name: RIG-v EK Flash Exploit.swf SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea File name: QTTYUADAF SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e File name: rad26801.tmp.exe Hybrid-Analysis Report Infection Chain: Loading the website in my browser and ...
Keitaro TDS Leads to RIG-v EK at 188.225.36.231
IOCs: 188.225.36.231 – hand.stayatsouthpadre.com – RIG-v EK 31.11.32.225 – www pivesso.us – GET /Img/Gif/oni64.gif – Tor client 37.48.122.26 – curlmyip.net – Used for host IP lookup Post-infection Tor traffic going over TCP port 9001 – ET POLICY TLS possible TOR SSL traffic DNS Queries: resolver1.opendns.com – ET POLICY OpenDNS IP Lookup 222.222.67.208.in-addr.arpa myip.opendns.com Traffic: Hashes: SHA256: 0c1b3a0131c98032141d2315902b546bd926d5d4365628dafbbfca165f934f12 ...
Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.
IOCs: 88.214.225.168 – duckporno.com – Decoy site 80.77.82.42 – bethanyads.info – GET /rotation/hits? – Fake ad server 194.87.237.240 – sell.underinsuredinamerica.com – RIG-v EK Post-Infection Traffic: 89.223.31.51 – GET /images/[truncated]/f2NJW2/.avi – ET TROJAN Ursnif Variant CnC Beacon 89.223.31.51 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – GET for external IP Outbound ...
EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware
IOCs: 212.166.71.52 – blog.masmovil.es – Compromised website 194.87.145.225 – sound.formpools.co – RIG-v EK 45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback Traffic: Hashes: SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449 File name: EITest RIG-v EK Flash Exploit.swf SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650 File name: QTTYUADAF SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb File name: rad871F7.tmp.exe and SmartScreen.exe Hybrid-Analysis Report Infection Chain: I want to give a shout-out to @FreeBSDfan for ...
RIG-v at 194.87.144.170. EK Drops Dreambot.
IOCs: 88.214.225.168 – duckporno.com – Decoy site 80.77.82.42 – walterboroads.info – GET /rotation/hits? – Malicious redirect 194.87.144.170 – mail.mobildugun.com – RIG-v EK Post-Infection Traffic: 94.23.186.184 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon 94.23.186.184 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – GET for external IP Outbound ...
Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.
IOCs: 88.214.225.168 – amateur.duckporno.com – Compromised adult website 80.77.82.42 – sumterads.info – GET /rotation/hits? 92.53.97.168 – zag.2043kutahya.net – RIG-v EK Post-Infection Traffic: 94.23.186.184 – GET /images/[truncated]/y/.avi 91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg 91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif 94.23.186.184 – GET /tor/t32.dll – Tor client 37.48.122.26 – curlmyip.net – GETs external IP of host Outbound ...
Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.
IOCs: 88.99.41.189 – qj.fse.mobi – Sundown EK 86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot 93.190.143.82 – mhn.jku.mobi – Sundown EK 93.190.143.82 – nso.fzo.mobi – Sundown EK 93.158.215.169 – domainfilsdomainc.study – RIG-v EK Sundown EK Traffic Run 1 (Traffic exported from SIEM): FlashPlayer.exe Run 2: Sundown EK Traffic Run 3: RIG-v EK Traffic Run ...
Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.
IOCs: 93.158.215.169 – fredomasearchdsd.top – RIG-v EK 186.2.163.47 – spora.biz – Spora ransomware domain Traffic: Hashes: SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5 File name: Landing Page.html SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52 File name: Flash Exploit.swf SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911 File name: radF0D46.tmp.exe Hybrid-Analysis Report Infection Chain: I found a website with an iframe containing a URL for a RIG-v EK landing page: It doesn’t ...
Malware breakdown 