Tag: Vawtrak

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs:
77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2
81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2
104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)

Traffic:

IDS Events:

Hashes:
SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8 – File name: contract_54262.doc
SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926 – File name: hancitor.dll
SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495 – File name: ...


EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs:
31.184.192.188 – kinepolis.top – EITest Gate
185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit
108.61.99.79 – GET Requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]”

Post Infection DNS Queries:
95.46.98.89 – ctwruhwdk.com
95.46.98.89 – apgtsdeh.com
81.177.13.242 – lkfiravihg.com

Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 – File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 – File name: ...


EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs:
88.208.252.222 – cam-machine.com – Compromised Website
85.93.0.110 – focecu.xyz – EITest Gate
178.32.92.122 – eeuo5tu8.top – Rig EK
108.61.99.79 – GET requests via direct IP:
  GET /module/d1967c99c0c7f9b468f2e08e59e41ffe
  GET /module/311ac29c5a8f6b4e7a247db98207fd6e
  GET /module/96df1c84c7fb13e880e399f9627e0db0
  GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
  GET /module/a104f2955999a2f1a1c881e8930b82f6

Post-Infection DNS Queries resolving to 91.235.129.178:
  zmluvsfe.com
  machinabat.pw
  baltolux.bid
  twoggis.bid

Post-Infection DNS Queries resolving to 185.4.67.154:
  chanpie.pw
  zoomir.bid
  buhnuti.bid
  wermoo.pw

DNS standard query responses ...