
RIG from 185.153.198.105 sends Terdot.A / Zloader

Posted in trojan, exploitkit


Domains / IPs:

IP                 Host                        Role
89.234.67.10       dulwichharps.com            Compromised site (redirector injected)
185.153.198.105    fu39j.vckbcn.top            RIG EK (landing page, Flash exploit, payload)
107.173.51.100     djuwheuijkweifhjdwie.gq     Terdot.A check-in
185.164.64.156     djuwheuijkweifhjdwie.gq     Terdot.A check-in

The Terdot.A check-in domain resolved to both of the last two IPs during the capture, so block on the domain as well as the addresses.




Traffic:

(screenshot) Evil Redirector
(screenshot) RIG & Terdot.A Traffic
(screenshot) Terdot.A CnC Traffic




Network Signatures (Emerging Threats ET Open / ETPRO Suricata-Snort SIDs that fired on the pcap):
[1:2023343:3] ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016
[1:2023482:2] ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2
[1:2020722:3] ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015
[1:2820089:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b641)
[1:2023200:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)
[1:2023199:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)
[1:2820091:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642)
[1:2014726:88] ET POLICY Outdated Windows Flash Version IE
[1:2021752:13] ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2811657:2] ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M1
[1:2020720:2] ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015
[1:2022916:3] ET CURRENT_EVENTS RIG EK Payload Jun 26 2016
[1:2809511:3] ETPRO TROJAN Win32/Terdot.A / Zloader Checkin
[1:2016858:9] ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)




File Hashes:

Detection ratio: 30 / 54

MD5: e9f82eeb6a9104be9e81c963d6aa211a
SHA1: 4d7dbc9804f5f2a7c7d34bc2a758adb184f79b58
SHA256: 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1
File type: Flash (the SWF exploit served by RIG)
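The indicators above (hosts, IPs and the Flash exploit's hashes) as a small Python IOC matcher that can be run over proxy or DNS logs and over downloaded files. This is an added example and not code from the original post or from the traffic.zip; the indicators are copied from this page, while the log lines and the file bytes it scans are constructed here for the demonstration and do not come from the pcap.

```python
"""IOC matcher for the RIG -> Terdot.A / Zloader chain described in this post.

Added example: the IOC values are the ones listed on the page; SAMPLE_LOG and the
bytes passed to hash_matches() are constructed for the demo, not taken from the pcap.
"""
import hashlib
import re
from dataclasses import dataclass

# Network indicators from the post: address -> role
IOC_IPS = {
    "89.234.67.10": "Compromised site",
    "185.153.198.105": "RIG EK",
    "107.173.51.100": "Terdot.A check-in",
    "185.164.64.156": "Terdot.A check-in",
}
# Host indicators from the post: domain -> role (subdomains are matched too)
IOC_DOMAINS = {
    "dulwichharps.com": "Compromised site",
    "fu39j.vckbcn.top": "RIG EK",
    "djuwheuijkweifhjdwie.gq": "Terdot.A check-in",
}
# Hashes of the Flash exploit from the post, lower-case hex
IOC_HASHES = {
    "md5": "e9f82eeb6a9104be9e81c963d6aa211a",
    "sha1": "4d7dbc9804f5f2a7c7d34bc2a758adb184f79b58",
    "sha256": "1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1",
}

# Anything that looks like a dotted host or IPv4 literal in a log line
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed sample log lines (client IP, method/record, target, status); NOT from the pcap
SAMPLE_LOG = [
    "10.0.0.5 GET http://dulwichharps.com/ 200 text/html",
    "10.0.0.5 GET http://fu39j.vckbcn.top/ 200 application/x-shockwave-flash",
    "10.0.0.5 POST http://djuwheuijkweifhjdwie.gq/ 200",
    "10.0.0.5 DNS A www.dulwichharps.com -> 89.234.67.10",
    "10.0.0.5 GET http://www.example.com/ 200 text/html",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    role: str


def _host_role(host: str):
    """Return the IOC role for a host or IPv4 literal, or None if it is not an indicator."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        return IOC_IPS.get(host)
    for domain, role in IOC_DOMAINS.items():
        # exact match or any subdomain of the indicator (www.dulwichharps.com)
        if host == domain or host.endswith("." + domain):
            return role
    return None


def scan_logs(lines):
    """Return one Hit per distinct indicator seen on each log line, in line order."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for match in HOST_RE.finditer(line):
            host = match.group(1).lower().rstrip(".")
            if host in seen:
                continue
            seen.add(host)
            role = _host_role(host)
            if role is not None:
                hits.append(Hit(line_no, host, role))
    return hits


def hash_matches(data: bytes):
    """Return the digest names (md5/sha1/sha256) under which `data` matches the Flash exploit."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [name for name, value in digests.items() if IOC_HASHES[name] == value]


def is_known_hash(hexdigest: str):
    """Return which digest type a hash string (any case) matches, or None."""
    value = hexdigest.strip().lower()
    for name, known in IOC_HASHES.items():
        if value == known:
            return name
    return None


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.role}")
    print("constructed bytes match exploit:", hash_matches(b"not the real swf"))
```

Running the block as a script lists the four log lines that touch the chain (the benign example.com line produces nothing) and shows that arbitrary bytes do not match the exploit hashes. Feed it real lines with `scan_logs(open(path).read().splitlines())`; it only needs the host or IP to appear somewhere in the line, so it works on squid, Bro/Zeek and plain DNS logs alike.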




associated files:
traffic.zip

This website focuses on the latest malware, exploit kits, spam and phishing attacks that are seen in the wild. Inspired by @malware_traffic, @BroadAnalysis and @malwareforme
