
Sundown/Xer EK from sends Neurevt.A/Betabot

Posted in trojan, exploitkit


Domains:
- Compromised site
- Sundown/Xer EK
- Neurevt.A/Betabot Checkin


[Image: Evil Redirector]

[Image: Sundown/Xer EK & Terdot.A Traffic]

[Image: Neurevt.A/Betabot Check-in Traffic]

Network Signatures:
[1:2022341:2] ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2
[1:2023480:4] ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1
[1:2023270:4] ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016
[1:2822428:2] ETPRO CURRENT_EVENTS SunDown EK Flash Exploit Artifact Oct 05 2016
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2819649:3] ETPRO CURRENT_EVENTS SunDown/Xer Payload M2
[1:2811659:2] ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M2
[1:2015704:6] ET CURRENT_EVENTS DoSWF Flash Encryption Banner
[1:2018784:7] ET TROJAN Win32/Neurevt.A/Betabot Check-in 4
[1:2807970:7] ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3

Process Tree:

[Image: Exploit and Neurevt execution]

File Hashes:

Detection ratio: 9 / 54

MD5: 6fb9730f849be2ac2cd661782c939b67
SHA1: c10fd1ea6b439bdc5c92db0f9c2eef48e0f64a89
File type: Flash


Detection ratio: 22 / 56

MD5: c62b024c2f916344da1471c4d2d7f766
SHA1: 4e57b0592e0ceeabe916603715c4f696f1a5274a
File type: Win32 EXE
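The signature list and file hashes above, turned into something a sensor or a triage script can consume. This is an added example written for this page, not code from the original post. It assumes the enable.conf format of suricata-update (one sid per line) and uses constructed stand-in byte strings rather than the real samples; the MD5s and sid lines are copied from the sections above. One caveat a practitioner will hit: the ETPRO sids (28xxxxx) come from the subscription ruleset and will not fire on a sensor that only loads ET Open, so the enable.conf helper skips them unless told otherwise.

```python
"""Added example: make the IOCs in this writeup actionable.

Two pieces:
  * parse the ET/ETPRO signature list into structured records and emit the
    sid lines that suricata-update's enable.conf accepts (ETPRO sids live in
    the paid ruleset, so they are skipped unless explicitly requested);
  * hash a sample, classify it by magic bytes (SWF vs PE) and look it up
    against the MD5s from the File Hashes section.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the Network Signatures section of this post.
SIGNATURE_LINES = """\
[1:2022341:2] ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2
[1:2023480:4] ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1
[1:2023270:4] ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016
[1:2822428:2] ETPRO CURRENT_EVENTS SunDown EK Flash Exploit Artifact Oct 05 2016
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2819649:3] ETPRO CURRENT_EVENTS SunDown/Xer Payload M2
[1:2811659:2] ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M2
[1:2015704:6] ET CURRENT_EVENTS DoSWF Flash Encryption Banner
[1:2018784:7] ET TROJAN Win32/Neurevt.A/Betabot Check-in 4
[1:2807970:7] ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3
"""

SIG_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<ruleset>ETPRO|ET)\s+(?P<category>[A-Z_]+)\s+(?P<msg>.+)$"
)


@dataclass(frozen=True)
class Signature:
    gid: int
    sid: int
    rev: int
    ruleset: str   # "ET" (open) or "ETPRO" (subscription)
    category: str  # CURRENT_EVENTS, TROJAN, POLICY, ...
    msg: str


def parse_signatures(text: str) -> List[Signature]:
    """Parse '[gid:sid:rev] RULESET CATEGORY msg' lines as printed in the writeup."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SIG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised signature line: {line!r}")
        sigs.append(Signature(int(m["gid"]), int(m["sid"]), int(m["rev"]),
                              m["ruleset"], m["category"], m["msg"]))
    return sigs


def enable_conf_lines(sigs: List[Signature], include_etpro: bool = False) -> List[str]:
    """One sid per line, the form suricata-update's enable.conf takes.

    ETPRO sids (28xxxxx) are not in ET Open; listing them there does nothing
    unless the sensor also loads the subscription ruleset.
    """
    return [str(s.sid) for s in sigs if include_etpro or s.ruleset == "ET"]


# MD5s from the File Hashes section, keyed to the file type given there.
IOC_MD5 = {
    "6fb9730f849be2ac2cd661782c939b67": "Flash",
    "c62b024c2f916344da1471c4d2d7f766": "Win32 EXE",
}


def file_kind(data: bytes) -> str:
    """Classify by magic: SWF is FWS (raw), CWS (zlib) or ZWS (LZMA); PE starts with MZ."""
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "Flash"
    if data[:2] == b"MZ":
        return "Win32 EXE"
    return "unknown"


def match_sample(data: bytes, iocs: Dict[str, str] = IOC_MD5) -> Dict[str, Optional[str]]:
    """Hash a sample and report whether its MD5 is one of the listed IOCs."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {"md5": md5, "sha1": sha1, "kind": file_kind(data), "ioc_match": iocs.get(md5)}


# Constructed stand-ins, NOT the real samples: a minimal uncompressed SWF
# header (signature, version 10, little-endian file length) and a PE MZ stub.
CONSTRUCTED_SWF = b"FWS\x0a" + (64).to_bytes(4, "little") + b"\x00" * 56
CONSTRUCTED_PE = b"MZ\x90\x00" + b"\x00" * 60


if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURE_LINES)
    for s in sigs:
        print(f"{s.ruleset:<5} sid={s.sid} rev={s.rev} {s.msg}")
    print("enable.conf sids:", ", ".join(enable_conf_lines(sigs)))
    for blob in (CONSTRUCTED_SWF, CONSTRUCTED_PE):
        print(match_sample(blob))
```

Run it on the real samples by reading the file bytes into match_sample(); the constructed blobs only exercise the magic-byte check, so their hashes will never match the IOC table and ioc_match stays None for them.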


Associated files:

