
Sundown/Xer EK from 164.132.116.52 sends Neurevt.A/Betabot

Posted in trojan, exploitkit


Domains:

IP               Domain                      Role
217.23.13.109    partycasino.club            Compromised site
164.132.116.52   jpk.pnnln.com               Sundown/Xer EK
121.11.83.197    b.brakingbdomovieza2.com    Neurevt.A/Betabot check-in




Traffic:

[Figure: Evil Redirector]

[Figure: Sundown/Xer EK & Terdot.A Traffic]

[Figure: Neurevt.A/Betabot Check-in Traffic]




Network Signatures:

[1:2022341:2] ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2
[1:2023480:4] ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1
[1:2023270:4] ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016
[1:2822428:2] ETPRO CURRENT_EVENTS SunDown EK Flash Exploit Artifact Oct 05 2016
[1:2000419:22] ET POLICY PE EXE or DLL Windows file download
[1:2819649:3] ETPRO CURRENT_EVENTS SunDown/Xer Payload M2
[1:2811659:2] ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M2
[1:2015704:6] ET CURRENT_EVENTS DoSWF Flash Encryption Banner
[1:2018784:7] ET TROJAN Win32/Neurevt.A/Betabot Check-in 4
[1:2807970:7] ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3




Process Tree:

[Figure: Exploit and Neurevt execution]




File Hashes:

Detection ratio: 9 / 54

MD5: 6fb9730f849be2ac2cd661782c939b67
SHA1: c10fd1ea6b439bdc5c92db0f9c2eef48e0f64a89
File type: Flash



Detection ratio: 22 / 56

MD5: c62b024c2f916344da1471c4d2d7f766
SHA1: 4e57b0592e0ceeabe916603715c4f696f1a5274a
File type: Win32 EXE




Associated files:
traffic.zip
