
RIG EK from 174.128.251.30 drops Dreambot & Tor client

Posted in trojan, exploitkit


Domains and IPs:

IP               Host                   Role
46.30.215.7      www.telme2.com         Compromised site (EITest inject)
174.128.251.30   y4qxp72.q446gl.top     RIG EK (landing, exploit and payload)
85.204.74.140    (direct to IP)         Dreambot check-in (CnC)



Traffic:

[Screenshot] Evil EITest inject on the compromised site

[Screenshot] RIG EK, CnC traffic & Tor traffic



Network Signatures (all from the single RIG EK chain above; the Nuclear and Sundown/Xer landing rules fire on the same RIG traffic from 174.128.251.30, there is no second kit in this capture):

[1:2023343:3] ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016
[1:2023482:2] ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2
[1:2020722:3] ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015
[1:2023198:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)
[1:2814493:3] ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M2
[1:2816230:3] ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2016 M5
[1:2820088:3] ETPRO CURRENT_EVENTS CVE-2015-2419 M1 (b643) Observed in Sundown/Xer EK
[1:2820090:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642)
[1:2820091:3] ETPRO CURRENT_EVENTS Sundown/Xer EK Landing May 05 2016 (b642)
[1:2814492:3] ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M1
[1:2023199:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)
[1:2020721:3] ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2020720:2] ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015
[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
[1:2823044:3] ETPRO TROJAN W32.Dreambot Checkin
[1:2023471:2] ET CURRENT_EVENTS Possible Malicious Tor Module Download
[1:2018789:2] ET POLICY TLS possible TOR SSL traffic
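One way to hunt for this chain in Suricata eve.json output, as an added example that is not part of the original post: the IPs, hostnames and signature IDs below are the ones listed in the Domains table and the Network Signatures list, while the eve.json records in SAMPLE_EVE are constructed for illustration and are not taken from traffic.zip.

```python
"""Hunt for the RIG EK -> Dreambot chain in Suricata eve.json output.

Added example, not part of the original post. IOCs and SIDs are copied
from the post; SAMPLE_EVE is constructed, not real capture data.
"""
import json

# Indicators from the post's Domains table.
IOC_IPS = {
    "46.30.215.7": "compromised site",
    "174.128.251.30": "RIG EK",
    "85.204.74.140": "Dreambot check-in",
}
IOC_HOSTS = {"www.telme2.com", "y4qxp72.q446gl.top"}

# Copied from the post's Network Signatures list: "[gid:sid:rev] msg".
SIGNATURE_LINES = """\
[1:2023343:3] ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016
[1:2023198:2] ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2020720:2] ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015
[1:2823044:3] ETPRO TROJAN W32.Dreambot Checkin
[1:2018789:2] ET POLICY TLS possible TOR SSL traffic
"""

def parse_signature_ids(text):
    """Parse '[gid:sid:rev] msg' lines into {sid: msg} (gid 1 = text rules)."""
    sids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "] " not in line:
            continue
        ids, _, msg = line[1:].partition("] ")
        gid, sid, _rev = (int(x) for x in ids.split(":"))
        if gid == 1:
            sids[sid] = msg
    return sids

def scan_eve(lines, sids):
    """Return IOC hits sorted by timestamp.

    An 'alert' event hits when its signature_id is in sids; an 'http'
    event hits when its hostname or destination IP is a listed indicator.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        src, dst = ev.get("src_ip", ""), ev.get("dest_ip", "")
        # Whichever endpoint is a listed IP (alerts on server responses carry
        # the IOC as src_ip); None for traffic with no listed IP, e.g. Tor.
        ioc_ip = dst if dst in IOC_IPS else src if src in IOC_IPS else None
        hit = None
        if ev.get("event_type") == "alert":
            sid = ev["alert"]["signature_id"]
            if sid in sids:
                hit = {"kind": "alert", "sid": sid, "msg": ev["alert"]["signature"]}
        elif ev.get("event_type") == "http":
            host = ev["http"].get("hostname", "")
            if host in IOC_HOSTS or dst in IOC_IPS:
                msg = f"{ev['http'].get('http_method', '')} {host}{ev['http'].get('url', '')}"
                hit = {"kind": "http", "sid": None, "msg": msg}
        if hit:
            hit.update(ts=ev["timestamp"], src=src, dst=dst, ioc_ip=ioc_ip)
            hits.append(hit)
    hits.sort(key=lambda h: h["ts"])
    return hits

def chain_stages(hits):
    """Infection stages in the order first seen, keyed by the IOC IP involved."""
    seen = []
    for h in hits:
        stage = IOC_IPS.get(h["ioc_ip"])
        if stage and stage not in seen:
            seen.append(stage)
    return seen

# Constructed eve.json lines (10.0.0.5 is the victim; 93.184.216.34 and
# 203.0.113.9 are unrelated hosts). Not from the post's traffic.zip.
SAMPLE_EVE = """\
{"timestamp":"2016-10-20T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"46.30.215.7","http":{"hostname":"www.telme2.com","url":"/","http_method":"GET"}}
{"timestamp":"2016-10-20T10:00:01.500000+0000","event_type":"alert","src_ip":"46.30.215.7","dest_ip":"10.0.0.5","alert":{"gid":1,"signature_id":2023343,"rev":3,"signature":"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"}}
{"timestamp":"2016-10-20T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"174.128.251.30","http":{"hostname":"y4qxp72.q446gl.top","url":"/?oq=sample","http_method":"GET"}}
{"timestamp":"2016-10-20T10:00:02.200000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"174.128.251.30","alert":{"gid":1,"signature_id":2023198,"rev":2,"signature":"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"}}
{"timestamp":"2016-10-20T10:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"www.example.com","url":"/","http_method":"GET"}}
{"timestamp":"2016-10-20T10:00:09.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"85.204.74.140","alert":{"gid":1,"signature_id":2823044,"rev":3,"signature":"ETPRO TROJAN W32.Dreambot Checkin"}}
{"timestamp":"2016-10-20T10:00:12.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"gid":1,"signature_id":2018789,"rev":2,"signature":"ET POLICY TLS possible TOR SSL traffic"}}
"""

if __name__ == "__main__":
    found = scan_eve(SAMPLE_EVE.splitlines(), parse_signature_ids(SIGNATURE_LINES))
    for h in found:
        print(h["ts"], h["kind"], h["sid"], h["ioc_ip"], h["msg"])
    print("stages:", " -> ".join(chain_stages(found)))
```

Run it against a real eve.json with `scan_eve(open("eve.json"), parse_signature_ids(SIGNATURE_LINES))`; the ordered stage list is what tells a compromised-site visit (plenty of those) apart from a completed infection with a check-in.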



Process Tree:

[Screenshot] Exploit and trojan execution



File Hashes:

Flash exploit (served by RIG EK)
SHA256: b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e
Detection ratio: 10 / 54

Win32 EXE (Dreambot payload)
SHA256: 05e4921b72db683e43b1c91b507528602d5989e50b68a13dd852f711ecf74c94
Detection ratio: 9 / 56
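A small triage helper for files carved from the capture, added here as an example and not part of the original post: it types each file from its header (SWF signature, version and length; PE e_lfanew and Machine field) and matches its SHA256 against the two hashes above. KNOWN_HASHES are the post's values; SAMPLE_FILES are constructed header stubs, not the real samples, so they will not match.

```python
"""Type dropped files by header and match SHA256s against the post's hashes.

Added example, not part of the original post. KNOWN_HASHES come from the
post; SAMPLE_FILES are constructed header-only stubs, not real samples.
"""
import hashlib
import struct

KNOWN_HASHES = {
    "b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e": "Flash exploit from RIG EK",
    "05e4921b72db683e43b1c91b507528602d5989e50b68a13dd852f711ecf74c94": "Dreambot Win32 EXE",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def identify(data):
    """Classify a file by its header.

    SWF: 3-byte signature (FWS plain, CWS zlib, ZWS lzma), version byte,
    uint32 LE uncompressed length.  PE: 'MZ', e_lfanew at 0x3C pointing at
    'PE\\0\\0', then the COFF Machine field (0x14C = i386, 0x8664 = x64).
    """
    if len(data) >= 8 and data[:3] in (b"FWS", b"CWS", b"ZWS"):
        comp = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}[data[:3]]
        version = data[3]
        length = struct.unpack_from("<I", data, 4)[0]
        return f"Flash SWF v{version} ({comp}, {length} bytes when unpacked)"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            arch = {0x14C: "i386", 0x8664: "x64"}.get(machine, f"machine 0x{machine:x}")
            return f"PE executable ({arch})"
        return "MZ stub without PE header"
    return "unknown"

def triage(files, known=KNOWN_HASHES):
    """files: {name: bytes}. Returns (name, type, sha256, label or None) per file."""
    rows = []
    for name, data in files.items():
        digest = sha256_hex(data)
        rows.append((name, identify(data), digest, known.get(digest)))
    return rows

# Constructed stubs with valid headers only; not the files from traffic.zip.
SAMPLE_FILES = {
    "rig_exploit.swf": b"CWS" + bytes([23]) + struct.pack("<I", 4096) + b"\0" * 8,
    "dreambot.exe": (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
                     + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18),
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        print(row)
```

For real carved files, build the dict with `{p.name: p.read_bytes() for p in pathlib.Path("carved").iterdir()}`; a SWF whose stated length is far larger than the file on disk, or an MZ file with no PE header, is worth a closer look before it is discarded as corrupt.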



Associated files:
traffic.zip
