Dreambot Dropped by HookAds

This will be a quick post as I just wanted to put out some updated IOCs.

“popunder.php” from the HookAds decoy site:

balkali[.]info/banners/countryhits:

HookAds is still pushing Dreambot via RIG EK.

Network Based IOCs

HTTP:

• 80.77.82.41 – balkali.info – GET /banners/countryhits – HookAds server
• 188.225.33.164 – IP-literal hostname used by RIG EK
• 104.223.89.174 – GET /images/[removed]/B.avi and GET /home/2.css – Dreambot C2

DNS:

• wdwefwefwwfewdefewfwefw.onion
• resolver1.opendns.com
• myip.opendns.com

Other Contacted Hosts:

• 193.23.244.244 via TCP port 443
• 76.73.17.194 via TCP port 9090

ET Rules Triggered:

• ET POLICY OpenDNS IP Lookup
• ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR
• POLICY TLS possible TOR SSL traffic

Images of Traffic:

Hashes

SHA256: 5bc5bf65fa088d58df193e99a31d3471cf20aeade39c980362857ccea028d19b
File name: popunder.php.txt

SHA256: 86dfda35f3a035cd1a294fc427d9f2774f75fbda687902f261f2cf8d215938ff
File name: countryhits.txt

SHA256: 87a3d00fe14e3a773e905c00cc3a912999d41a3fcf4093fbec7c0c5ebae7bb77
File name: RigEK Landing Page from 188.225.33.164.txt

SHA256: b97163074bc8bb1893310e27aa673cbb89ae0ac9b88fad149fe2bfe9adcf4897
File name: RigEK Flash exploit from 188.225.33.164.swf

SHA256: 82a322e80c3cc0645123812b8933bad1e88f164b82a649167bbca4028809ff13
File name: o32.tmp

SHA256: c3680493f64fce0dfe7cfa77a752ec15baa31c9ad5f76d5156fa6a465a399623
File name: q1t3ly73.exe
Hybrid-Analysis Report

SHA256: 4384458b9c3f09af64f386552588ea9b35e4aa7438bbb515dadf4b4619e10820
File name: 2.css (32-bit Windows OS)

SHA256: 939ca8ad0e3c61b471d7fd918f4701e548f98084ff461fa7c897191b0f778fa4
File name: 3.css (64-bit Windows OS)

Downloads

HookAds RigEK 072617 – Malicious Artifacts.zip

Password is “infected”

Until next time!