All posts by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 50.97.68.34 – eddieoneverything.com – Compromised Site 138.68.18.73 – null.delayofgame.com – Afraidgate JS 5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK HTTP requests URL: hxxp://95.85.19.195/data/info.php TYPE: POST URL: hxxp://188.127.249.32/data/info.php TYPE: POST URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST DNS requests dutluhnnx.info (69.195.129.70) afgmbssj.org vlrdkvkt.pw jybqbxjcwowph.xyz ggfwsvmnsunvb.work kqudpyjbcd.biz (58.158.177.102) TCP connections 95.85.19.195:80 188.127.249.32:80 69.195.129.70:80 58.158.177.102:80 Hashes: SHA256: ...

A

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs: 195.58.170.31 – skopikundlohn[.]at – Compromised Site 138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS 5.2.73.124 – kqccnxro.thatset.top – Neutrino EK 188.127.249.32 – POST /data/info.php – callback traffic 95.85.19.195 – POST /data/info.php – callback traffic Hashes: SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 File name: crew.nbbgradstudents.com.js SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 File name: Neutrino EK Landing Page.htm SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b File name: Neutrino EK SWF Exploit.swf ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs: 181.224.139.64 – stjoeschool[.]org – Compromised Website 74.208.161.160 – besucador.me-audio.co.uk – Neutrino EK 85.14.243.9 – CryptMIC post-infection traffic via TCP port 443 Hashes: SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327aec53952d0f File name: Neutrino EK Landing Page.html SHA256: 43db664f321a9ad0b4413f8bfff65e776fa052f278bb902156d6ccedf16d7bd4 File name: Neutrino EK SWF Exploit.swf SHA256: 35f97fefe5a6f02b00ebf3b5ac41bd8d8bfdab38aef3b737063d9774db1fcfc6 File name: rad050CF.tmp.dll So again we find that the pseudo-Darkleech campaign has been leading ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.161.160 Which Drops CryptMIC Ransomware

IOCs: 181.224.138.165 – etratech[.]com – Compromised Website 74.208.161.160 – spuitvissen.mycasemanager.co.uk – Neutrino EK 85.14.243.9 – CryptMIC post-infection traffic over TPC port 443 Hashes: SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a155be25fb148410 File name: Neutrino EK Landing Page.html SHA256: bc2f96dbdca32491b5966fcf4ee22bda4ad25c5abcb660780ce7baddc2e00d2c File name: Neutrino EK SWF Exploit.swf SHA256: dc5a6e8098e30ee0d2fad66dd038ca76801e70d82db36903db7040b9c2cb3f05 File name: rad63FC3.tmp.dll Infection chain is pseudoDarkleech campaign to Neutrino EK to CryptMIC ransomware. ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.192.10 Which Drops CryptMIC Ransomware

IOCs: 216.58.216.99 – moanavoyage.org – Compromised Site 74.208.192.10 – biodynaaminen.pahiremidlands.co.uk – Neutrino EK 85.14.243.9 –  CryptMIC post-infection traffic over TCP port 443 Hashes: SHA256: 44ea0ce673f1c5cd0637a2212d2b9370e9cffc8487ce96209c8fae3236461170 File name: Neutrino EK Landing Page.html SHA256: 373c2de51a57012eb0b9f212caff5442b6107e35040f13ff2dd180d74d54b335 File name: Neutrino EK SWF Exploit.swf SHA256: 49c845bf2371b515b71787464e7225a76bbb3724b92bc9a80fad843eba6d9b69 File name: radE41AE.tmp.dll This is another typical pseudo-Darkleech to Neutrino EK infection chain. Below ...

p

pseudoDarkleech Leads to Neutrino EK at 74.208.192.13 Which Then Drops CryptMIC Ransomware

IOCs: 72.10.49.22 – ionedds.com – Compromised Site 74.208.192.13 – arkisempaa-mycobutin.smoothbadger.uk – Neutrino EK 85.14.243.9 – Post-infection CryptMIC callback traffic over TCP port 443 Hashes: SHA256: c2e931c5b81ecc0cb617f7e9ebf20e7626f2dee496e6f0e1e65bc19eb42a365c File name: Neutrino EK Landing Page SHA256: 0a42e068479e729d295a0d5e9505d7e291c201d557e315f5327e009455ea81df File name: Neutrino EK SWF Exploit SHA256: ca7a59c4a6106e1f74f7519250c19e1bf48ea0aeed2cdf22b0a4715f0a858b81 File name: rad7318C.tmp.dll – Payload in %APPDATA% The infection chain starts with a ...

E

EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs: 88.208.252.222 – cam-machine.com – Compromised Website 85.93.0.110 – focecu.xyz – EITest Gate 178.32.92.122 – eeuo5tu8.top – Rig EK 108.61.99.79 – GET /module/d1967c99c0c7f9b468f2e08e59e41ffe GET /module/311ac29c5a8f6b4e7a247db98207fd6e GET /module/96df1c84c7fb13e880e399f9627e0db0 GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d GET /module/a104f2955999a2f1a1c881e8930b82f6 Post-Infection DNS Queries resolving to 91.235.129.178: zmluvsfe.com machinabat.pw baltolux.bid twoggis.bid Post-Infection DNS Queries resolving to 185.4.67.154: chanpie.pw zoomir.bid buhnuti.bid wermoo.pw DNS standard query responses ...