EITest Gate at Leads to Rig EK at and Drops What Appears to be Betabot

IOCs:
– azarsenalsc[.]org – Compromised Site
– aliancaadm.top – EITest Gate
– zio11q.oa3ri8.top – Rig EK
– b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot
– GET /rd927.exe – Post infection download
– and30.blabladomdom.com – POST /bla30/gate.php
– and30.blabladomdom.com – POST /bla30/gate.php
– and30.blabladomdom.com – POST /bla30/gate.php
Reference for ...


ZIP File Containing HTA File Leads to Locky Ransomware

IOCs:
– onushilon.org/56f2gsu782desf – GET request for payload
Hashes:
SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7 – File name: 20160920034329138280504.zip
SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66 – File name: QL5LY62838.hta
SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d – File name: iIrfSCB1
SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e – File name: iIrfSCB1.dll
Infection Chain: The user received an email from with no subject and no content. The only thing contained in the email was an attached .zip ...


Rig EK at Drops CryptMIC Ransomware

Rig EK Drops CryptMIC Ransomware


EITest Gate at Leads to RigEK and Drops Vawtrak

IOCs:
– kinepolis.top – EITest Gate
– culxw0.b28zu4.top – Rig Exploit Kit
– GET Requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]”
Post Infection DNS Queries:
– ctwruhwdk.com
– apgtsdeh.com
– lkfiravihg.com
Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 – File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 – File name: ...


“Delivery Confirmation” Leads to Locky Ransomware

IOC:
– mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl
Hashes:
SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29 – File name: UCCNTXS1519.js
SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a – File name: giHhrMNI1.dll
SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0 – File name: giHhrMNI1
The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email are shown below: Notice how the email contains a ...


pseudoDarkleech Leads to Neutrino EK at and Drops CryptMIC Ransomware

IOCs:
– busbycabinets.com – Compromised Site
– apulaisista.scrubs101webstore.com – Neutrino EK
– SSL/HTTPS callback traffic – Contains Ransom Note
Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7 – File name: Neutrino EK Landing Page.html
SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a – File name: Neutrino EK Flash Exploit.swf
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad432F6.tmp.dll
Traffic: The Infection Chain: The infection chain starts off with the ...