Tag: CryptMIC

pseudoDarkleech Leads to Rig EK at 164.132.88.58 And Drops CryptMIC

IOCs:
50.22.5.55 – gendisasters.com – Compromised Website
164.132.88.58 – consulavissem-descorderar.navyamateurradioclub.org – Rig EK
162.244.35.19 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)

Traffic:

Hashes:
SHA256: eff15c0ede4f784532fd933843a2bf4dda86c92dbed785b979af50b7c808e34e – File name: RigEK Landing Page.html
SHA256: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008 – File name: RigEK Flash Exploit.swf
SHA256: d9553d2651fd05d98dbb551ed32f5875b73010b0387a487e3410ca75486c5d79 – File name: radF7DD3.tmp.exe

Infection Chain:
The user would browse to the compromised website. ...

pseudoDarkleech Leads to Rig EK at 164.132.88.59 Which Drops CryptMIC Ransomware

IOCs:
50.87.151.118 – fourcornersbc.com – Compromised Site
164.132.88.59 – betonmaustanfordin.freshstyleapparel.com – Rig EK
162.244.35.19 – CryptMIC post-infection traffic via TCP port 443

Traffic:

Hashes:
SHA256: 38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f – File name: RigEK Landing Page.html
SHA256: dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5 – File name: RigEK Flash Exploit.swf
SHA256: b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da – File name: rad57379.tmp.exe

Infection Chain:
The infection chain started with me browsing to the compromised ...

pseudoDarkleech Leads to Rig EK at 137.74.61.215 and Drops CryptMIC

IOCs:
206.188.193.161 – gallolocomexican.com – Compromised Website
137.74.61.215 – barkatullavbwait.ernestboaten.com – Rig EK
162.244.35.19 – CryptMIC C2 via TCP port 443 – Traffic sent in the clear

Traffic:

Hashes:
SHA256: 1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656 – File name: RigEK Landing Page.html
SHA256: 25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe – File name: RigEK Flash Exploit.swf
SHA256: 293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511 – File name: IIj6sFosp
SHA256: 1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b – File name: rad84159.tmp.exe

Infection Chain:
...

pseudoDarkleech Leads to Rig EK at 5.196.126.82 Which Delivers CryptMIC

IOCs:
162.144.62.185 – tygerauto.com – Compromised Website
5.196.126.167 – aufrufenderasamblea.cyclemanagementassociates.info – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)

Traffic:

Hashes:
SHA256: b7911fe9343c681b9ed5cc34f9489d4b82d8dc2aaf1136c05ba44d9546707687 – File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f – File name: RigEK Flash Exploit.swf
SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d – File name: rad68A3A.tmp.exe

Infection Chain:
Below is an image grab from the compromised ...

Rig EK at 91.121.208.103 Drops CryptMIC

IOCs:
65.254.227.224 – zurnyachts[.]com – Compromised Site
91.121.208.103 – butterteigenpassionisten.loganslittleangels.org – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443

Traffic:

Video of Infection:
Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉

Hashes:
SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4 – File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f – File ...

Malvertising in Action

ShadowGate IOCs:
IP = 212.116.121.239
IP = 5.200.55.173

Watch a host be compromised in real time! The original article is from Nick Biasini over at Talos. Click on this link to read more about this particular gate, malvertising, and how ShadowGate was eventually taken down!

Rig EK at 149.202.239.50 Drops CryptMIC Ransomware

IOCs:
192.185.112.45 – 101beautytricks.com – Compromised Site
149.202.239.50 – dissect.theawesomestmusic.com – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)

Traffic:

Hashes:
SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230 – File name: RigEK Landing Page.html
SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff – File name: RigEK Flash Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc – File name: rad8035D.tmp.exe

Infection Chain:
...