Tag: EITest Gate

EITest Gate at 31.184.192.173 Leads to Rig EK at 185.141.25.28 and Drops… ?

IOCs:
66.84.14.125 – orfab.com – Compromised Site
31.184.192.173 – piperandscoot.top – EITest Gate
185.141.25.28 – jxlyv.xajee73.top – Rig EK
185.146.171.131/bt/logout.php – post infection callback traffic

Hashes:
SHA256: cc21bee629f99e6a5e5b433f593670b2dea4075b6252fb04fd1bfbb40fbf8e80 – File name: EITest Flash Redirect.swf
SHA256: bf9cda2afc425019312f8c4bc5856ad8378ea980dcd3e195e615224c6777eb5c – File name: EITest Gate.html
SHA256: c73c63f4b5ebd3ebe7c4de16a99519c876a93c50b12b1a3406c28c2929752d68 – File name: RigEK Landing Page.html
SHA256: 970491ca792332f3479200c94dddfe7d77112beb0b879d5becb279010860b487 – File name: RigEK Flash Exploit.swf

Traffic: As ...

EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs:
198.15.70.67 – azarsenalsc[.]org – Compromised Site
31.184.193.179 – aliancaadm.top – EITest Gate
185.117.73.220 – zio11q.oa3ri8.top – Rig EK
103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot
103.234.37.4 – GET /rd927.exe – Post infection download
66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php
104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php
107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php

Reference for ...

EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs:
31.184.192.188 – kinepolis.top – EITest Gate
185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit
108.61.99.79 – GET requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]”

Post Infection DNS Queries:
95.46.98.89 – ctwruhwdk.com
95.46.98.89 – apgtsdeh.com
81.177.13.242 – lkfiravihg.com

Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 – File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 – File name: ...

EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs:
184.106.55.122 – deadendbbq[.]com – Compromised Website
194.165.16.204 – nohydyc.top – EITest Gate
195.133.201.44 – rty.exploredowntownwestpalmbeach.com – Rig Exploit Kit
5.39.86.86 – GET /default.jpg
5.39.86.86 – POST /z/setting.php

Hashes:
SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34 – File name: EITest SWF Redirect.swf
SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9 – File name: EITest Gate.html
SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a – File name: RigEK Landing Page.html
SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6 – File name: RigEK SWF ...

EITest Gate at 85.93.0.110 Leads to Rig EK at 178.32.92.122 and Drops Vawtrak

IOCs:
88.208.252.222 – cam-machine.com – Compromised Website
85.93.0.110 – focecu.xyz – EITest Gate
178.32.92.122 – eeuo5tu8.top – Rig EK
108.61.99.79 – GET /module/d1967c99c0c7f9b468f2e08e59e41ffe
108.61.99.79 – GET /module/311ac29c5a8f6b4e7a247db98207fd6e
108.61.99.79 – GET /module/96df1c84c7fb13e880e399f9627e0db0
108.61.99.79 – GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
108.61.99.79 – GET /module/a104f2955999a2f1a1c881e8930b82f6

Post-Infection DNS Queries resolving to 91.235.129.178:
zmluvsfe.com
machinabat.pw
baltolux.bid
twoggis.bid

Post-Infection DNS Queries resolving to 185.4.67.154:
chanpie.pw
zoomir.bid
buhnuti.bid
wermoo.pw

DNS standard query responses ...
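The two Vawtrak posts above (31.184.192.188 / kinepolis.top and 85.93.0.110 / focecu.xyz) share one post-infection signature: GET requests to 108.61.99.79 by direct IP with a URI of the form /module/[32 alphanumeric characters]. The script below is an added example, not code from the blog, that turns those indicators into detection logic and runs it over constructed proxy log lines. The gate and Rig EK domains, the C2 IP and the URI pattern are taken from the posts; the log format (epoch, client, method, URL), the stage names, the request paths on the gate and EK hosts ("/"), and the 600-second window are this example's own assumptions.

```python
"""Detection logic for the EITest -> Rig EK -> Vawtrak chain in the two
Vawtrak posts above. Added example, not the blog's code: indicator values
come from the posts; the log format and log lines are constructed."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the two Vawtrak posts.
EITEST_GATES = {"kinepolis.top", "focecu.xyz"}
RIG_EK_HOSTS = {"culxw0.b28zu4.top", "eeuo5tu8.top"}
# Post: "GET requests via direct IP ... /module/[32 alphanumeric characters]".
# The listed samples are lowercase hex, but the post says alphanumeric.
MODULE_URI = re.compile(r"^/module/[A-Za-z0-9]{32}$")

# Stage labels are this example's own naming, in expected chain order.
STAGE_ORDER = ("eitest_gate", "rig_ek", "vawtrak_module_fetch")


def _is_ip_literal(host):
    """True when the Host is a bare IP literal rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(method, url):
    """Map one proxied request to a chain stage, or None if nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in EITEST_GATES:
        return "eitest_gate"
    if host in RIG_EK_HOSTS:
        return "rig_ek"
    # Vawtrak module fetch: GET, direct-IP host, /module/<32 alphanumerics>
    if method == "GET" and _is_ip_literal(host) and MODULE_URI.match(parts.path):
        return "vawtrak_module_fetch"
    return None


def scan_log(text):
    """Parse constructed lines '<epoch> <client> <method> <url>' and return
    {client: [(epoch, stage), ...]} containing only matching requests."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(None, 3)
        stage = classify_request(method, url)
        if stage:
            hits.setdefault(client, []).append((int(ts), stage))
    for events in hits.values():
        events.sort()
    return hits


def infection_chains(text, window=600):
    """Clients seen hitting gate, then Rig EK, then a module fetch, in that
    order and within `window` seconds of the first gate hit (assumed window)."""
    infected = set()
    for client, events in scan_log(text).items():
        want, start = 0, None
        for ts, stage in events:
            if stage != STAGE_ORDER[want]:
                continue
            if want == 0:
                start = ts
            elif ts - start > window:
                continue
            want += 1
            if want == len(STAGE_ORDER):
                infected.add(client)
                break
    return infected


# Constructed proxy log: 10.0.0.5 walks the full chain; 10.0.0.9 makes a
# /module/ request to a hostname and one with a short token, neither of which
# should match. Paths on the gate and EK hosts are assumed, not from the posts.
SAMPLE_LOG = """\
1486630000 10.0.0.5 GET http://cam-machine.com/
1486630002 10.0.0.5 GET http://focecu.xyz/
1486630004 10.0.0.5 GET http://eeuo5tu8.top/
1486630006 10.0.0.5 GET http://108.61.99.79/module/d1967c99c0c7f9b468f2e08e59e41ffe
1486630007 10.0.0.5 GET http://108.61.99.79/module/311ac29c5a8f6b4e7a247db98207fd6e
1486630010 10.0.0.9 GET http://example.org/module/d1967c99c0c7f9b468f2e08e59e41ffe
1486630011 10.0.0.9 GET http://203.0.113.7/module/short
"""

if __name__ == "__main__":
    for client, events in scan_log(SAMPLE_LOG).items():
        print(client, events)
    print("infected:", sorted(infection_chains(SAMPLE_LOG)))
```

The direct-IP check matters: a /module/ path on a named host is not the Vawtrak pattern the posts describe, and the 32-character requirement keeps short or unrelated /module/ paths from firing. Sequencing the stages per client separates a real infection from a single stray hit on a gate domain.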

EITest Gate at 85.93.0.13 Leads to Rig EK at 109.234.38.67 Which Drops Cerber Ransomware

IOCs:
85.93.0.13 – kavafo.xyz – EITest Gate
109.234.38.67 – qw.thesleepdoctormattress.com – Rig EK
162.250.144.215 – ip-api.com – GET /json – IP Check
115.28.36.224 – http://www.doswf.com – Associated with Rig EK Flash Exploit
91.223.89.201 – Decryptor Site – Associated Files
148.251.6.214 – btc.blockr.io – Associated with BitCoin Information
31.184.234.0/24 and 31.184.235.0/24 via UDP port 6892

Hashes: ...

For the First Time Ever, EITest Gate Leads to Rig EK

IOCs:
85.93.0.12 – epanofap.top – EITest IP/Domain
185.158.152.118 – free.giftofhair.org – Rig EK

Hashes (MD5):
EITest Gate Flash Redirect: 2e562c81b88c1a2061c6aa591c25f90c
EITest Gate Landing Page: 859a8994f27d2f9ded7d3aab783d4680
Rig EK Landing Page: 50ad7f7a888954b8a79469f8662864a2
Rig EK Flash Exploit: c6014a32cc06f862ea44db720dfcf553
Rig EK Payload: 7e1622d13f59a7e9f6c0939a2c35ba45

I believe today is the first time that anyone has ever seen the EITest gate leading to a Rig Exploit ...