Tag: Ransomware

“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time. The subject line of the malspam samples that I received all started with “IMG_” ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.

IOCs HTTP Traffic: 160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php 185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit VirusTotal report showing URLs resolving to that IP 89.45.67.99 – POST /ppp/gate.php – Pony callback traffic 86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware 86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic Hashes: SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954 File name: serene.rushpcb.co.ukusde.php.txt SHA256: ...

EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.

IOCs Network Activity: 104.27.184.144 – teknonisme.com – Compromised WordPress site 188.225.39.227 – fix.russianpropoganda.com – RIG exploit kit 195.248.235.240 – stat6.s76.r53.com.ua – GET / addrecord.php? and POST /uploadextlist.php – C2 traffic 148.251.13.83 – stat6.s76.r53.com.ua – GET / addrecord.php? – C2 traffic Additional answers from the DNS query: 195.248.235.241 – stat6.s76.r53.com.ua – C2 traffic 31.41.216.90 – stat6.s76.r53.com.ua – C2 ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs: 86.106.93.230 – datsonsdaughter.com – Good Man gate 109.234.37.212 – see.letsown.com – RIG EK 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key] Traffic: Hashes: SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf SHA256: ...

RIG EK at 92.53.105.43 Drops ASN1 Ransomware

IOCs: 80.77.82.40 – wrapsing.gdn – GET /rotation/exoclick – Fake ad server points to RIG EK 92.53.105.43 – far.temperedgraces.com – RIG EK dxostywsduvmn6ra.onion – Payment domain Uses HKLM\Software\Microsoft\Windows\CurrentVersion\Run for persistence Ransom notes = !!!!!readme!!!!!.htm Filenames aren’t changed and encrypted files aren’t appended with a new extension SHA256: b14ffe0bdadfbab0de8b5ef1b5d078a7c500e5f4e164d771163171e1ed170542 File name: RIG EK Flash Exploit.swf SHA256: 2f51e6819a2dff508dae58abf95b5d381801debe0cd52b88d6ac05ad05531ba9 ...

EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.

IOCs: 104.28.18.48 – amaz0ns.com – Compromised website 188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK 188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run) 5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin Traffic: Hashes: SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b File name: Landing Page.html SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554 File name: RIG EK v4.0 Flash Exploit.swf SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69 File name: o32.tmp SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52 File ...

EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.

IOCs: 104.28.31.109 – lepatek.com – Compromised website 92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK 109.236.87.84 – 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin. Traffic: Hashes: SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8 File name: RIG-v EK Flash Exploit.swf SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea File name: QTTYUADAF SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e File name: rad26801.tmp.exe Hybrid-Analysis Report Infection Chain: Loading the website in my browser and ...

EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware

IOCs: 212.166.71.52 – blog.masmovil.es – Compromised website 194.87.145.225 – sound.formpools.co – RIG-v EK 45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback Traffic: Hashes: SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449 File name: EITest RIG-v EK Flash Exploit.swf SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650 File name: QTTYUADAF SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb File name: rad871F7.tmp.exe and SmartScreen.exe Hybrid-Analysis Report Infection Chain: I want to give a shout-out to @FreeBSDfan for ...

Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.

IOCs: 93.158.215.169 – fredomasearchdsd.top – RIG-v EK 186.2.163.47 – spora.biz – Spora ransomware domain Traffic: Hashes: SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5 File name: Landing Page.html SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52 File name: Flash Exploit.swf SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911 File name: radF0D46.tmp.exe Hybrid-Analysis Report Infection Chain: I found a website with an iframe containing a URL for a RIG-v EK landing page: It doesn’t ...