Tag: ZeuS

EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs:
46.252.207.1 – amberhsu.com – Compromised site
185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET)
185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2
185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3
222.206.156.2, 208.73.206.179, 23.108.245.93 – post-infection DNS queries shown below.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org ...

EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs:
216.17.111.107 – theconservativeclub.us – Compromised website
176.223.111.152 – bj4lr.xl2sz08.top – Rig EK
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the host also contacted both IPs via TCP port 80.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org, monertee39.com

Traffic:

Hashes:
SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3
File name: RigEK Landing Page.html
SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd
File ...

EITest Leads to Rig EK at 176.223.111.33 and 176.223.111.77, Malicious SSL Certificate Detected

IOCs:
184.168.152.59 – abc-imports.com – Compromised website
176.223.111.33 – hs0ql.hd9ads4fb.top – Rig EK
176.223.111.77 – wub2v.pgpbpgu.top – Rig EK (second run)
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the host also contacted both IPs via TCP port 80.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org, monertee39.com

Traffic (first run):

Hashes: ...

EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail

IOCs:
198.23.50.198 – luxurenailbar.com – Compromised website
185.45.193.52 – jw1f0y.wkfroa.top – Rig EK

Post-infection POST requests:
62.129.220.170 – infotech.pl
76.12.115.26 – leapc.com
50.63.46.84 – 2print.com
104.25.146.12 – dayvo.com
219.122.1.240 – ex-olive.com
103.241.2.201 – pb-games.com
193.34.148.140 – stnic.co.uk
77.66.54.114 – valdal.com
72.3.177.107 – owsports.ca
23.229.223.161 – nunomira.com
46.30.59.13 – com-sit.com
118.23.162.86 – ora.ecnet.jp
69.163.218.51 – ...
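The four entries above share a pattern: a compromised site, a Rig EK gate on a throwaway .top domain, then DNS lookups and port-80 connections to the same post-infection infrastructure (222.206.156.2, 208.73.206.179 and the domains resolving to them). The script below is an added example, not code from this site; it transcribes the IP and domain indicators from these entries and runs them over constructed DNS and connection log lines in a simple whitespace-separated format that is assumed, not taken from any real sensor. The "same /24" match is an added heuristic (the entries list several Rig EK hosts per /24) and is reported separately from exact hits, and only exact hits count toward calling a host infected.

```python
"""Added example: match the Rig EK / post-infection IOCs listed above against log lines."""
import ipaddress
import re
from collections import defaultdict

# IP indicators transcribed from the four entries above, tagged by stage of the chain.
IOC_IPS = {
    "46.252.207.1": "compromised site",
    "216.17.111.107": "compromised site",
    "184.168.152.59": "compromised site",
    "198.23.50.198": "compromised site",
    "185.141.25.207": "Rig EK",
    "185.141.25.234": "Rig EK",
    "185.141.26.72": "Rig EK",
    "176.223.111.152": "Rig EK",
    "176.223.111.33": "Rig EK",
    "176.223.111.77": "Rig EK",
    "185.45.193.52": "Rig EK",
    "222.206.156.2": "post-infection",
    "208.73.206.179": "post-infection",
    "23.108.245.93": "post-infection",
}

# Domain indicators from the same entries.
IOC_DOMAINS = {
    "amberhsu.com": "compromised site",
    "theconservativeclub.us": "compromised site",
    "abc-imports.com": "compromised site",
    "luxurenailbar.com": "compromised site",
    "za95uur.ag0clk.top": "Rig EK",
    "h01wi.d7riwiu.top": "Rig EK",
    "gyu1f1.eowjl2.top": "Rig EK",
    "bj4lr.xl2sz08.top": "Rig EK",
    "hs0ql.hd9ads4fb.top": "Rig EK",
    "wub2v.pgpbpgu.top": "Rig EK",
    "jw1f0y.wkfroa.top": "Rig EK",
    "nitrrotetris.com": "post-infection",
    "monsterkillyep444.net": "post-infection",
    "blintyris.net": "post-infection",
    "lamerpamer.org": "post-infection",
    "monertee39.com": "post-infection",
}

# Assumed log formats: "<ts> <src> query <qname> <qtype>" and "<ts> <src> -> <dst>:<port> <proto>".
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)\s+\S+$")
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+\S+$")

# Constructed sample logs (not captured traffic); 176.223.111.200 is a made-up neighbour, not a page IOC.
SAMPLE_DNS_LOG = """\
2017-01-01T12:00:01 10.0.0.5 query amberhsu.com A
2017-01-01T12:00:03 10.0.0.5 query h01wi.d7riwiu.top A
2017-01-01T12:00:09 10.0.0.5 query NitrroTetris.com. A
2017-01-01T12:00:10 10.0.0.5 query www.example.com A
2017-01-01T12:00:11 10.0.0.9 query lamerpamer.org A
"""
SAMPLE_CONN_LOG = """\
2017-01-01T12:00:04 10.0.0.5 -> 185.141.25.234:80 tcp
2017-01-01T12:00:12 10.0.0.5 -> 222.206.156.2:80 tcp
2017-01-01T12:00:13 10.0.0.9 -> 93.184.216.34:443 tcp
2017-01-01T12:00:14 10.0.0.12 -> 176.223.111.200:80 tcp
"""


def normalize_domain(name):
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return name.lower().rstrip(".")


def domain_stage(qname):
    """Stage for qname or any parent domain of it (sub.evil.com matches evil.com); TLD alone never matches."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return IOC_DOMAINS[candidate]
    return None


def ip_stage(addr):
    """(stage, 'exact') for a listed IP; (stage, 'same /24') if the /24 holds a Rig EK IOC; else None."""
    if addr in IOC_IPS:
        return IOC_IPS[addr], "exact"
    net = ipaddress.ip_network(addr + "/24", strict=False)
    for ioc, stage in IOC_IPS.items():
        if stage == "Rig EK" and ipaddress.ip_address(ioc) in net:
            return stage, "same /24"
    return None


def scan(dns_log, conn_log):
    """Return {src_host: [(ts, indicator, stage, confidence), ...]} sorted by timestamp per host."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and (stage := domain_stage(m["qname"])):
            hits[m["src"]].append((m["ts"], normalize_domain(m["qname"]), stage, "exact"))
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and (found := ip_stage(m["dst"])):
            hits[m["src"]].append((m["ts"], m["dst"], found[0], found[1]))
    return {host: sorted(events) for host, events in hits.items()}


def infected_hosts(hits):
    """Hosts with an exact Rig EK hit followed by exact post-infection traffic: the chain seen in the entries above."""
    result = []
    for host, events in hits.items():
        stages = {stage for _, _, stage, conf in events if conf == "exact"}
        if "Rig EK" in stages and "post-infection" in stages:
            result.append(host)
    return sorted(result)


if __name__ == "__main__":
    found = scan(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG)
    for host, events in found.items():
        for ts, indicator, stage, conf in events:
            print(f"{ts} {host} -> {indicator} [{stage}, {conf}]")
    print("likely infected:", infected_hosts(found))
```

A host that only resolves one of the post-infection domains, like 10.0.0.9 in the sample, is reported but not marked infected; those domains rotate, so a lone DNS hit deserves a look at the preceding HTTP traffic for a .top landing page before escalating.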