Malware Breakdown

Stream
 
EITest gate (31.184.192.188) leads to RigEK (185.117.73.207) and drops Vawtrak
IOCs:
31.184.192.188 - kinepolis.top - EITest Gate
185.117.73.207 - culxw0.b28zu4.top - Rig Exploit Kit
108.61.99.79 - GET Request via direct IP with the following URI pattern - "/module/[32 alphanumeric characters]"
Post Infection DNS Queries: 95.46.98....
 
pseudoDarkleech -> Neutrino EK at 188.165.197.194 drops CryptMIC Ransomware
IOCs:
184.106.55.84 - www.busbycabinets[.]com - Compromised Site
188.165.197.194 - apulaisista.scrubs101webstore[.]com - Neutrino EK
46.165.246.9 - SSL/HTTPS callback traffic - Contains Ransom Note
Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae2579922...
 
Malspam Contains ZIP'D JScript File (boxun4.bin)
IOCs: Sub-domains at .adultgameapp.ru

I received some malspam on 9/2/16 entitled "Take easy steps on the ladder of happiness". The email address of the sender was tqdwsaltpan@wavesboatclub.com and it was supposedly from a "Bettie K. Letbetter": Allowing ...
 
EITest Gate Leads to Rig EK and Drops CryptFile2 Ransomware
IOCs:
184.106.55.122 - www.deadendbbq[.]com - Compromised Website
194.165.16.204 - nohydyc.top - EITest Gate
195.133.201.44 - rty.exploredowntownwestpalmbeach.com - Rig Exploit Kit
5.39.86.86 - GET /default.jpg
5.39.86.86 - POST /z/setting.php
Hashes: SHA...
 
Afraidgate -> Neutrino EK -> Locky
IOCs:
195.58.170.31 - skopikundlohn[.]at - Compromised Site
138.68.18.73 - crew.nbbgradstudents.com - Afraidgate JS
5.2.73.124 - kqccnxro.thatset.top - Neutrino EK
188.127.249.32 - POST /data/info.php - callback traffic
95.85.19.195 - POST /data/info.php -...
 
Pseudo-Darkleech -> Neutrino EK -> CryptMIC Ransomware
IOCs:
181.224.138.165 - www.etratech[.]com - Compromised Website
74.208.161.160 - spuitvissen.mycasemanager.co.uk - Neutrino EK
85.14.243.9 - CryptMIC post-infection traffic over TCP port 443
Hashes:
SHA256: 3f8bedcc1f738469b7fae7446387aeeb5b4e1b8f1b5bb810a...
 
Malspam "Delivery Confirmation" leads to Locky
IOC:
49.212.150.106 - mochacat.net - GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl
File Hashes:
SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29
File name: UCCNTXS1519.js
SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f4...
Shared publicly  - 
 
pseudoDarkleech -> Neutrino EK at 137.74.223.56 -> CryptMIC Ransomware
IOCs:
184.106.55.75 - www.getfueled.com - Compromised Site
137.74.223.56 - baldonafunktionel.kayhaggard.com - Neutrino EK
46.165.246.9 - SSL/HTTPS callback traffic - Contains Ransom Note
Hashes:
SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f...
 
Malspam contains ZIP'd WScript that retrieves Locky
IOCs:
82.197.131.109 - imex.atspace.com - GET /sxqtddp?VlwYKkCOYvI=axCugUhsM
213.205.40.169 - www.archiviestoria.it - GET /waotorf?VlwYKkCOYvI=axCugUhsM
69.195.129.70 - tlehsdy.biz - POST /data/info.php
Hashes:
SHA256: 010b6da42c0b377f4b28fbcaa1268f046eeb...
 
Another Afraidgate leads to Neutrino EK at 5.2.73.124 and drops Locky
IOCs:
50.97.68.34 - www.eddieoneverything[.]com - Compromised Site
138.68.18.73 - null.delayofgame.com - Afraidgate JS
5.2.73.124 - aqxsgncqro.anyoneshall.top - Neutrino EK
HTTP requests:
URL: hxxp://95.85.19.195/data/info.php TYPE: POST
URL: hxxp://188.127...
 
Pseudo-Darkleech -> Neutrino EK -> CryptMIC Ransomware
IOCs:
181.224.139.64 - www.stjoeschool[.]org - Compromised Website
74.208.161.160 - besucador.me-audio.co.uk - Neutrino EK
85.14.243.9 - CryptMIC post-infection traffic via TCP port 443
Hashes:
SHA256: f370ed0da244a4d8eeda498dd211fa224289398ffc6c068030327ae...
 
Pseudo-Darkleech -> Neutrino EK -> CryptMIC Ransomware
IOCs:
216.58.216.99 - www.moanavoyage.org - Compromised Site
74.208.192.10 - biodynaaminen.pahiremidlands.co.uk - Neutrino EK
85.14.243.9 - CryptMIC post-infection traffic over TCP port 443
Hashes:
SHA256: 44ea0ce673f1c5cd0637a2212d2b9370e9cffc8487ce96209c...
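Several of the posts above give post-infection traffic as URL patterns rather than as hashes: the EITest -> Rig -> Vawtrak post's payload fetch (a GET via direct IP with a "/module/" + 32 alphanumeric URI), the Locky callbacks in the Afraidgate and malspam posts (POST /data/info.php), and the CryptFile2 pair in the EITest -> Rig -> CryptFile2 post (GET /default.jpg and POST /z/setting.php to the same host). The script below is an added example, not code from the Malware Breakdown posts, showing how those three patterns can be matched against proxy logs. The "METHOD URL STATUS" log format, the example.net hosts, the payload path contents and the tag names are constructed for illustration; the IPs reuse the ones the posts list.

```python
"""Flag proxy-log requests that match the post-infection URL patterns from the posts.

Added example, not code from the Malware Breakdown posts. The log format, the
example.net hosts and the tag names are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# EITest -> Rig -> Vawtrak post: payload GET via direct IP, URI "/module/" + 32 alphanumerics
RIG_MODULE_RE = re.compile(r"^/module/[A-Za-z0-9]{32}$")
# Afraidgate -> Neutrino -> Locky and malspam -> Locky posts: POST /data/info.php callback
LOCKY_CALLBACK_PATH = "/data/info.php"
# EITest -> Rig -> CryptFile2 post: GET /default.jpg and POST /z/setting.php to the same host
CRYPTFILE2_PAIR = frozenset({("GET", "/default.jpg"), ("POST", "/z/setting.php")})

# Constructed sample log, one request per line: METHOD URL STATUS
SAMPLE_LOG = """\
GET http://108.61.99.79/module/a1b2c3d4e5f60718293a4b5c6d7e8f90 200
GET http://cdn.example.net/module/a1b2c3d4e5f60718293a4b5c6d7e8f90 200
GET http://108.61.99.79/module/short 404
POST http://95.85.19.195/data/info.php 200
GET http://5.39.86.86/default.jpg 200
GET http://www.example.net/default.jpg 200
POST http://5.39.86.86/z/setting.php 200
"""


def is_bare_ip(host):
    """True when the request host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def parse_line(line):
    """Split one 'METHOD URL STATUS' line into method, host, path, query and status."""
    method, url, status = line.split()
    parts = urlsplit(url)
    return {"method": method.upper(), "host": parts.hostname or "",
            "path": parts.path, "query": parts.query, "status": int(status)}


def classify(rec):
    """Tag a single request, or return None when no single-request pattern matches."""
    if rec["method"] == "GET" and is_bare_ip(rec["host"]) and RIG_MODULE_RE.match(rec["path"]):
        return "rig_module_fetch"
    if rec["method"] == "POST" and rec["path"] == LOCKY_CALLBACK_PATH:
        return "locky_callback"
    return None


def scan(log_text):
    """Return [(line_number, tag), ...] for every hit in the log.

    Single-request rules fire per line. The CryptFile2 rule needs both requests
    to the same host, so it is tracked across lines and reported once per host,
    on the line that completes the pair.
    """
    hits = []
    seen = defaultdict(set)   # host -> {(method, path)} pair members seen so far
    reported = set()          # hosts already reported for the completed pair
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        tag = classify(rec)
        if tag:
            hits.append((n, tag))
        key = (rec["method"], rec["path"])
        if key in CRYPTFILE2_PAIR:
            seen[rec["host"]].add(key)
            if seen[rec["host"]] == CRYPTFILE2_PAIR and rec["host"] not in reported:
                reported.add(rec["host"])
                hits.append((n, "cryptfile2_callback_pair"))
    return hits


if __name__ == "__main__":
    for line_no, tag in scan(SAMPLE_LOG):
        print(f"line {line_no}: {tag}")
```

The bare-IP check is what keeps the Rig rule from firing on a legitimate "/module/..." path served from a named host, and the pair rule only reports a host once both CryptFile2 requests have been seen, so a lone GET /default.jpg from an ordinary website does not alert on its own.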