2015-01-26 - NEUTRINO EK FROM 108.61.197.150 - PELILG.EFRAI2.EU:28623 (VAWTRAK/NEVERQUEST PAYLOAD)

ASSOCIATED FILES:
CHAIN OF EVENTS

ASSOCIATED DOMAINS:
NEUTRINO EK:
POST-INFECTION TRAFFIC:
SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

Signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:
PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-26-Neutrino-EK-flash-exploit.swf
File size:  41.4 KB ( 42375 bytes )
MD5 hash:  0d89ee85522cc508eca373dd3ec9c29b
Detection ratio:  1 / 57
First submission:  2015-01-26 21:15:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0e618ceaada97a742cc2712ed43a961fc691355d080a092008bcfb45cf71d42d/analysis/
MALWARE PAYLOAD:

File name:  2015-01-26-Neutrino-EK-malware-payload.exe
File size:  368.0 KB ( 376832 bytes )
MD5 hash:  f7728b78b60cc138d776f5199fc9650c
Detection ratio:  9 / 57
First submission:  2015-01-26 21:15:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8997858aadb4933e78d071862f54a2c5dfdc64f8d1a3203f2943f600b3b9681/analysis/
DROPPED MALWARE:

File name:  C:\ProggramData\ZedfOzbeb\TugeBucb.fec
File size:  284.0 KB ( 290816 bytes )
MD5 hash:  579e5da03d3b0d1509cc2f2c2efae413
Detection ratio:  6 / 57
First submission:  2015-01-26 21:15:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3220bc8be25f45390196ba669e8b27587e2b1938f44ea1ece9d457c1794ac8ba/analysis/
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.