2015-10-21 - NEUTRINO EK FROM 89.38.150.119 SENDS NECURS

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS


Shown above:  Results in Security Onion after using tcpreplay on the pcap.

ASSOCIATED DOMAINS:

REDIRECT/GATE:

NEUTRINO EK:

POST-INFECTION TRAFFIC:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-10-21-Neutrino-EK-flash-exploit.swf
File size:  92.9 KB ( 95138 bytes )
MD5 hash:  97bedff81331b2198b0f07b1088d6bcb
SHA1 hash:  1b3777daf1090eb60559e57f388f22342b7751df
SHA256 hash:  497a23fa67dd737b81e00481240e9e9e3e4e1bab7d6f74f211717a2873a203d5
Detection ratio:  0 / 56
First submission:  2015-10-21 16:46:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/497a23fa67dd737b81e00481240e9e9e3e4e1bab7d6f74f211717a2873a203d5/analysis/

MALWARE PAYLOAD:

File name:  2015-10-21-Neutrino-EK-malware-payload.exe
File name:  C:\Windows\Installer\{D9420F8B-C520-4316-D4D2-8B77B4998B1C}\syshost.exe
File size:  194.5 KB ( 199168 bytes )
MD5 hash:  3251e5ebe7c0e61aac2d2f74b3423e12
SHA1 hash:  f752e081246dda766aa87ff89615824d684a9d40
SHA256 hash:  3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048
Detection ratio:  8 / 56
First submission:  2015-10-21 08:41:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048/analysis/
Malwr link:  https://malwr.com/analysis/NTYzOWRmYmVmZGQwNDcxMzg5Y2IxMDdjYzIwNjRlMzc/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/3e2a76ed82bd9320700deb079a8d6fdcb5236c37b8f5c2b0e72683fd8dacb048?environmentId=4

REGISTRY KEYS:


Shown above:  One of the registry keys created or updated by this malware.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.