2015-11-10 - ANGLER EK SENDS TINBA BANKING TROJAN

ASSOCIATED FILES:

NOTES:


Shown above: Script injected into a page from the compromised website.


TRAFFIC

ASSOCIATED DOMAINS:


FIRST RUN (NO INFECTION):


SECOND RUN (NO INFECTION):


THIRD RUN (INFECTION!):


SNORT EVENTS

Significant signature hits after using tcpreplay on Security Onion with the Emerging Threats and ETPRO rulesets (without ET POLICY or ET INFO events):

Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.7.6 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

ANGLER EK FLASH EXPLOIT - FIRST RUN:

File name:  2015-11-10-Angler-EK-flash-exploit-first-run.swf
File size:  75.8 KB ( 77,623 bytes )
MD5 hash:  7125e72ea05e8aa746e2545c90c772c4
SHA1 hash:  a5e1590ff29b93de99c21dd8dfd63f0e1e3bf587
SHA256 hash:  ceaf7e0069ee705ea47b93c52540f63e0635b33daa576a81be09b1ffb8382d6b
Detection ratio:  1 / 53
First submission:  2015-11-10 17:21:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ceaf7e0069ee705ea47b93c52540f63e0635b33daa576a81be09b1ffb8382d6b/analysis/


ANGLER EK FLASH EXPLOIT - SECOND RUN:

File name:  2015-11-10-Angler-EK-flash-exploit-second-run.swf
File size:  82.9 KB ( 84,898 bytes )
MD5 hash:  498e9abeea83d77506c3f50dc786052f
SHA1 hash:  4c7fbf8b2325e17346bbc91452ed25d7fa151f5e
SHA256 hash:  cacff0ac8cfc0cd58fe6c3377c21d473e61ab7ca9c1e8ca0ba04d9ef3dd79909
Detection ratio:  1 / 53
First submission:  2015-11-10 17:22:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/cacff0ac8cfc0cd58fe6c3377c21d473e61ab7ca9c1e8ca0ba04d9ef3dd79909/analysis/


ANGLER EK FLASH EXPLOIT - THIRD RUN:

File name:  2015-11-10-Angler-EK-flash-exploit-third-run.swf
File size:  51.7 KB ( 52,894 bytes )
MD5 hash:  351eb1c661b0951f828927d1c1ff31af
SHA1 hash:  aff180029e9c8a53b42cd3354e8bd6d7ff693e5c
SHA256 hash:  1d922897ebaae30b0626a87cb22ac3d6d175d7382383818d5c6f86e94cc6764f
Detection ratio:  2 / 53
First submission:  2015-11-10 17:22:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1d922897ebaae30b0626a87cb22ac3d6d175d7382383818d5c6f86e94cc6764f/analysis/


ANGLER EK MALWARE PAYLOAD (THIRD RUN) - TINBA:

File name:  2015-11-10-Angler-EK-malware-payload.exe
File name:  C:\Users\[username]\AppData\Roaming\719F37CB\bin.exe
File size:  120.0 KB ( 122,880 bytes )
MD5 hash:  7d3629066390751e9824026a058626d4
SHA1 hash:  3a0b4b3032e59683e89df1945561d51898416ec8
SHA256 hash:  8150215095481c9ec360ea832243e12eda0257b3a005d7170efb799571ad8fca
Detection ratio:  2 / 52
First submission:  2015-11-10 17:22:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8150215095481c9ec360ea832243e12eda0257b3a005d7170efb799571ad8fca/analysis/
Malwr link:  https://malwr.com/analysis/ZWQwNzE0ZDg0ZThkNDdkY2I5OGNjNjAxODIzOGUxNDY/
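The four hash blocks above are the indicators a defender would actually act on. As an added example (not part of the original writeup or its associated files), the Python below parses a listing in the same "Field:  value" layout into records, then matches files against them by requiring every listed digest to agree rather than trusting a single MD5. The embedded excerpt is constructed from this page's own Flash-exploit and payload entries; the directory scan and the sample bytes in the demo are assumptions for illustration only and do not reproduce any file from the page.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed excerpt in the writeup's own layout (values copied from the page).
IOC_LISTING = r"""
ANGLER EK FLASH EXPLOIT - FIRST RUN:

File name:  2015-11-10-Angler-EK-flash-exploit-first-run.swf
File size:  75.8 KB ( 77,623 bytes )
MD5 hash:  7125e72ea05e8aa746e2545c90c772c4
SHA1 hash:  a5e1590ff29b93de99c21dd8dfd63f0e1e3bf587
SHA256 hash:  ceaf7e0069ee705ea47b93c52540f63e0635b33daa576a81be09b1ffb8382d6b
Detection ratio:  1 / 53

ANGLER EK MALWARE PAYLOAD (THIRD RUN) - TINBA:

File name:  2015-11-10-Angler-EK-malware-payload.exe
File name:  C:\Users\[username]\AppData\Roaming\719F37CB\bin.exe
File size:  120.0 KB ( 122,880 bytes )
MD5 hash:  7d3629066390751e9824026a058626d4
SHA1 hash:  3a0b4b3032e59683e89df1945561d51898416ec8
SHA256 hash:  8150215095481c9ec360ea832243e12eda0257b3a005d7170efb799571ad8fca
Detection ratio:  2 / 52
"""

# A block header is an all-caps line ending in a colon; fields are "Name:  value".
HEADER_RE = re.compile(r"^[A-Z0-9 ()\-]+:$")
FIELD_RE = re.compile(
    r"^(File name|File size|MD5 hash|SHA1 hash|SHA256 hash|Detection ratio):\s+(.*)$"
)


def parse_ioc_listing(text):
    """Turn the listing into a list of dicts: label, names, size, md5, sha1, sha256, detections."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            current = {"label": line.rstrip(":"), "names": []}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m is None or current is None:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "File name":
            current["names"].append(value)          # a sample may be listed under several names
        elif field == "File size":
            size = re.search(r"\(\s*([\d,]+)\s*bytes\s*\)", value)
            current["size"] = int(size.group(1).replace(",", "")) if size else None
        elif field == "Detection ratio":
            hits, total = (int(x) for x in value.split("/"))
            current["detections"] = (hits, total)
        else:
            current[field.split()[0].lower()] = value.lower()   # md5 / sha1 / sha256
    return records


def hash_bytes(data):
    """All three digests the writeup lists, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_bytes(data, records):
    """Return the record whose listed digests all match `data`, else None.

    Requiring every listed algorithm to agree means a lone MD5 coincidence
    (or a transcription error in one hash) does not produce a false hit."""
    digests = hash_bytes(data)
    for rec in records:
        listed = {k: rec[k] for k in ("md5", "sha1", "sha256") if k in rec}
        if listed and all(digests[k] == v for k, v in listed.items()):
            return rec
    return None


def scan_directory(root, records):
    """Hash every file under `root` and report (path, label) for each IoC hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rec = match_bytes(path.read_bytes(), records)
            if rec is not None:
                hits.append((str(path), rec["label"]))
    return hits


if __name__ == "__main__":
    records = parse_ioc_listing(IOC_LISTING)
    # Assumed demo: a scratch directory with a constructed file that is NOT one of the samples.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "bin.exe").write_bytes(b"constructed stand-in, not the real payload")
        print("hits:", scan_directory(tmp, records))   # name alone never triggers a hit
```

The matcher deliberately ignores file names and sizes when deciding a hit: the payload above was dropped as `bin.exe` under a random-looking `AppData\Roaming` folder, so names are weak evidence, whereas three agreeing digests against the listed values are strong.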


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
