2016-01-11 - RIG EK FROM 46.30.43.79 SENDS QBOT

ASSOCIATED FILES:

NOTES:


Shown above: pcap of the infection traffic filtered in Wireshark.


TRAFFIC

ASSOCIATED DOMAINS:


MALICIOUS JAVASCRIPT IN .JS FILE FROM COMPROMISED WEBSITE:


VARIABLE RETURNED FROM GATE:


RIG EK:


POST-INFECTION QBOT ACTIVITY - TCP TRAFFIC:


POST-INFECTION QBOT ACTIVITY - DNS TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name: 2016-01-11-Rig-EK-flash-exploit.swf
File size: 13.9 KB (14,191 bytes)
MD5 hash: 25c89ea76c405b600345f6418ad53eba
SHA1 hash: b2908859caca1f2f38cd54a8efc0e059ad7a8208
SHA256 hash: 527dc4ff26309ecfb6003ca4fc2d8b5e695c90994baf6f12a30ee5b7727aa43f
Detection ratio (at the time of submission): 4 / 54
First submission: 2016-01-11 19:47:12 UTC
VirusTotal - link


MALWARE PAYLOAD:

File name: 2016-01-11-Rig-EK-malware-payload-Qbot.exe
File size: 208.0 KB (212,992 bytes)
MD5 hash: 1dfc0905de2dc77f69a97376f1c02f63
SHA1 hash: 228ba1685199684adcfdf8f272bab88a106b7bcc
SHA256 hash: 020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480
Detection ratio (at the time of submission): 11 / 54
First submission: 2016-01-11 19:47:26 UTC
VirusTotal - link
Malwr.com - link
Hybrid-Analysis.com - link


ANOTHER POST-INFECTION ARTIFACT:

File name: C:\Users\[username]\AppData\Local\Microsoft\roogar.wpl (file type: ASCII C program text)
File size: 8.8 KB (9,051 bytes)
MD5 hash: fae4b24538aef6bca3959fc3680990c2
SHA1 hash: b8872fcce3d7deff30116dee41cdaa905a26ac68
SHA256 hash: 32663f468165c47a7d898df1f36d6f282ceb63d8544933e0edb87d111b208f91
Detection ratio (at the time of submission): 0 / 52
First submission: 2016-01-11 19:58:31 UTC
VirusTotal - link


This is another post-infection artifact found on the infected host (its file type is reported as ASCII C program text); it is kept persistent by a scheduled task.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
