Malware-Traffic-Analysis.net - 2016-07-20 - Neutrino EK from 131.72.139.201 sends Bandarchor ransomware

2016-07-20 - NEUTRINO EK FROM 131.72.139.201 SENDS BANDARCHOR RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-07-20-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap.zip 211.5 kB (211,468 bytes)

2016-07-20-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap (230,777 bytes)

ZIP archive of the malware: 2016-07-20-other-Neutrino-EK-sends-Bandarchor-malware-and-artifacts.zip 179.3 kB (179,326 bytes)

2016-07-20-other-Neutrino-EK-flash-exploit.swf (84,143 bytes)

2016-07-20-other-Neutrino-EK-landing-page.txt (3,805 bytes)

2016-07-20-other-Neutrino-EK-payload-bandarchor.exe (115,830 bytes)

NOTES:

More information on Bandarchor ransomware can be found here and here.
Today's Bandarchor ransomware sample didn't leave any decryption instructions.
It just listed the email addresses in the names of the encrypted files (see below).

Shown above: My tipper for this traffic at http://www.malwaredomainlist.com/mdl.php.

TRAFFIC

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

spread.diadanoivabh.com.br - GET /alvbh2.html - Redirect pointing to Neutrino EK
131.72.139.201 port 80 - jh6nov.r78s2ed8.top - Neutrino EK
64.237.48.50 port 80 - ahurets.com - POST /555/index.php - Post-infection traffic caused by the Bandarchor ransomware

EMAILS TO GET THE DECRYPT INSTRUCTIONS:

aes256decoder@protonmail.com - First email address generated by the Bandachor ransomware
decrypt@aesencryption.info - Second email address generated by the Bandachor ransomware

FILE HASHES

FLASH FILES:

SHA256 hash: 6e045324f507802f9014451022d96a9fc3ba9b70e72637ca73ed830b1e1418de
File name: 2016-07-20-other-Neutrino-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: 042c522f7329535991ba113c46a6c766fa20bde039d71d96e0bbc06e94369443
File name: 2016-07-20-other-Neutrino-EK-payload-bandarchor.exe

IMAGES

Shown above: Example of the encrypted file names from an infected host.

Shown above: Domain for the second email address was registered yesterday through Namecheap.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-07-20-other-Neutrino-EK-sends-Bandarchor-ransomware.pcap.zip 211.5 kB (211,468 bytes)
ZIP archive of the malware: 2016-07-20-other-Neutrino-EK-sends-Bandarchor-malware-and-artifacts.zip 179.3 kB (179,326 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.