HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot.
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Dns - T1071.004 Dns - T1590.002 Malvertising - T1583.008 Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | a5756189-79b3-47a7-9025-3261e7b6af3c |
| Fingerprint | feab3c512fbf448f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 20, 2017, 10:08 a.m. |
| Added to db | Jan. 18, 2023, 9:59 p.m. |
| Last updated | Nov. 16, 2024, 7:04 p.m. |
| Headline | HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot. |
| Title | HookAds Campaign Leads to RIG EK at 188.225.78.240. RIG EK Drops Dreambot. |
| Detected Hints/Tags/Attributes | 31/2/36 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | arrassley.info |
|
| Details | Domain | 123 | ipinfo.io |
|
| Details | Domain | 35 | resolver1.opendns.com |
|
| Details | Domain | 20 | 222.222.67.208.in-addr.arpa |
|
| Details | Domain | 35 | myip.opendns.com |
|
| Details | Domain | 5 | wdwefwefwwfewdefewfwefw.onion |
|
| Details | Domain | 1 | heydrid.info |
|
| Details | Domain | 6 | exploit.zip |
|
| Details | Domain | 1 | clicksgear.com |
|
| Details | Domain | 1 | www.decoysite.com |
|
| Details | Domain | 370 | www.proofpoint.com |
|
| Details | File | 1 | arrassley.inf |
|
| Details | File | 1 | heydrid.inf |
|
| Details | File | 19 | page.txt |
|
| Details | File | 52 | exploit.swf |
|
| Details | File | 23 | o32.tmp |
|
| Details | File | 1 | vwgob5qt.exe |
|
| Details | File | 2 | deviprov.exe |
|
| Details | File | 1 | voip4.rar |
|
| Details | File | 6 | exploit.zip |
|
| Details | File | 8 | popunder.php |
|
| Details | File | 1 | e5f1.bin |
|
| Details | sha256 | 1 | ab4db9eff5259f56e1c9f21444b9b8024d8ce2ffc841e178b10b9a522a750c3c |
|
| Details | sha256 | 1 | b712653deece760b1b981c7d93da44e62b58630ce0bfd511a2d621672cc2f7d6 |
|
| Details | sha256 | 1 | 892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970 |
|
| Details | sha256 | 1 | 478e311fe3d8ad965f135f5949adb5d894375d7f8b435472b856364bfd0370ca |
|
| Details | sha256 | 1 | 1fd7b6b244cbcac394452f540ef373fd5bfaa402273b29252f06edf2fd0432b7 |
|
| Details | sha256 | 2 | 74f24a26da3af4ced5d45721ba587d1b42d009c53c93b3d8d80210d952319f77 |
|
| Details | IPv4 | 1 | 188.225.78.240 |
|
| Details | IPv4 | 1 | 34.193.201.92 |
|
| Details | IPv4 | 10 | 80.77.82.41 |
|
| Details | IPv4 | 1 | 144.168.45.110 |
|
| Details | IPv4 | 1 | 52.2.59.254 |
|
| Details | IPv4 | 24 | 222.222.67.208 |
|
| Details | Url | 8 | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
|
| Details | Windows Registry Key | 7 | HKCUSoftwareAppDataLowSoftwareMicrosoft |