HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Dns - T1071.004 Dns - T1590.002 Malvertising - T1583.008 Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | cf42d85c-3c70-40e2-bba7-f931d68d55c7 |
| Fingerprint | faa17579a6ff4681 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | June 6, 2017, 7:33 p.m. |
| Added to db | Jan. 18, 2023, 9:59 p.m. |
| Last updated | Nov. 16, 2024, 7:04 p.m. |
| Headline | HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot |
| Title | HookAds Malvertising Campaign Leads to RIG EK at 194.87.93.114 and Drops Dreambot |
| Detected Hints/Tags/Attributes | 26/2/33 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | remainland.info |
|
| Details | Domain | 123 | ipinfo.io |
|
| Details | Domain | 35 | resolver1.opendns.com |
|
| Details | Domain | 35 | myip.opendns.com |
|
| Details | Domain | 1 | rigek.zip |
|
| Details | Domain | 370 | www.proofpoint.com |
|
| Details | File | 8 | popunder.php |
|
| Details | File | 1 | remainland.inf |
|
| Details | File | 7 | t32.dll |
|
| Details | File | 3 | uaps.txt |
|
| Details | File | 19 | page.txt |
|
| Details | File | 52 | exploit.swf |
|
| Details | File | 23 | o32.tmp |
|
| Details | File | 1 | gcg2jb8g.exe |
|
| Details | File | 1 | rigek.zip |
|
| Details | File | 3 | dot3core.exe |
|
| Details | File | 7 | t64.dll |
|
| Details | File | 1 | 5ec9.bin |
|
| Details | sha256 | 1 | 732637809542bf1e174249104d2b1c88dc79da20862318a749accc052638b8f1 |
|
| Details | sha256 | 1 | 29f7549ed1df9ca36112936554aac61b39c3f32d718f166f6e51eaf495268bb2 |
|
| Details | sha256 | 1 | e9ac5882d5629183863c6e5dcfff7e007d24988f86233480b59e9c957621cb3b |
|
| Details | sha256 | 1 | f7f7ae3a95cf3c3dbbdc5100266aa38b25167e14a7e0ad4597e5bf32fdabd3c2 |
|
| Details | sha256 | 1 | 9fc5fb99f72be24ec7d1e2004f1c1f2083885059e0e072314cb712934415bc24 |
|
| Details | sha256 | 1 | e53444daa029ca5821ef53904ad1136fb24eea721a97300e86b38881cbee8a36 |
|
| Details | sha256 | 1 | 19983fa4e8cb3207a845e033ff12caeec114c16b8ab9e291a66d796bc11e3e22 |
|
| Details | sha256 | 1 | 5b8f2ce696576eb57266b0b3114bb3b4ae98f8157bc77d8df034f0ce81be603b |
|
| Details | IPv4 | 1 | 194.87.93.114 |
|
| Details | IPv4 | 10 | 80.77.82.41 |
|
| Details | IPv4 | 2 | 144.168.45.144 |
|
| Details | IPv4 | 1 | 35.166.90.180 |
|
| Details | Url | 8 | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
|
| Details | Windows Registry Key | 7 | HKCUSoftwareAppDataLowSoftwareMicrosoft |
|
| Details | Windows Registry Key | 15 | HKCUSoftwareMicrosoftWindowsCurrentVersionRun |