HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.
Common Information
Type Value
UUID fe265f3c-f5d3-4b87-8014-d92dcdd59e94
Fingerprint fe2145b98cb340d2
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 19, 2017, 11:17 p.m.
Added to db Jan. 18, 2023, 9:59 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.
Title HookAds Malvertising Redirects to RIG-v EK at 217.107.219.99. EK Drops Ursnif Variant Dreambot.
Detected Hints/Tags/Attributes 43/2/129
Attributes
Type | #Events | Value
Autonomous System Number | 1 | AS46636
Domain | 1 | multimediaz.net
Domain | 3 | onclickads.net
Domain | 6 | onclkds.com
Domain | 1 | avatrading.org
Domain | 1 | stockholmads.info
Domain | 2 | sup.glencoelocksmithil.com
Domain | 10 | curlmyip.net
Domain | 35 | resolver1.opendns.com
Domain | 20 | 222.222.67.208.in-addr.arpa
Domain | 35 | myip.opendns.com
Domain | 6 | nod32.com
Domain | 114 | eset.com
Domain | 358 | pastebin.com
Domain | 3 | whois.publicinterestregistry.net
Domain | 1 | whoisprotectservice.net
Domain | 2 | ns1.topdns.me
Domain | 2 | ns2.topdns.me
Domain | 2 | ns3.topdns.me
Domain | 2 | topdns.me
Domain | 81 | blog.malwarebytes.com
Domain | 1 | soft-com.biz
Domain | 1 | leedsads.info
Domain | 1 | lilleads.info
Domain | 1 | malmoads.info
Domain | 1 | ostravaads.info
Domain | 1 | trivagoad.com
Domain | 1 | bristolads.info
Domain | 1 | amsterdamads.info
Domain | 1 | lublanads.info
Domain | 1 | turkuads.info
Domain | 1 | koperads.info
Domain | 1 | turinads.info
Domain | 1 | varnaads.info
Domain | 1 | sevilleads.info
Domain | 1 | rotterdamads.info
Domain | 1 | naplesads.info
Domain | 1 | munichads.info
Domain | 1 | mariborads.info
Domain | 1 | landads.info
Domain | 1 | umeaads.info
Domain | 1 | lisbonads.info
Domain | 1 | hagueads.info
Domain | 1 | brnoads.info
Domain | 1 | frankfurtads.info
Domain | 1 | tampereads.info
Domain | 1 | helsinkiads.info
Domain | 1 | utrechtads.info
Domain | 1 | sofiaads.info
Domain | 1 | hamburgads.info
Domain | 1 | pasteero.com
Domain | 1 | plivdivads.info
Domain | 1 | pilsenads.info
Domain | 1 | florenceads.info
Domain | 1 | yorkads.info
Domain | 1 | liverpoolads.info
Domain | 1 | adsrotation.info
Domain | 1 | adsdelivery.info
Domain | 1 | hoptop.info
Domain | 1 | dc-d2922a0b.trivagoad.com
Domain | 12 | whois.ripe.net
Domain | 370 | www.proofpoint.com
Email | 1 | avatrading.org@whoisprotectservice.net
Email | 1 | eugene.stryapin@soft-com.biz
File | 1 | stockholmads.inf
File | 7 | t64.dll
File | 52 | exploit.swf
File | 1 | rad763e4.tmp
File | 2 | deviprov.exe
File | 7 | t32.dll
File | 13 | whois.pub
File | 1 | leedsads.inf
File | 1 | lilleads.inf
File | 1 | malmoads.inf
File | 1 | ostravaads.inf
File | 1 | bristolads.inf
File | 1 | amsterdamads.inf
File | 1 | lublanads.inf
File | 1 | turkuads.inf
File | 1 | koperads.inf
File | 1 | turinads.inf
File | 1 | varnaads.inf
File | 1 | sevilleads.inf
File | 1 | rotterdamads.inf
File | 1 | naplesads.inf
File | 1 | munichads.inf
File | 1 | mariborads.inf
File | 1 | landads.inf
File | 1 | umeaads.inf
File | 1 | lisbonads.inf
File | 1 | hagueads.inf
File | 1 | brnoads.inf
File | 1 | frankfurtads.inf
File | 1 | tampereads.inf
File | 1 | helsinkiads.inf
File | 1 | utrechtads.inf
File | 1 | sofiaads.inf
File | 1 | hamburgads.inf
File | 1 | plivdivads.inf
File | 1 | pilsenads.inf
File | 1 | florenceads.inf
File | 1 | yorkads.inf
File | 1 | liverpoolads.inf
File | 1 | adsrotation.inf
File | 1 | adsdelivery.inf
File | 1 | hoptop.inf
File | 5 | firstdetect.js
File | 2126 | cmd.exe
File | 1 | b725.bin
sha256 | 1 | 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8
sha256 | 1 | e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea
sha256 | 1 | 968c138d81479711c3c1fea10860cf14bcda165971add20bb14e6671cfd7f5ab
sha256 | 3 | f3be7f161667ea0cb63fde959f62cd0775b20727cc0c006f3d9e58ca78a41b0f
sha256 | 3 | 5d5bda87bb2871b29c63d7a40c3f7e1ef81ebb4c69396059e94d4ce02ece9f10
IPv4 | 2 | 217.107.219.99
IPv4 | 1 | 104.27.134.78
IPv4 | 1 | 206.54.163.4
IPv4 | 2 | 206.54.163.50
IPv4 | 1 | 185.51.244.202
IPv4 | 1 | 185.51.244.210
IPv4 | 2 | 89.223.31.51
IPv4 | 6 | 37.48.122.26
IPv4 | 24 | 222.222.67.208
IPv4 | 1 | 185.51.244.0
Url | 1 | http://pastebin.com/7ah2pw9h
Url | 1 | http://pastebin.com/tuy3lehh
Url | 2 | https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign
Url | 8 | https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
Windows Registry Key | 7 | HKCU\Software\AppDataLow\Software\Microsoft
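Added example (editor's code, not part of this record nor of the Malwarebytes or Proofpoint write-ups it links): a small Python hunt helper that parses the flattened "Details <Type> <#Events>" listing above into structured indicators, strips the analysis context that rides along in dumps like this one, and scans constructed proxy-log lines for the RIG-v gate IP and the <city>ads.info decoy domains. Two caveats a practitioner should apply before loading this record into a blocklist, both visible from the listing itself: the File entries ending in .inf are the .info decoy domains re-read as filenames, and 222.222.67.208 is the in-addr.arpa name of the OpenDNS resolver 208.67.222.222 read backwards, so neither is a real indicator. Assumptions in the code: the benign-context set (resolvers, vendor sites, paste hosts) is the editor's judgement, the decoy regex generalises the listed <city>ads.info names to unlisted siblings, the proxy-log format and the host osloads.info are constructed, and only a subset of the record's entries is reproduced in the embedded dump.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the page's flattened attribute listing: each
# "Details <Type> <#Events>" line is followed by the indicator on the next line.
ATTRIBUTE_DUMP = r"""
Details IPv4 2
217.107.219.99
Details IPv4 24
222.222.67.208
Details Domain 1
stockholmads.info
Details Domain 1
helsinkiads.info
Details Domain 35
resolver1.opendns.com
Details Domain 358
pastebin.com
Details File 52
exploit.swf
Details Windows Registry Key 7
HKCU\Software\AppDataLow\Software\Microsoft
"""

# Editor's assumption, not a page claim: these hosts are analysis context
# (resolvers, vendor sites, paste hosts), not campaign infrastructure.
BENIGN_CONTEXT = {
    "resolver1.opendns.com", "myip.opendns.com", "curlmyip.net",
    "eset.com", "nod32.com", "pastebin.com", "blog.malwarebytes.com",
    "www.proofpoint.com", "whois.ripe.net", "whois.publicinterestregistry.net",
}
# 222.222.67.208 is the reverse-DNS name of OpenDNS 208.67.222.222 read as an
# address by the aggregator; alerting on it would be a false positive.
PARSER_ARTIFACTS = {"222.222.67.208"}

# Editor's generalisation of the <city>ads.info decoys the listing enumerates.
HOOKADS_DECOY = re.compile(r"^[a-z]+ads\.info$")
ATTR_HEADER = re.compile(r"^Details (?P<type>.+?) (?P<events>\d+)$")


def parse_attributes(dump):
    """Rebuild the flattened listing as {type: {value: event_count}}."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    iocs = defaultdict(dict)
    i = 0
    while i + 1 < len(lines):
        m = ATTR_HEADER.match(lines[i])
        if m:
            iocs[m.group("type")][lines[i + 1]] = int(m.group("events"))
            i += 2
        else:
            i += 1
    return dict(iocs)


def hunt_set(iocs):
    """Domains and IPs worth alerting on: listed values minus context/artifacts."""
    domains = {d for d in iocs.get("Domain", {}) if d not in BENIGN_CONTEXT}
    ips = {a for a in iocs.get("IPv4", {}) if a not in PARSER_ARTIFACTS}
    return domains, ips


def classify_host(host, domains, ips):
    """Verdict for one host, or None if nothing on the page points at it."""
    if host in ips:
        return "rig-v-gate-ip"          # 217.107.219.99 from the headline
    if host in domains:
        return "listed-domain"
    if HOOKADS_DECOY.match(host):
        return "hookads-decoy-pattern"  # unlisted sibling of the decoys, lower confidence
    return None


def scan_proxy_log(lines, domains, ips):
    """Return (line_no, host, verdict) hits. Log format is the constructed
    '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        verdict = classify_host(host.lower(), domains, ips) if host else None
        if verdict:
            hits.append((n, host, verdict))
    return hits


# Constructed proxy log. osloads.info is hypothetical and not on the page; it is
# here to show the pattern rule firing on an unlisted sibling domain.
SAMPLE_LOG = [
    "2017-02-19T22:41:03Z 10.0.0.5 GET http://stockholmads.info/ad.js",
    "2017-02-19T22:41:04Z 10.0.0.5 GET http://osloads.info/ad.js",
    "2017-02-19T22:41:05Z 10.0.0.5 GET http://217.107.219.99/",
    "2017-02-19T22:41:06Z 10.0.0.5 GET https://pastebin.com/raw/x",
    "2017-02-19T22:41:07Z 10.0.0.5 GET https://example.com/",
]

if __name__ == "__main__":
    domains, ips = hunt_set(parse_attributes(ATTRIBUTE_DUMP))
    for line_no, host, verdict in scan_proxy_log(SAMPLE_LOG, domains, ips):
        print(line_no, host, verdict)
```

Run against the sample log it reports the listed decoy, the unlisted sibling (pattern match) and the gate IP, and stays silent on pastebin.com even though that domain carries the highest event count in the record. The registry key survives parsing with its separators intact, which is the value an endpoint check for Dreambot persistence would compare against.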