[2017-11-04] RigEK->Dridex

November 04, 2017

Overview

SAZ file (Fiddler session archive): 2017-11-04_23-36-06.saz

[Figure: analysis result using EKFiddle]

Malware

Dridex

f353055919269aebb1eb27bcc840b91a1b8cc414a0a7a60f16bdfc1cf753fb8b
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//clokin1.ru/
↓
http[:]//clokin1.ru/2.php
↓
[RigEK][Landing Page]
http[:]//188.225.11.195/?Mzc1NDY4&DxTroKMeldW5rbm93bkRNQ2F4SkFiZk14bmt5bWlzc2luZw==&RoGZKIYR=cmVwb3J0&fRHZyCMlYMaAHzm=Y2FwaXRhbA==&dfjhgfdghj=TDVXniBeGLgFlnN9fA19A8qqt3UCBmB-ZiMGK_BLYMA4W_8CQR7Uz2l7wxrAkQPsjg1TH6mI&ZgmXmT=Y2FwaXRhbA==&RQCDJJRLl=cmVwb3J0&wnilndzslSotUD=bG9jYXRlZA==&NNwaOBVzMVPELri=bWlzc2luZw==&yZCNQQuPBcOsXKw=bG9jYXRlZA==&cvbdfghg=xXrQMvWfbRXQCZ3EKvrcT6NEMVHRGECL2Y-dmrHTefjaf1WkzrLFTF_wozKASQSG6_JtdfJ&wDHEPUHon=dW5rbm93bg==&BnbfVKk=cmVwb3J0&dNwdToLSMnEYmrY=bG9jYXRlZA==&HCNlrHT=Y2FwaXRhbA==&feFHQmLTgnbB=YXR0YWNrcw==&QyugcSZugKhkVWcbWlzc2luZw==
↓
[RigEK][SWF Payload]
http[:]//188.225.11.195/?NDAwODU1&AVYcooKuc3Rvcm1lZEdYY21VZ2xQV09LS0w=c3Rvcm1lZA==&LqAvMRxTmCpe=ZGVub21pbmF0aW9ucw==&cvbdfghg=xHrQMrPYbRrFFYDfKPjEUKZEMU7WA0OKwY2Zha3VF5yxFDXGpbf1FxzspV-dCFiEmvdvdLEHIwGh1UTASwQ&SLNthAlEty=YXR0YWNrcw==&xyQelrWXoGvZ=bG9jYXRlZA==&MBRMXKyKeFkp=YXR0YWNrcw==&sgxaUxFbYJstql=cmVwb3J0&CmzUtWVnuAos=YXR0YWNrcw==&dfjhgfdghj=3mo0PVFtG86qu30SEzBXPg5SBrhfZMAtM95bDHLU8jVmknLAUIsh0wxeK6mJVxestV1gQ5wkSn6r7VaSO-w&dSmZDs=YXR0YWNrcw==&NDZXtMywPBpcBSu=bG9jYXRlZA==&NqopCOkVLfj=ZGVub21pbmF0aW9ucw==&kakPNA=ZGVub21pbmF0aW9ucw==&XGhNLsfHqtoM=c3Rvcm1lZA==&sqIgbblIrFW=ZGVub21pbmF0aW9ucw==&eQKNqZnmXpAlaVBbG9jYXRlZA==