[2018-04-10] Unknown->RigEK->Ursnif

April 10, 2018

Overview

SAZ file: 2018-04-10_10-47-14.saz

(Analysis result using EKFiddle)

Malware

Ursnif

a30aa9e106278ff93cf07b80d0194022fda1d61187cf818cb5e721176e372b1d
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//cash111.club/B3Lhcr?keyword=Adult&cost=0.00100&ad_campaign_id=169809&source=PopCash&sub_id_1=371537
↓
[RigEK][Landing Page]
http[:]//46.30.47.46/?MjY2OTQ1&jweitar&zZnJTXjPCeMaDq=c2Vh&dtjUJAVEUXyzD=c2Vh&t45sd3d=dKbMBOlHgjRfTLwRnmdwIVl0a8quqjEKHmxKU0pOK_BfZMllB-ZKWR7ML6G2xzvNRcw&TrersDXJO=c3BvcnQ=&fdx3fs=wnzQMvXcKRXQFYbCKuXDSKZDKU7WHkaVw4-YhMG3YprNfynz0uzURnLwtASVVF6RrbM&CaOxayGrkixcJ=c2My&bVaKiqMBfRBy=c2My&WiMymzyQQPhJgma=c2Vh&QQdLpdY=cmVzb3J0
↓
[RigEK][SWF Payload]
http[:]//46.30.47.46/?MTg0MzQ1&LZGLtOeDbHtV&tdNYZuhsjmDPU=Zmx5&sEHFiDMpDfPe=bW9uZXk=&HvSNIq=c2Vh&gZtzBfd=bW9uZXk=&t45sd3d=MBOlHijRfTLwRnmdwIVl0a8qutjEKHmxWU0pOK_BfZMllE-ZKWR7AL0V31zrIQQIgmgECy&tZEWHjsPfkGHjk=cmVzb3J0&RfmyKvcxLFCA=Zmx5&MCIEwhWRQCYEf=c2Vh&fdx3fs=wnrQMvXcLhXQFYbDKuXDSKdDKU7WGUaVw4-dhMG3YprNfynz0-zURnLxtASVVF-RrbMdLr
↓
[RigEK][Malware Payload]
http[:]//46.30.47.46/?MzQ3Mjcz&PJOMWog&RzHLMNvu=c3BvcnQ=&RGJsXghfs=cmVzb3J0&enSPdqvTm=c3BvcnQ=&yUiEWnztuH=Zmx5&IubdMMgcfUxg=bWF0Y2h1cA==&mPRcNt=bW9uZXk=&XjarBqwO=c3BvcnQ=&fdx3fs=wnzQMvXcLhXQFYbDKuXDSKFDKU7WHkaVw4-ahMG3YprNfynz0-zURnLwtASVVFmRrbMdKbMBO&t45sd3d=lHijRfTLwFnmdwIUF0a8qusjEKHmxSU0pOK_xfZMllH-ZKWR7IL0VT8zrgdecIlzibfqWNT_A