[2018-05-16] Slyip->RigEK->Ursnif

May 16, 2018

Overview

Saz file is 2018-05-16_13-11-09.saz

Malware

Ursnif

50c87ae46502545421ef9a968743636425edcaff52f0f88cb6de8f20bcdd4d80
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Slyip Campaign]
http[:]//eurohosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//eurohosting.slyip.net/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//eurohosting.slyip.com/3qLMth?browser=ie&countryname=United+States
↓
[RIG Exploit Kit][Landing Page]
http[:]//185.154.53.201/?NDc4NTA3&MCfymoWpzxFf&GuJVMuOW=cmVzb3J0&wSKmsQOeU=c2hha2U=&afiKVN=c2Vh&wMJiydlAqFXJPe=c3BvcnQ=&YsadnypT=cmVzb3J0&fdasd2f=x33QcvWYaRuPDojDM__dSqFBMUzOGUeIwY2fn7DSF52oeDajz7CSFxzw6VmtTjvVgfdOKbZUIgCyjhqEOQE0n-FZEF5K8_6qkEWVzU6fwJ&ta1sdf4=Oy-UaOYg5M_JGWFbI_3Az2x7IVdM8jlBKH7WNUyOlOVl8T5wlBmKbIR6WYqRJ0VEZjUgrNfp0ioh7BUiPvNTt31fOLQwtxq-qK9bVw2ZQu&OFsDBmksShGzYfd=Y2F0cw==&dsAqqTrugPJZIIO=c2Vh&rQnBif=Y2F0cw==&RFXnHRzENSaF=c2hha2U=&jgsSOhgPz=cmVzb3J0&FHVIuTMMtccmu=c2Vh
↓
[RIG Exploit Kit][SWF Payload]
http[:]//185.154.53.201/?NjE5MjE3&pshdWp&ta1sdf4=n41UUVkS863_hkXUzRXPhZSA-RHeZAlDrZadRbJqiln1nrUTIc8jxBKA7mVRmOktVV4T4g4Smqr7VaKO-0RA&rSgzOGLqskaO=c2hha2U=&FepEYRjI=c3BvcnQ=&GnnhIO=c2Vh&JvogdDcCzh=c2hha2U=&THufYUC=Zmx5&lqpsFGsI=bWF0Y2h1cA==&HPPnwhVzmC=Zmx5&RcjuCrY=Zmx5&pWzWeaGLeolq=c2hha2U=&PIQvth=cmVzb3J0&fdasd2f=xHrQMrXYbRzFFYbfKPjEUKFEMUvWA0WKwY2ZharVF5qxFDLGpbD1FxnspVmdCF6EmvBvdLEHIwCh1UbASwYy&hCdougxPJON=c2Vh
↓
[RIG Exploit Kit][Malware Payload]
http[:]//185.154.53.201/?NTAwNzIz&LUMwCms&VlqFwriwNV=cmVzb3J0&xXofBnUBaZ=Zmx5&NTBSkDQJlbC=cmVzb3J0&uRqspCtlBVZAkI=bWF0Y2h1cA==&gaMASdThFmtgisH=bW9uZXk=&NPyLeD=c3BvcnQ=&liCKTGngXMUpj=bW9uZXk=&ta1sdf4=OYg5M-5GRFbI_2wz2x7UVc88klBWH6mNTyO5OUV8U5wlBmKbIR6KYrhJ0VEZjVQrNfpoioh7GUiPvNTt31fOLRD9xnurH8vdwnZQd0UOohwwqbhw&yOrxzmDzZ=bWF0Y2h1cA==&cYzHlSOtk=c2Vh&fdasd2f=x3rQdfWYaRyPCYjDM_jdSqFGMUzOGUePwYqfn7DVF52ofzakz7CSFxzw6VmtTjvVgfBOLrZUIgeyiRqEOQY0n-FZEF5K8_6tkEWVzU6YwJOy_ka&NuhZDKJxqX=Zmx5&JyDTRgHL=Zmx5