[2018-08-26] PseudoGate->RigEK->SmokeLoader->DarkVNC

August 26, 2018

Overview

The SAZ (Fiddler session archive) file is 2018-08-26_21-30-41.saz

(↓Analysis result using EKFiddle)

Malware

SmokeLoader

c4e6c840a1158c3fe2b42203d7efa8a68928fb4bd3756083434c0ed0a903e152
[Hybrid-Analysis] [VirusTotal]

DarkVNC

c46caecc4f10f01cf644d1b4cba240da6c3e88384b4bac7c9f52740e1fee3bb5
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//balmyfurniture.com
↓
[RIG Exploit Kit][Landing Page]
http[:]//176.57.220.229/?NTMzNzcz&FgbUwGlOKrLRs&JCweTka=Zmx5&ZFwfsYl=Y2F0cw==&iNVNWajLD=c2hha2U=&mfOxoFPPus=bWF0Y2h1cA==&refWgbkKt=Zmx5&CtliQrBO=Zmx5&txs4=dKbFTOAbi20PTKAZmmIdaVlwSoaut20aEmhLP05eD_hOPMw5G_pLEErIL6G2xzPNRcw&fdx4f=wnrQMvXcKRXQFYbEKuXDSKFDKU7WGUaVw4-ahMG3Yp3Nfynz1ezURnL3tASVVF6RrbM&fbqcbzOEbVo=Zmx5&kEFjfvPDt=c2Vh&sxCsaYEfN=c3BvcnQ=&sRjMjpopq=Zmx5&apuqNWJ=bW9uZXk=
↓
[RIG Exploit Kit][SWF Payload]
http[:]//176.57.220.229/?NTE2NTM5&xNoUwQ&RrQQREflWaXmxJ=Zmx5&ousVMpxMqWJYf=c3BvcnQ=&TqZwDFFjJa=bW9uZXk=&RVsZDOT=c2My&MEaWAVrUlGH=Zmx5&qytWHdWXHJCHF=c3BvcnQ=&WXNDFzIxvbw=c2My&txs4=ijkCFLQZnz91ZVV4a866oj0KDy0Ofh8bR_kbeYQlE-ZCRRrU63F2kybIkdMIkxReA6lETi-lLYg&qUDGsXCZazWIiz=c2Vh&fdx4f=xXrQMvWYbRXQDp3EKv_cT6NGMVHRGUCL2Y2dmrHVefjaeFWkzrDFTF_wozKATgSG6_dtdfJTDQD&sBzAPtkUY=c2Vh&UKfFkLUp=cmVzb3J0&CRLzFoffXCAYY=c2hha2U=
↓
[RIG Exploit Kit][Malware Payload]
http[:]//176.57.220.229/?NjAzODU=&KlbsxNqAyiJIzjg&jRhRVO=c2Vh&wblxbKqQYTgzyq=c2Vh&BnlzQbYEpnZ=Y2F0cw==&fdx4f=wn3QMvXcKRXQFYbDKuXDSKZDKU7WHkaVw4-ahMG3YprNfynz1ezURnL3tASVVF6RrbMdKbFTO&UMpaNiPkk=c3BvcnQ=&JvqubXOCBfKblR=cmVzb3J0&lLYcKSjkqzxt=Zmx5&eHeGHwgnWfb=c2My&txs4=Abl20PTKAFmmIdaUVwSoauq20aEmhLP05eD_hOPMw5G_pLEErIL0VT8zLgdecIkzibfqWVT_A&izhvKHmMFQcS=c2My&GAZOWKviwa=c2My&SPoDpAEkOD=cmVzb3J0&KzlbUnYIPAOABZ=c2Vh