Rig EK via Malvertising drops Unknown DLL


Malvertising leads to Rig EK on another “Poker” website. This is the same method used in my two previous posts with slightly varying parameters.

This time I could not identify the payload which appeared to be a DLL. It appeared to run and there was activity in processes but it made no network connections and did not seem to have changed the host significantly even after a reboot.

The DLL is available in the download below. If you have expertise in this area, I would be very keen to know what this file does or is supposed to do.


Background Information:

  • A few articles on Rig exploit kit and its evolution:
  • Article from Malware Breakdown about Hookads. Similar to these infection chains:
  • 200217rigunkdll -> Contains pcapng and payload in a password-protected zip.

Notable Details:

  • onclkds[.]com – Flash version detector
  • onclkds[.]com – 302 redirect
  • adexchangeprediction[.]com – 302 redirect
  • holdempoker.pw – iframe redirect
  • holdempoker2.pw – Compromised Site iframe redirect
  • add.neighborhoodreunions[.]net – Rig EK
  • Payload was rad9E825.tmp.dll -> VirusTotal

Details of infection chain:

Malvertising chain leads to Rig EK, which drops a DLL that did not appear to make any noticeable changes.

Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • oadd.neighborhoodreunions[.]net -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad9E825.tmp.dll”, which came back 0/54 on VirusTotal (SHA256: f620502a8db93560b8c40b86bb72c04555a35dc81ceabdcedae9f4cc7448ed19).
  • The payload ran using regsvr32.exe and, although there was some activity, it did not appear to do anything significant. Perhaps it required a different version of Windows, or maybe it made several subtle but important changes. I’ll keep monitoring the machine for any strange activity.
  • The website appears to have hosted multiple Poker-themed websites. The IP is the same as the previous Bunitu infection, but the domain is different.
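As an added example (not the post's own code), the following Python reconstructs a redirect chain like the one above from proxy-log records and flags a chain that ends in a PE file being served. The hosts are the ones named in the post; the paths, referers and response bodies are constructed.

```python
"""Reconstruct a malvertising redirect chain from proxy-log records and flag a delivered
PE payload. Added example: hosts are from the post, paths/referers/bodies are constructed."""
import hashlib

# Constructed proxy log: (url, status, location, referer, body_prefix), in request order.
LOG = [
    ("http://onclkds[.]com/detect.js", 200, None, "http://publisher.example/", b"// flash version detector"),
    ("http://onclkds[.]com/go", 302, "http://adexchangeprediction[.]com/r", "http://onclkds[.]com/detect.js", b""),
    ("http://adexchangeprediction[.]com/r", 302, "http://holdempoker.pw/", "http://onclkds[.]com/detect.js", b""),
    ("http://holdempoker.pw/", 200, None, "http://onclkds[.]com/detect.js", b"<iframe src=...>"),
    ("http://holdempoker2.pw/", 200, None, "http://holdempoker.pw/", b"<iframe src=...>"),
    ("http://cdn.example/analytics.js", 200, None, "http://holdempoker.pw/", b"// unrelated third-party script"),
    ("http://add.neighborhoodreunions[.]net/?pre", 200, None, "http://holdempoker2.pw/", b"<html>landing</html>"),
    ("http://add.neighborhoodreunions[.]net/?payload", 200, None, "http://add.neighborhoodreunions[.]net/?pre",
     b"MZ\x90\x00" + b"\x00" * 60),  # constructed stand-in for the dropped DLL (MZ header)
]


def host(url):
    # Defanged hosts contain "[.]", which urllib rejects, so split the authority out by hand.
    return url.split("/", 3)[2]


def follow_chain(log, start_url):
    """3xx responses are followed via Location; a 200 is followed to the first later request
    that names it as referer (an iframe or script load). Stops when nothing follows."""
    by_url = {e[0]: e for e in log}
    chain, seen = [by_url[start_url]], {start_url}
    while True:
        url, status, location, _, _ = chain[-1]
        nxt = by_url.get(location) if status in (301, 302) else next(
            (e for e in log if e[3] == url and e[0] not in seen), None)
        if nxt is None or nxt[0] in seen:
            return chain
        seen.add(nxt[0])
        chain.append(nxt)


def assess_chain(chain):
    """Count redirects and cross-domain hops and check whether the final body is a PE file."""
    hosts = [host(e[0]) for e in chain]
    body = chain[-1][4]
    cross = sum(a != b for a, b in zip(hosts, hosts[1:]))
    return {
        "hosts": hosts,
        "redirects": sum(e[1] in (301, 302) for e in chain),
        "cross_domain_hops": cross,
        "pe_payload": body[:2] == b"MZ",
        "payload_sha256": hashlib.sha256(body).hexdigest(),  # compare against VT / IoC lists
        "suspicious": body[:2] == b"MZ" and cross >= 3,      # many hops ending in a binary
    }


if __name__ == "__main__":
    print(assess_chain(follow_chain(LOG, "http://onclkds[.]com/detect.js")))
```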
