Rig EK via JavaScript Redirector drops UrlZone Trojan Banker.


First of all, apologies for the quality of this post and the image. I am not able to access my tools at the moment so had to piece it together using Paint…

Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.

Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Article referencing UrlZone as part of “Avalanche”



(in password protected zip)

Details of infection chain:





Full Details:

The chain begins from malvertising which leads to a website called “datingspots.co”. An HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL but it did not seem to lead anywhere.


Next there is a 302 redirect to a script called “scr.php”


The script contains two JavaScript redirects leading to Rig EK.


Unfortunately I could not get the payload to run on my lab so I do not have any IOCs to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.

SHA256: d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7
File name: hgsaic3x.exe
Detection ratio: 27 / 64

I would be interested to see any IOCs if anyone wants to analyse the sample.
