Rig EK drops Smoke loader leading to XMR Miner.

Summary:

Yesterday I caught Rig EK dropping a variant of Smoke Loader which is different to today’s one. Today’s sample is more consistent with what you would expect from Smoke Loader, with its connectivity checks to popular domains like Microsoft and its attempts to hide processes. Yesterday’s sample did not do any of this, so the campaign is likely run by different threat actors.

This time only an XMR miner was dropped, which did begin to connect to the mining server on port 4444. No other payloads were witnessed. It’s worth keeping an eye on the IP of the domain that redirected to Rig EK as I’m sure it will be hosting different payloads later.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Smoke Loader – https://www.virustotal.com/#/file/faebfbfb3939abae9d566c332105bfdaa97529fe6a9fa769b3046069b0617caa/detection

XMR Miner – https://www.virustotal.com/#/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/details

Details of infection chain:

(click to enlarge!)

Full Details:

The infection chain actually came from malvertising. The webpage contained a 1px iframe which leads to Rig EK.

The payload was Smoke Loader, which performed several connectivity checks to Microsoft domains before contacting the C2. Below you can see the first connection to the Smoke Loader C2. The interesting thing about this version of Smoke Loader is that it will attempt to hide Process Monitor, preventing it from being maximised, though you can still use Task Manager.
The second connection downloads the miner. You can see in the PCAP the reference to xmrig.com.
The miner then communicates to the address below over port 4444.
I did not see any other payloads from Smoke Loader so I will end it there.


Rig EK via Malvertising drops a Smoke Loader leading to a Miner and AZORult.

Summary:

It’s been an interesting few weeks and I haven’t been able to update, but the other researchers appear to have found a few interesting things. I thought I would blog in case anyone wanted a pcap to look at.

I actually found this through my normal malvertising route. After pondering and some assistance the payload was determined to be Smoke Loader leading to a Miner and AZORult stealer. It’s an interesting sample! Thanks to @James_inthe_box for looking into it deeper.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

This campaign was spotted a few days back (clicky) by @BroadAnalysis. I however found this through my usual malvertising campaign. It was only afterwards that I realised that the IP of the domain is the same as in the previous post that was reported. The payload however is different and, much like the Rulan campaign, it is likely the payloads will change often, so it’s worth keeping an eye on this.
The chain involves a series of 302 redirects:
The final redirect takes the client to Rig EK:
The payload was actually very interesting. I noticed a process injection, which is Smoke Loader. I then saw two binaries, one of which was a miner and the other AZORult stealer. I did upload the sample to Hybrid Analysis; here are the results:
On my lab I did not see the mining C2, which connected to 213.32.29.150:14444. However it did change the same registry key seen in the sandbox analysis. Below are two examples of POST requests from the first binary, believed to be Smoke Loader:
The second binary is “Asus Gaming”, which produced the Zbot-like POST requests to the C2. This is actually AZORult:
SHA-256: 2919a13b964c8b006f144e3c8cc6563740d3d242f44822c8c44dc0db38137ccb
File name: Asus Gaming.exe
File size: 270.5 KB
There’s a lot going on here! Enjoy.

Rig EK via Rulan drops an Infostealer

Summary:

Back again with the Rulan campaign. Recently it has changed its usual payload and we have seen Quant Loader, Coin Miner and KINS.

This time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an infostealer (gathering data then sending it to C2). I’ve been unable to decipher what data it is sending and why. The C2 domains also did not trigger any ET/Snort rules.

It’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Unfortunately I am having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it goes down.

Details of infection chain:

(click to enlarge!)

Full Details:

Rulan has been providing various payloads over the past week or so. A coin miner and even KINS were spotted earlier this week by @nao_sec. It is still using a JS redirector and a HTTP refresh to redirect the victim to Rig EK.
Rig itself continues to change up its parameters, this time using “opas”, “hopas” and “shops”.
The RC4 key is now “marydcetoz”. You can use this to decrypt the payload from the pcap.
The payload appeared to be an infostealer by nature. I was unable to identify it, and sought the aid of @James_inthe_box, who dug further but could not identify it either.
SHA-256: 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb
File name: eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0
File size: 288 KB

The payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe”. It then began to collect information and store it in a folder called “data”.

The malware began with a POST request ending with “load.php”. It looks like Base64 but I could not decode it into anything meaningful.

Next it began to POST data from the text files it created. Again I could not decode this data. Each text file it created was then sent to the C2, each file reaching a size of around 3 KB.

The payload did not trigger any signatures (ET/Snort), though its behaviour is indicative of an information stealer. Keep checking Twitter, it’s likely some more info will come!

Rig EK via Rulan drops Quant Loader (leads to Ursnif)

Summary:

It has been a while since I have blogged. This is due to two things. First, I found a new job which I start next month, so that has taken up some of my time. Second, I’ve found Rig EK activity to have greatly reduced. I did find other Rulan, Fobos and Seamless samples which I decided not to blog about as they were the same old. So if I disappear after blogging this, it’s just that the EK landscape is drying up. I’ll be back if something changes!

Today however Rulan dropped Quant Loader which I believe in turn dropped an Ursnif banking trojan variant. This makes a change from its usual Chthonic payload. Otherwise it’s the same campaign. This demonstrates the campaign is still active. I have also seen it live twice from malvertising campaigns.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Quant Loader:

https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Rulan leads to Quant Loader which drops Ursnif Variant

Full Details:

Not much has changed with the Rulan campaign (apart from the payload) which is usually found from malvertising chains. It is still using a JS redirector and a HTTP refresh to redirect the victim to Rig EK.
Rig itself continues to change up its parameters.
The RC4 key is now “akxyxuxusa”. You can use this to decrypt the payload from the pcap.
The payload was Quant Loader, named due to the firewall rule it opens for itself.
SHA-256: 92e2ba2c8047648af88e89e1c7c2c07752ffb1d299674171a0836aeb9a313894
File name: t0dlsidm.exe
File size: 214 KB
The malware ran fine on my lab but I did put it on HA just to get a nice list of processes it ran.

The malware downloaded a binary which appeared to communicate using Tor. Exactly what this is I’m not certain, but there are a few VT detections for an Ursnif variant. I have always found Ursnif and Dreambot to request a URL containing “/images/” and a media file like an “avi” or “jpg”. Below you can see a similar request made by this module:

SHA256: 41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce
File name: Audikadp.exe
Detection ratio: 22 / 64
Kaspersky Trojan-Spy.Win32.Ursnif.twd

The location it was copied to is also consistent with Dreambot samples I have seen in the past.

Here is the Hybrid Analysis report:

https://www.hybrid-analysis.com/sample/41e17ea8101b4fac481168afed74955d58c230e8df3c590ecbf66e7ed42a11ce?environmentId=100

That’s about all for now, it’s an interesting sample and it is interesting to see Rulan drop another payload other than Chthonic.

Rig EK Drops Bunitu, Smoke Loader, Andromeda and a Miner

Summary:

I was hunting for Rig over the weekend in the Asian region (proxy used) and found 4 different payloads. I merged these into one PCAP and began investigating the payloads, and with the help of several Twitter members (mentioned down below) I got an ID on most of them. I have resolved the IPs in the CSV and the main picture, but in the PCAP you will see my proxy IPs.

In all I found the usual Bunitu however the “small” tag was not present in the gate. I found Smoke Loader which did not run, Andromeda which did run and an unknown malware which I suspect is a cryptocurrency miner.

A good haul, enjoy!

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

  • Article on Andromeda Bot:

https://securityintelligence.com/andromeda-a-galaxy-of-pain-coming-to-a-machine-near-you/

Downloads

(in password protected zip)

  • 06-August-2017-Rig-PCAP -> Pcap (merged and proxy used)
  • 06-August-2017-Rig-CSV -> CSV of traffic for IOCs (resolved IPs as proxy was used)
  • 06-August-2017-Bunitu-SL-Andro-Miner -> Unfortunately I have to use FileDropper as WordPress doesn’t like my password protected zips sometimes…
  • Bunitu – 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
  • Smoke Loader – ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
  • Andromeda – 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
  • Miner – 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1

Details of infection chain:

(click to enlarge!)

Full Details:

This PCAP contains four Rig EK flows each one dropping a different payload.
The payload is encrypted with RC4 but it is easy to decrypt as long as you know the key, which can be found by viewing an unobfuscated version of the landing page. Here we can see it is “wexykukusw”:
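As an added example (not the blog’s own code), the Python below carries out the RC4 decryption step described here and in the Rulan posts above: it tries the keys quoted across these posts against a captured blob and keeps the one that yields a PE header. The payload bytes are a constructed stand-in; on a real capture you would carve the HTTP response body from the pcap first.

```python
"""Recover a Rig EK payload from its RC4-encrypted response body.

Added example, not the blog's own tooling. The candidate keys are the ones
quoted in the posts on this page; the encrypted blob used below is constructed.
"""
from typing import Iterable, Optional, Tuple

# RC4 keys read from de-obfuscated Rig EK landing pages in the posts above.
RIG_KEYS_SEEN = ("wexykukusw", "akxyxuxusa", "marydcetoz")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' magic and e_lfanew pointing at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes,
                    keys: Iterable[str] = RIG_KEYS_SEEN) -> Optional[Tuple[str, bytes]]:
    """Try each candidate key in turn; return (key, plaintext) for the first PE hit."""
    for key in keys:
        plain = rc4(key.encode(), blob)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped EXE: MZ header, e_lfanew = 0x40, PE stub."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    header += (0x40).to_bytes(4, "little")          # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed "captured" blob: the fake PE encrypted with the Rulan-post key.
    captured = rc4(b"marydcetoz", build_fake_pe())
    hit = recover_payload(captured)
    print("key:", hit[0] if hit else "no candidate key produced a PE")
```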
The current Rig EK landing params are:
Let’s start at the top with the Bunitu proxy trojan. Mostly the same, using decoy casino themed websites and an iframe to another domain hosted on the same IP address. Notably, this campaign (AKA Fobos) has always had the <small> HTML tag, but in this sample it is not present.
Below is the sample I put into VT:
SHA256: 02978385cbeffaae26f0fbca7d84a232c147533dfa813327f77e08f91f3c1185
File name: 030817Bunitu.exe
Detection ratio: 46 / 64
Microsoft TrojanProxy:Win32/Bunitu.Q!bit

This was the usual Bunitu which allows your host to become a proxy server. A DLL is dropped which runs on startup. I didn’t include this DLL but it’s what you would be looking for if you suspect a host has been compromised. Every time someone connects there is a DNS request (12.205.191.24):

Next up is Smoke Loader. Now I had some issues here with my Wireshark as it did not seem to capture the traffic except for the download. To make things worse my lab would not run the malware and neither would HA (ran but not properly).

I know though that this was from a TDS, probably Keitaro, as I have been seeing this more and more lately and have seen it in the past:

https://zerophagemalware.com/2017/05/19/rig-ek-via-tds-drops-smoke-loader-leads-to-teamviewer/

I took to Twitter to ask what the sample was and got a reply from @James_inthe_box:
At the time the sample only had 5 detections but now there are a few more.
SHA256: ed9fa89fbd7b2693c07c755cf1bcb1aaea1c96eb2e8bbf0721cce733bcdb2fbe
File name: a2hglnk9.exe
Detection ratio: 27 / 64

Next we have Andromeda, again through Keitaro TDS, which led to a decoy website and then a 302 to Rig EK. I sought the aid of @Antelox to identify this one.

The payload was a 25kb file and appeared to be old as the hash was seen 8 months ago. The malware injects itself into MSIEXEC and then performs several POST requests which are likely patches or modules. It remained persistent through reboots.

SHA256: 0133522011020f0d2a3c204c218b0855a4c3fe470b86d27633572309e5aa3bce
File name: 040817pop.exe
Detection ratio: 49 / 64

Lastly, and perhaps the most interesting, is a possible cryptocurrency miner. This was through the Rulan campaign which uses a HTTP refresh and a JavaScript redirector instead of iframes.

The payload copied itself in a “directx” folder in Microsoft roaming and added itself to startup. The command it ran did not appear to do anything however when I browsed to the IP in the command the server returned with a message saying “mining server online”.

There was no CNC or traffic observed on this port. It would need some dynamic analysis I think so I have passed it onto the @malwrhunterteam as I have heard they are interested in miners.

SHA256: 87497a8b09f1e602258c6c8e53c342209e2cbc6c5d69b0ab7a6db927a94092f1
File name: 060817up.exe
Detection ratio: 17 / 64

That’s it for this post!

Rig EK via malvertising drops Imminent RAT

Summary:

Today I found Rig EK via a 302 redirect. It dropped what appears to be an infostealer trojan that masquerades as a Java updater. A dat file is created which appears to grow over time, and there is a lot of traffic over port 5888, indicative of command and control traffic or exfiltration of data.

UPDATE: confirmed to be Imminent RAT – https://twitter.com/James_inthe_box/status/892912148497575936

I’ve included in this post a bit about the current Rig EK params and the RC4 key which seems to change between samples.

It’s interesting to see other types of malware from Rig other than the 3 common ones I kept finding (bunitu, chthonic, dreambot).

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

The flow was found via malvertising from what I think is a TDS. A 302 eventually redirects to Rig EK.

Rig has changed its RC4 key, making it a little more annoying to grab the payload. Here you can see it is “wexykukusw”.

In addition here are the current params as of today:

The payload was fairly large and I was not able to identify it so I’ve just called it “trojan” as it appears to pretend to be a Java Updater.

SHA256: 8d4a776e6814cf7247711c825e6bf83b1f2768f1dee8c0d896b86b68743ebeab
File name: e14tbkpm.exe
Detection ratio: 17 / 64

The malware drops another file and runs it though it appears to be legitimate software.

SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
File name: Juscheckr.exe
Detection ratio: 0 / 64

The malware did create some unusual folders. One is a copy of itself renamed to “javaupdater.exe”. The other is a folder called “Imminent” which contains a text file that appears to be growing as time goes on.

The malware made the following DNS requests and TCP connections:
It appears to communicate to 94.140.120.149 over port 5888, likely sending the contents of the file above. Therefore it appears to have some kind of infostealing capability.

Rig EK via JavaScript Re-director drops UrlZone Trojan Banker.

Summary:

First off, apologies for the quality of this post and the image. I am not able to access my tools at the moment so had to piece it together using Paint…

Whilst looking for Magnitude I came across a Rig EK flow via a JavaScript redirector. The payload did not run on my lab or on Hybrid Analysis so I sought the aid of @Antelox who identified the sample as UrlZone – a trojan banker which has recently been seen in malspam.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article referencing UrlZone as part of “Avalanche”:

https://www.us-cert.gov/ncas/alerts/TA16-336A

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

The chain begins from malvertising which leads to a website called “datingspots.co”. A HTTP refresh redirects to “datingspots.co/?”. There is also an iframe here with a suspicious URL but it did not seem to lead anywhere.

Next there is a 302 redirect to a script called “scr.php”.

The script contains two JavaScript redirects leading to Rig EK.

Unfortunately I could not get the payload to run on my lab so I do not have any IOCs to offer except a hash. I tried to run it in Hybrid Analysis with “High evasion” mode on but it did not run properly. It was confirmed by @Antelox to be UrlZone – a trojan banker.

SHA256: d761e6d23070cde26710566a09c847e6c9d112cc973e10a1422d94ae481056f7
File name: hgsaic3x.exe
Detection ratio: 27 / 64

I would be interested to see any IOCs if anyone wants to analyse the sample.

Magnitude EK XML Package and changes.

Summary:

This PCAP shows two Magnitude EK flows. The first one appears to run an XML package which downloaded a 77 MB text file. The second flow appears to be new and makes references to IE-Edge. The landing page is something I have never seen before and it appears to have run a Flash exploit.

I will spend some time looking at it and update this blog post. In the meantime however take a look at the PCAP. I’d be interested to know if you recognise any exploits.

Background Information:

  • Article from RSA, although a few months old and missing some newer aspects of Magnitude, the fundamentals have not changed.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

  • A few previous Magnitude EK posts from me.

Magnitude EK drops Cerber (Scriplet changed to “.bmp”)

Magnitude EK drops “CBRB” (Cerber Ransomware)

Downloads (in password protected zip)

Details of infection chain:

(click to enlarge!)

A new version of Magnitude EK makes references to IE-edge. No payload but I did not use Edge.

Full Details:

I will likely update this section as I learn more about what has happened. In short there appears to be many changes to Magnitude EK.

Let’s start with the decoy website, which is called “letsovape.com”.

In the first flow we see the two Magnigates. If you have seen any of my previous Magnitude EK posts you will see this is different. I will try to look at deobfuscating these.

Next comes the VBScript landing page, which appears to be similar, but again I will look into it. Here is a snapshot of part of it:

Not entirely sure how yet, but possibly through the Flash exploit, Magnitude EK was able to call a JavaScript command using Rundll32 which downloaded and ran an XML package which then dropped a payload on the Desktop. This payload, despite having an .exe extension, is actually a 77 MB text file seemingly filled with gibberish.

Perhaps more interesting is a different version of Magnitude which I also saw. This also began with “letsovape”:

The landing page is something I have never seen before. It looks very interesting. I’m not sure if there are any exploits here but I do know it calls a Flash file.

Note the header on the Flash file “IE = Edge” may indicate Edge may need to be used. I do not have this browser so could not test.

Lastly there are two JavaScripts which are run and which are actually Magnigates that appear to return to the usual chain of Magnitude events.

Three Rig EK Campaigns

Summary:

First off apologies for the lack of update. I have been following a few Rig EK campaigns lately but have not really seen anything new in terms of payloads. I have also not done the usual picture, rather a small version (with one mistake in..) I’ve been very busy lately with moving career and juggling life in general.

There have been a few Rig EK changes which @Nao_sec has reported on, things like the RC4 key changing. I’ll dig into these myself at some point.

Nonetheless, if you are looking for Rig EK hopefully this blog post may help you find a source. These three campaigns are good sources for Rig EK so happy hunting!

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

  • Article on Dreambot:

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

Downloads

(in password protected zip: (infected))

Details of infection chain:

(click to enlarge!)

Full Details:

There are three campaigns currently that are easy sources of Rig EK.

Fobos is the campaign’s “official” name, but I call it the “Small gate” on account of the iframe always containing the “<small>” tag. These are often decoy websites with a casino or gaming theme. There is an iframe either to a domain on the same IP or to another IP that belongs to the threat actor. On that page there is an iframe to Rig EK. Currently it drops the Bunitu proxy trojan.

HookAds is quite interesting in that the URLs appear to be “packed”. I had to debug the script to reveal the URL. The website requests a script called “popunder.php” which leads to a URL that usually has a pattern like “domain/banners/string”. Both of these domains contain a JavaScript which has to be decoded to see the target URL. I almost always get Dreambot from this campaign.

Finally there is the “Rulan” campaign which I have seen use two different redirect mechanisms. There is a HTTP Refresh which reloads the page to the URL specified and a JavaScript redirect. There are tonnes of these domains from a single IP (144.76.174.172). This always seems to drop Chthonic.

Rig EK via Malvertising drops Panda Banker

Summary:

Today I found Panda Banker via a series of 302 redirects to Rig EK. The payload did not run on my lab so I sought the aid of @Antelox who identified it as Panda. I then put the sample into a sandbox where it did run, so I managed to pull a few IOCs.

It has been a while since I’ve seen Panda Banker. I’ll have to pore over the data and figure out why it evaded my lab but ran in a sandbox.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Panda Banker:

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

Downloads

(in password protected zip)

Details of infection chain:

(click to enlarge!)

Full Details:

Found via a malvertising chain of multiple 302 redirects, Rig EK drops Panda Banker. The sample did not run on my lab. It created three files then terminated. It must have checked for something and disliked it then terminated. The sample was confirmed to be Panda by @Antelox.

SHA256: 9cdb53cc0294be1cb0699879499d17c6d450fbb5e03a6979cb7ad14cfb67c51a
File name: 16-July-2017-Rig-Malware.bin
Detection ratio: 19 / 63
Avira (no cloud) TR/AD.PandaBanker.fyxdz

Although it did not run on my lab, I did manage to put it into a sandbox which managed to run it, so I have some IOCs for traffic.

The PCAP is located here: https://www.virustotal.com/en/file/7ebd871771bfaa3eb6d3f4ffd638d709a251fd4fa487dfe0c2a9f58a7374e21c/analysis/

On my lab it created the three files below but then terminated. On the sandbox it copied itself to the path below and did the usual trojan behaviour (process injection, etc.)

Below are the HTTP POST requests over port 443 which were observed to smillaopds.top.

There was a lot more data but I’ll end with a quick summary that the sandbox gave:
