Angler EK from 185.46.11.147 sends TeslaCrypt

ASSOCIATED DOMAINS:

  • litte.ro – COMPROMISED HOST
  • 185.46.11.147 – rabe.barbarareamer.com GET /topic/87254 – ANGLER EK [TESLACRYPT]
  • 203.124.115.1 – vtechshop.net POST /wcspng.php – POST-INFECTION TRAFFIC
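The indicators above describe a three-hop chain: the compromised site, the Angler landing page it refers the browser to, and the post-infection POST. The following is an added example, not part of the original post, that turns those indicators into a small matcher and reconstructs the chain per client from proxy-style log lines. The log format (timestamp, client IP, destination IP, method, host, URI, Referer) and the sample lines themselves are constructed for the example; the IP for litte.ro is a TEST-NET placeholder because the post does not list it.

```python
"""Match proxy-log lines against the Angler EK indicators from the post
and reconstruct the compromised-site -> landing -> post-infection chain."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the post's ASSOCIATED DOMAINS list.
IOC_HOSTS = {
    "litte.ro": "compromised host",
    "rabe.barbarareamer.com": "Angler EK host",
    "vtechshop.net": "post-infection traffic",
}
IOC_IPS = {
    "185.46.11.147": "Angler EK",
    "203.124.115.1": "post-infection traffic",
}
IOC_URIS = {
    ("GET", "rabe.barbarareamer.com", "/topic/87254"): "Angler EK landing page",
    ("POST", "vtechshop.net", "/wcspng.php"): "TeslaCrypt post-infection POST",
}

# Constructed sample log (assumed format, not the post's pcap):
# timestamp client_ip dest_ip method host uri referer
SAMPLE_LOG = """\
2016-03-11T14:02:11 10.0.0.25 93.184.216.34 GET www.example.com / -
2016-03-11T14:03:40 10.0.0.25 198.51.100.7 GET litte.ro /index.php -
2016-03-11T14:03:42 10.0.0.25 185.46.11.147 GET rabe.barbarareamer.com /topic/87254 http://litte.ro/index.php
2016-03-11T14:03:45 10.0.0.25 185.46.11.147 GET rabe.barbarareamer.com /topic/87254 http://litte.ro/index.php
2016-03-11T14:04:02 10.0.0.25 203.124.115.1 POST vtechshop.net /wcspng.php -
2016-03-11T14:05:00 10.0.0.40 93.184.216.34 GET www.example.com /about -
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Event:
    ts: str
    client: str
    dst_ip: str
    method: str
    host: str
    uri: str
    referer: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, dst, method, host, uri, ref = m.groups()
    return Event(ts, client, dst, method, host, uri, None if ref == "-" else ref)


def match_event(ev: Event) -> List[str]:
    """Return every indicator (host, IP, method+host+URI) the event matches."""
    hits = []
    if ev.host in IOC_HOSTS:
        hits.append(f"host {ev.host}: {IOC_HOSTS[ev.host]}")
    if ev.dst_ip in IOC_IPS:
        hits.append(f"ip {ev.dst_ip}: {IOC_IPS[ev.dst_ip]}")
    key = (ev.method, ev.host, ev.uri)
    if key in IOC_URIS:
        hits.append(f"uri {ev.method} {ev.host}{ev.uri}: {IOC_URIS[key]}")
    return hits


def scan(log_text: str) -> List[Tuple[Event, List[str]]]:
    """Return (event, hits) for every log line that matches at least one IOC."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            hits = match_event(ev)
            if hits:
                out.append((ev, hits))
    return out


STAGES = ("compromised_host", "angler_landing", "post_infection")


def reconstruct_chain(log_text: str) -> Dict[str, List[str]]:
    """Per client IP, list the chain stages seen. The landing stage counts only
    when the Referer points at the compromised host, as in the post's screenshot."""
    seen: Dict[str, set] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stages = seen.setdefault(ev.client, set())
        if ev.host == "litte.ro":
            stages.add("compromised_host")
        elif (ev.method, ev.host, ev.uri) == ("GET", "rabe.barbarareamer.com", "/topic/87254"):
            ref_host = urlparse(ev.referer).hostname if ev.referer else None
            if ref_host == "litte.ro":
                stages.add("angler_landing")
        elif (ev.method, ev.host, ev.uri) == ("POST", "vtechshop.net", "/wcspng.php"):
            stages.add("post_infection")
    return {c: [s for s in STAGES if s in st] for c, st in seen.items() if st}


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_LOG):
        print(ev.ts, ev.client, "->", "; ".join(hits))
    print(reconstruct_chain(SAMPLE_LOG))
```

Requiring the Referer on the landing request is the useful part: a bare hit on 185.46.11.147 tells you a client touched the EK host, but the Referer from litte.ro is what ties it back to the compromised site, and the later POST to vtechshop.net is what separates an attempted exploit from a successful TeslaCrypt infection.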

IMAGES:

  [Image not reproduced] Injected script from compromised host

  [Image not reproduced] Referer from compromised site to Angler Exploit host

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 2cb4bb4fddf4c36648bffb6d8b5ebd9a – 2016-03-11-litte-ro-angler.swf (VirusTotal link)
  • abaac059195afd10bf444d73e0b2bdf2 – 2016-03-11-litte-ro-angler.exe (VirusTotal link)

For more details on this variant of Angler Exploit kit see post [HERE]