Angler EK sends Likely Zeus Derivative and Zbot


ASSOCIATED DOMAINS:

  • 85.93.0.81 – moledze.tk – EITEST GATE
  • 185.141.27.2 – kma7d.gyp8t114m.top – Angler EK LANDING PAGE
  • 178.151.83.176 – comodotrl.com – GET /cgi/b59005b.bin – POST INFECTION TRAFFIC
  • 178.151.83.176 – comodotrl.com – GET /cgi/c64374i.bin – POST INFECTION TRAFFIC
  • 178.151.83.176 – comodotrl.com – POST /cgi/rem.php – POST INFECTION TRAFFIC
  • 82.146.34.18 – greenbernuo.su – GET /1/qbdd.exe – POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: EITEST gate (.tk) and Angler Exploit Kit landing page (.top)


Shown above: Post-infection traffic following the Angler EK infection


Shown above: Emerging Threats rule set alerts flagging likely Zeus and Zbot traffic


MALICIOUS PAYLOAD DELIVERED BY ANGLER EXPLOIT KIT:

2016-05-26-Angler-EK.swf
  VirusTotal link
2016-05-26-qbdd.exe – renamed ywowo.exe after install
  VirusTotal link
  Hybrid-Analysis download link