2021-02-04 (THURSDAY) - RIG EK SENDS POSSIBLE BUERLOADER
ASSOCIATED FILES:
- 2021-02-04-Rig-EK-sends-possible-BuerLoader-IOCs.txt.zip   1.8 kB   (1,756 bytes)
- 2021-02-04-Rig-EK-sends-possible-BuerLoader-IOCs.txt (3,460 bytes)
- 2021-02-04-Rig-EK-sends-possible-BuerLoader.pcap.zip   22.7 MB   (22,732,971 bytes)
- 2021-02-04-Rig-EK-sends-possible-BuerLoader.pcap (23,933,370 bytes)
- 2021-02-04-sandbox-analysis-and-decrypt-key-for-possible-BuerLoader.zip   4.6 MB   (4,569,699 bytes)
- 2021-02-04-sandbox-analysis-SSLKeysLogFile.txt (531 bytes)
- 2021-02-04-sandbox-analysis-for-possible-BuerLoader.pcap (4,784,192 bytes)
- 2021-02-04-Rig-EK-malware-and-artifacts.zip   95.1 kB   (95,106 bytes)
- 2021-02-04-Rig-EK-artifact-3.tMp-in-Temp-folder.txt (1,152 bytes)
- 2021-02-04-Rig-EK-landing-page.txt (41,212 bytes)
- 2021-02-04-Rig-EK-payload-possible-BuerLoader.exe (99,840 bytes)
NOTE:
- All zip archives on this site are password-protected. If you don't know the password, see the "about" page of this website.
IMAGES:
- Image 1: Traffic from the infection filtered in Wireshark.
- Image 2: HTTPS traffic decrypted from Any.Run's sandbox analysis.
- Image 3: Decrypted HTTPS traffic to officewestunionbank[.]com, part 1.
- Image 4: Decrypted HTTPS traffic to officewestunionbank[.]com, part 2.
- Image 5: Decrypted HTTPS traffic to officewestunionbank[.]com, part 3.
- Image 6: Decrypted HTTPS traffic to telete[.]in.
- Image 7: Decrypted HTTPS traffic to globalsalespartscn[.]top, part 1.
- Image 8: Decrypted HTTPS traffic to globalsalespartscn[.]top, part 2.
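The decrypted views of the sandbox traffic depend on the SSLKeysLogFile exported with the Any.Run pcap. The script below is an added example (not from this page or from Any.Run) showing how to reproduce that decryption from the command line with tshark: it validates the NSS key log format first, then feeds the key log to tshark to list every decrypted HTTP request (host, method, URI). It assumes a Wireshark 3.x build, where the preference is named tls.keylog_file (older 2.x builds call it ssl.keylog_file), and the sample key log it writes is constructed from all-zero placeholder secrets, not real keys.

```shell
#!/bin/sh
# Added example (not part of the original page): decrypt the sandbox pcap
# using the NSS key log file that accompanies it, and list HTTP requests.
set -eu

KEYLOG="2021-02-04-sandbox-analysis-SSLKeysLogFile.txt"
PCAP="2021-02-04-sandbox-analysis-for-possible-BuerLoader.pcap"

# Count the well-formed secret lines in an NSS key log file.
# TLS 1.2: CLIENT_RANDOM <32-byte client random> <48-byte master secret>
# TLS 1.3: <LABEL> <32-byte client random> <32- or 48-byte traffic secret>
# Comment lines and truncated entries are not counted (Wireshark ignores them).
count_keylog_lines() {
    grep -cE '^(CLIENT_RANDOM|(CLIENT|SERVER)_HANDSHAKE_TRAFFIC_SECRET|(CLIENT|SERVER)_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]{64}([0-9a-fA-F]{32})?$' "$1" || true
}

# Write a constructed sample key log to the given path. The secrets are
# all-zero placeholders (constructed for this example, not real keys).
write_sample_keylog() {
    r=$(printf '%064d' 0)   # 32-byte client random, hex
    m=$(printf '%096d' 0)   # 48-byte TLS 1.2 master secret, hex
    s=$(printf '%064d' 0)   # 32-byte TLS 1.3 traffic secret, hex
    {
        printf 'CLIENT_RANDOM %s %s\n' "$r" "$m"
        printf 'CLIENT_TRAFFIC_SECRET_0 %s %s\n' "$r" "$s"
        printf '# comment lines and truncated entries are skipped\n'
        printf 'CLIENT_RANDOM %s deadbeef\n' "$r"
    } > "$1"
}

# Print one tab-separated line per decrypted HTTP request: host, method, URI.
# $1 = key log file, $2 = pcap. Wireshark 3.x preference name assumed.
decrypted_requests() {
    tshark -r "$2" -o "tls.keylog_file:$1" -Y 'http.request' \
        -T fields -e http.host -e http.request.method -e http.request.uri
}

# Stand-alone run: only attempt decryption when tshark and the pcap exist.
if command -v tshark >/dev/null 2>&1 && [ -f "$PCAP" ] && [ -f "$KEYLOG" ]; then
    echo "usable key log entries: $(count_keylog_lines "$KEYLOG")"
    decrypted_requests "$KEYLOG" "$PCAP"
fi
```

If the request list comes back empty even though the key log validates, the usual causes are a mismatched preference name on an older Wireshark, or a key log whose CLIENT_RANDOM values belong to a different capture than the pcap being read.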