{
	"id": "555a6a8c-b2b8-4a10-8f0d-5706da898144",
	"created_at": "2026-04-06T00:08:29.344821Z",
	"updated_at": "2026-04-10T03:21:06.470367Z",
	"deleted_at": null,
	"sha1_hash": "18f31ef0d247a551f6b32bc72ebeeece34a7b4d9",
	"title": "Rig EK via Rulan drops an Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 801644,
	"plain_text": "Rig EK via Rulan drops an Infostealer\r\nPublished: 2017-09-21 · Archived: 2026-04-02 11:34:38 UTC\r\nSummary:\r\nBack again with the Rulan campaign. Recently it has changed its usual payload and we have seen Quant Loader,\r\nCoin Miner and KINS.\r\nThis time it is back and dropped a payload which I have struggled to ID. It has all the characteristics of an\r\ninfostealer (gathering data then sending to C2). I’ve been unable to decipher what data it is sending and why. The\r\nC2 domains also did not trigger any ET/Snort rules.\r\nIt’s interesting for sure and I’d be interested to know more about it so keep an eye on Twitter.\r\nBackground Information:\r\nA few articles on Rig exploit kit and its evolution:\r\nhttps://www.uperesia.com/analyzing-rig-exploit-kit\r\nhttp://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html\r\nhttp://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html\r\nDownloads\r\n(in password protected zip)\r\n21-September-2018-Rig-Infostealer-PCAP -\u003e Pcap of traffic\r\n21-September-2017-Rig-Infostealer-CSV -\u003e CSV of traffic for IOCs\r\n21-September-2017-Infostealer -\u003e Infostealer –\r\n3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb\r\nUnfortunately having a few issues with WordPress so the payload is on tinyupload for now. Let me know if it\r\ngoes down.\r\nDetails of infection chain:\r\n(infection chain diagram; image in the original post)\r\nhttps://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/\r\nPage 1 of 5\r\n\r\nFull Details:\r\nRulan has been providing various payloads over the past week or so. A coin miner and even KINS were spotted\r\nearlier this week by @nao_sec.
It is still using a JS redirector and an HTTP refresh to redirect the victim to Rig EK.\r\nRig itself continues to change up its parameters, this time using “opas”, “hopas” and “shops”.\r\nThe RC4 key is now “marydcetoz”. You can use this to decrypt the payload from the pcap.\r\nThe payload appeared to be an infostealer by nature. I was unable to identify it though sought the aid\r\nof @James_inthe_box who dug further but could not identify it.\r\nSHA-256 3f9fd83a014de13794d4a701883e029de802533bac37f8c4489e7e00053054bb\r\nFile name eb11bac9e73f7f6fed3506e28a13dacbfa3fbdc0\r\nFile size 288 KB\r\nThe payload copied itself into a folder called “ZSysRaw” and the binary was named “sysraw.exe”. It then began to\r\ncollect information and store it in a folder called “data”.\r\nThe malware began with a POST request ending with “load.php”. It looks like Base64 but I could not decode it\r\ninto anything meaningful.\r\nNext it began to POST data from the text files it created. Again I could not decode this data. Each text file it\r\ncreated it then sent to the C2, with each file reaching a size of around 3 KB.\r\nThe payload did not trigger any signatures (ET/Snort) though its behaviour is indicative of an information stealer.\r\nKeep checking Twitter, it’s likely some more info will come!\r\nSource: https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/",
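The post states that the RC4 key “marydcetoz” decrypts the payload carried in the pcap. The block below is an added worked example of that step, not code from the original post or from its author. It assumes you have already carved the raw HTTP response for the payload request out of the pcap (for example with Wireshark's Follow TCP Stream, saving the server side as raw bytes) and that the response body is the RC4 ciphertext as the post describes. The `RIG_RC4_KEY` constant and all function names are the example's own, and the PE-shaped sample it encrypts for itself is constructed so the code runs offline; it is not a real Rig payload.

```python
"""
RC4 decryption of a Rig EK payload carved from a pcap (added example).

Assumptions, not from the original post: the caller has carved the raw
HTTP response for the payload request out of the pcap; the response body
is the RC4 ciphertext; the key is the string reported in the post.
"""
from typing import Optional

RIG_RC4_KEY = b"marydcetoz"  # key reported in the post for this campaign


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: one call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):           # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def http_body(raw_response: bytes) -> bytes:
    """Return the body of a raw HTTP/1.x response, honouring Content-Length if present."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found; is this a raw response?")
    for line in head.split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[: int(value.strip())]  # drop any trailing bytes from the carve
            break
    return body


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew : e_lfanew + 4] == b"PE\x00\x00"


def decrypt_rig_payload(raw_response: bytes, key: bytes = RIG_RC4_KEY) -> Optional[bytes]:
    """Decrypt the carved response body; return the plaintext only if it decodes to a PE."""
    plaintext = rc4(key, http_body(raw_response))
    return plaintext if looks_like_pe(plaintext) else None


def build_sample_response(key: bytes = RIG_RC4_KEY) -> bytes:
    """CONSTRUCTED test input: a minimal PE-shaped blob, RC4-encrypted under `key`,
    wrapped in an HTTP response. Stands in for bytes carved from the pcap; not a real payload."""
    e_lfanew = 0x80
    fake_pe = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    fake_pe[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    fake_pe += b"PE\x00\x00" + b"\x00" * 20 + b"This is not a real PE file"
    ciphertext = rc4(key, bytes(fake_pe))
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: " + str(len(ciphertext)).encode() + b"\r\n\r\n"
    )
    return headers + ciphertext


if __name__ == "__main__":
    sample = build_sample_response()
    pe = decrypt_rig_payload(sample)
    print("decrypted PE" if pe else "not a PE after decryption", len(pe or b""), "bytes")
    # A wrong key yields junk, so the MZ/PE sanity check rejects it instead of writing a bad file.
    print(decrypt_rig_payload(sample, key=b"wrongkey"))
```

To use it on the real capture, replace `build_sample_response()` with the bytes of the saved stream. The MZ/PE check is the guard a practitioner wants here: with a stale key, or a response that was not the payload, the function returns None rather than a plausible-looking but useless file.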
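The post notes that neither the C2 domains nor the payload fired any ET/Snort signatures, while the behaviour (a POST to a URI ending in load.php, then repeated POSTs of text files of roughly 3 KB each) is what marks it as an infostealer. The block below is an added example, not from the original post, that turns that description into a behavioural hunt over HTTP logs instead of a signature. The log lines are constructed in a simplified, Zeek-like column layout (not real http.log output and not from the post's pcap); the hosts and the upload URI are hypothetical, with only load.php taken from the post; and the thresholds (a 2 to 4 KB body band, three uploads, a 15 minute window) are assumptions to tune against your own traffic.

```python
"""
Behavioural hunt for the check-in-then-upload pattern described in the post.
Added example: log layout, hosts, URIs other than load.php, and thresholds
are all assumptions, not facts from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CONSTRUCTED sample in a simplified, Zeek-like layout (not real http.log output).
# Columns: ts, src, method, host, uri, request_body_len. Hosts and URIs are hypothetical.
SAMPLE_HTTP_LOG = """\
1505990000.1\t10.0.0.5\tPOST\tc2.example.invalid\t/gate/load.php\t412
1505990060.2\t10.0.0.5\tPOST\tc2.example.invalid\t/gate/put.php\t3012
1505990120.7\t10.0.0.5\tPOST\tc2.example.invalid\t/gate/put.php\t2987
1505990180.3\t10.0.0.5\tPOST\tc2.example.invalid\t/gate/put.php\t3105
1505990200.0\t10.0.0.7\tPOST\tcdn.example.invalid\t/api/load.php\t120
1505990300.0\t10.0.0.7\tGET\tcdn.example.invalid\t/index.html\t0
1505990400.0\t10.0.0.9\tPOST\tshop.example.invalid\t/checkout\t3001
1505990460.0\t10.0.0.9\tPOST\tshop.example.invalid\t/checkout\t3050
1505990520.0\t10.0.0.9\tPOST\tshop.example.invalid\t/checkout\t2990
"""


@dataclass
class Request:
    ts: float
    src: str
    method: str
    host: str
    uri: str
    body_len: int


def parse_log(text: str) -> List[Request]:
    """Parse the tab-separated sample layout into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, method, host, uri, body_len = line.split("\t")
        reqs.append(Request(float(ts), src, method.upper(), host, uri, int(body_len)))
    return reqs


def find_exfil_sessions(
    reqs: List[Request],
    min_uploads: int = 3,             # assumed: at least three uploads after the check-in
    lo: int = 2048, hi: int = 4096,   # assumed band around the ~3 KB files the post describes
    window: float = 900.0,            # assumed: uploads within 15 minutes of the check-in
) -> Dict[Tuple[str, str], dict]:
    """Flag (src, host) pairs where a POST to a URI ending in load.php is followed, within
    `window` seconds, by at least `min_uploads` POSTs whose bodies fall in [lo, hi] bytes.
    Uploads alone (10.0.0.9 below) or a check-in alone (10.0.0.7) do not qualify."""
    posts_by_pair: Dict[Tuple[str, str], List[Request]] = defaultdict(list)
    for r in reqs:
        if r.method == "POST":
            posts_by_pair[(r.src, r.host)].append(r)

    hits: Dict[Tuple[str, str], dict] = {}
    for pair, posts in posts_by_pair.items():
        posts.sort(key=lambda r: r.ts)
        for i, checkin in enumerate(posts):
            if not checkin.uri.lower().endswith("load.php"):
                continue
            uploads = [p for p in posts[i + 1:]
                       if p.ts - checkin.ts <= window and lo <= p.body_len <= hi]
            if len(uploads) >= min_uploads:
                hits[pair] = {
                    "checkin_ts": checkin.ts,
                    "uploads": len(uploads),
                    "bytes_out": sum(p.body_len for p in uploads),
                }
                break  # one hit per (src, host) pair is enough for triage
    return hits


if __name__ == "__main__":
    for (src, host), info in find_exfil_sessions(parse_log(SAMPLE_HTTP_LOG)).items():
        print(f"{src} -> {host}: {info['uploads']} uploads, {info['bytes_out']} bytes "
              f"after load.php check-in at {info['checkin_ts']}")
```

Because the post could not decode either the check-in or the upload bodies, the hunt keys on shape and sequence rather than content: a check-in to load.php followed by a burst of similarly sized POSTs to the same host. The two negative cases in the sample show why both halves matter; a shop that receives 3 KB checkout POSTs, or a site with a benign load.php endpoint, is not flagged on its own.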
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
	],
	"report_names": [
		"rig-ek-via-rulan-drops-an-infostealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18f31ef0d247a551f6b32bc72ebeeece34a7b4d9.pdf",
		"text": "https://archive.orkl.eu/18f31ef0d247a551f6b32bc72ebeeece34a7b4d9.txt",
		"img": "https://archive.orkl.eu/18f31ef0d247a551f6b32bc72ebeeece34a7b4d9.jpg"
	}
}