{
	"id": "2adce82e-400b-4daa-be42-00f378de52c3",
	"created_at": "2026-04-06T00:15:24.340202Z",
	"updated_at": "2026-04-10T13:12:52.859158Z",
	"deleted_at": null,
	"sha1_hash": "3913280c702e65115d6c5a5c2897173ff50fc214",
	"title": "Rig Exploit Kit sends Pitou.B Trojan - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6286640,
	"plain_text": "Rig Exploit Kit sends Pitou.B Trojan - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 19:51:04 UTC\r\nIntroduction\r\nAs I mentioned last week, Rig exploit kit (EK) is one of a handful of EKs still active in the wild.  Today's diary\r\nexamines another recent example of an infection caused by Rig EK on Monday 2019-06-24.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nShown above:  Some of the alerts generated by this infection using Security Onion with Suricata and the\r\nEmergingThreats Pro ruleset viewed in Sguil.\r\nMalvertising campaign redirect domain\r\nEK-based malvertising campaigns have \"gate\" domains that redirect to an EK.  In this case, the gate domain was\r\nmakemoneyeasywith[.]me.  According to Domaintools, this domain was registered on 2019-06-19, and indicators\r\nof this domain redirecting to Rig EK were reported as early as 2019-06-21.\r\nhttps://isc.sans.edu/diary/rss/25068\r\nPage 1 of 7\n\nShown above:  makemoneyeasywith[.]me redirecting to Rig EK landing page on 2019-06-24.\r\nRig EK\r\nThe Rig EK activity I saw on 2019-06-24 was similar to Rig EK traffic I documented in an ISC diary last week. \r\nSee the images below for details.\r\nShown above:  Rig EK landing page.\r\nShown above:  Rig EK sends a Flash exploit.\r\nShown above:  Rig EK sends a malware payload.\r\nThe malware payload\r\nThe malware payload sent by this example of Rig EK appears to be Pitou.B.  In my post-infection activity, I saw\r\nseveral attempts at malspam, but I didn't find DNS queries for any of the mail servers associated with this spam\r\ntraffic.\r\nPrior to the spam activity, I saw traffic over TCP port 2287 which matched a signature for ETPRO TROJAN\r\nWin32/Pitou.B, and it also fit the description for Pitou.B provided by Symantec from 2016.  I didn't let my\r\ninfected Windows host run long enough to generate DNS queries for remote locations described in Symantec's\r\nTechnical Description for this Trojan.  However, Any.Run's sandbox analysis of this malware shows DNS queries\r\nsimilar to the Symantec description that happened approximately 9 to 10 minutes after the initial infection activity.\r\nShown above:  Post-infection traffic over TCP port 2287.\r\nShown above:  Filtering for indications of SMTP traffic in the pcap.\r\nShown above:  Using the Export Objects function in Wireshark to see successfully sent spam.\r\nShown above:  An example of spam sent from my infected Windows host.\r\nShown above:  DNS queries seen from the Any.Run analysis of this Pitou.B sample.\r\nIndicators of Compromise (IoCs)\r\nThe following are IP addresses and domains associated with this infection:\r\n185.254.190[.]200 port 80 - makemoneyeasywith[.]me - Gate domain that redirected to Rig EK\r\n188.225.26[.]48 port 80 - 188.225.26[.]48 - Rig EK traffic\r\n195.154.255[.]65 port 2287 - Encoded/encrypted traffic caused by the Pitou.B Trojan\r\nvarious IP addresses over TCP port 25 - spam traffic from the infected Windows host\r\nvarious domains in DNS queries seen from the Any.Run analysis of this Pitou.B sample\r\nThe following are files associated with this infection:\r\nSHA256 hash: 9c569f5e6dc2dd3cf1618588f8937513669b967f52b3c19993237c4aa4ac58ea\r\nFile size: 9,203 bytes\r\nFile description: Flash exploit sent by Rig EK on 2019-06-24\r\nSHA256 hash: 835873504fdaa37c7a6a2df33828a3dcfc95ef0a2ee7d2a078194fd23d37cf64\r\nFile size: 827,904 bytes\r\nFile description: Pitou.B malware sent by Rig EK on 2019-06-24\r\nFinal words\r\nA pcap of the infection traffic along with the associated malware and artifacts can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/25068",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/25068"
	],
	"report_names": [
		"25068"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3913280c702e65115d6c5a5c2897173ff50fc214.pdf",
		"text": "https://archive.orkl.eu/3913280c702e65115d6c5a5c2897173ff50fc214.txt",
		"img": "https://archive.orkl.eu/3913280c702e65115d6c5a5c2897173ff50fc214.jpg"
	}
}