{
	"id": "3e370b38-7bf6-48a7-89b9-072fbee2d8fc",
	"created_at": "2026-04-06T00:18:35.471386Z",
	"updated_at": "2026-04-10T03:20:18.407127Z",
	"deleted_at": null,
	"sha1_hash": "f924cc480c14b5cbdcdb302b9831bbf03af9bd61",
	"title": "Malware-Traffic-Analysis.net - 2017-05-09 - Rig EK sends Bunitu",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1938971,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-05-09 - Rig EK sends Bunitu\r\nArchived: 2026-04-05 21:21:03 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-05-09-Rig-EK-sends-Bunitu.pcap.zip   462.1 kB (462,078 bytes)\r\n2017-05-09-Rig-EK-sends-Bunitu.pcap   (554,307 bytes)\r\n2017-05-09-Rig-EK-and-Bunitu-malware-and-artifacts.zip   247.8 kB (247,833 bytes)\r\n2017-05-09-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)\r\n2017-05-09-Rig-EK-flash-exploit.swf   (16,500 bytes)\r\n2017-05-09-Rig-EK-landing-page.txt   (118,254 bytes)\r\n2017-05-09-Rig-EK-payload.exe   (172,512 bytes)\r\n2017-05-09-slotdown_info.txt   (59,757 bytes)\r\n2017-05-09-slotdown3_info-1945.txt   (578 bytes)\r\nairzaxz.dll   (26,624 bytes)\r\nNOTES:\r\nI generated traffic based on a blog post by @Zerophage1337 about Rig EK (link) because I wanted to catch the Rig EK malware payload.\r\nThe Rig EK payload seems to be Bunitu based on the post-infection traffic.\r\nThis is similar to a post from Zerophage on 2017-03-20 and appears to be the same campaign.\r\nhttp://malware-traffic-analysis.net/2017/05/09/index.html\r\nPage 1 of 5\r\nShown above:  Tweet by @Zerophage1337 about this activity.\r\nTRAFFIC\r\nShown above:  Script in possible gate leading to the next step.\r\nShown above:  Script leading to Rig EK landing page.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nASSOCIATED DOMAINS:\r\n78.46.232[.]211 port 80 - slotdown[.]info - GET /   What appears to\r\n78.46.232[.]211 port 80 - slotdown3[.]info - GET /1945/?\r\n109.234.36[.]216 port 80 - free.420native[.]org - Rig EK\r\n209.85.144[.]100 port 443 - encrypted/encoded post-infection traffic\r\n85.25.110[.]235 port 443 - encrypted/encoded post-infection traffic\r\n217.118.19[.]171 port 443 - encrypted/encoded post-infection traffic\r\n96.44.144[.]181 port 443 - encrypted/encoded post-infection traffic\r\nDNS query for b.trabiudsfaum[.]net - resolved to 84.218.38[.]200 but no follow-up traffic\r\nDNS query for l.trabiudsfaum[.]net - resolved to 216.181.91[.]136 but no follow-up traffic\r\nICMP ping requests to 52.173.193[.]166 but no response\r\nFILE HASHES\r\nRIG EK FLASH EXPLOIT:\r\nSHA256 hash:  81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1\r\nFile size:  16,500 bytes\r\nRIG EK PAYLOAD (BUNITU):\r\nSHA256 hash:  b27b370597fc8155f518dbc07f188c30ebc8e1d210f181acaf36ddb20714d64e\r\nFile location:  C:\\Users\\[Username]\\AppData\\Local\\Temp\\[random characters].exe\r\nFile size:  172,512 bytes\r\nARTIFACT FROM THE INFECTED HOST:\r\nSHA256 hash:  43be87120cbd555dc926becbe92fd7a0b2a43d1dd0418b3184d59c676c81eaf6\r\nFile location:  C:\\Users\\[Username]\\AppData\\Local\\airzaxz.dll\r\nFile size:  26,624 bytes\r\nShown above:  Malware persistent on the infected Windows host.\r\nIMAGES\r\nShown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.\r\nShown above:  Escalating the Bunitu events reveals individual IP addresses that were contacted.\r\nShown above:  Alerts from the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.\r\nSource: http://malware-traffic-analysis.net/2017/05/09/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/05/09/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f924cc480c14b5cbdcdb302b9831bbf03af9bd61.pdf",
		"text": "https://archive.orkl.eu/f924cc480c14b5cbdcdb302b9831bbf03af9bd61.txt",
		"img": "https://archive.orkl.eu/f924cc480c14b5cbdcdb302b9831bbf03af9bd61.jpg"
	}
}