Zip File Containing a Masked exe Delivers CTB-Locker Ransomware
This zip file was found on Malwr.com. Below is the network traffic associated with the infection.
ASSOCIATED IP ADDRESSES AND DOMAINS:
- 220.127.116.11 – HTTPS – Germany, AS50472 Chaos Computer Club e.V.
- 18.104.22.168 – http://zsn5qtrgfpu4tmpg.onion.lt/
- 22.214.171.124 – HTTPS – Germany, AS250 AS250.net Foundation
The traffic pattern fits the family: CTB-Locker (Curve-Tor-Bitcoin) hosts its payment site as a Tor hidden service, and the .onion.lt hostname is that hidden service reached through a Tor2web gateway for victims without a Tor client. The HTTPS connections are consistent with Tor traffic rather than conventional web C2, so blocking the listed IPs alone gives little protection; the .onion hostname and the Tor2web gateway domains are the more durable indicators.
Shown above: CTB-Locker's persistence mechanism, a .pif file placed in the Windows start-up location that launches the payload. Windows runs PE content with a .pif extension exactly as it would a .exe, and Explorer hides the .pif extension by default (the NeverShowExt registry flag), so a name such as "document.pdf.pif" displays as "document.pdf". Information about .pif file extensions can be found on www.webopedia.com.
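The check below is an added example, not code from the original post: it scans a zip archive for members that look like a disguised executable of the kind described here, using the filename (an executable or always-hidden extension such as .pif, a double extension) and the first bytes of the member (an "MZ" PE header under a non-PE extension). The archive it scans is constructed inline and is not the sample from this post; the extension lists are the author's own selection, not an exhaustive Windows list.

```python
import io
import zipfile

# Extensions Windows executes on double-click; .pif and .scr are the classic
# choices for disguising a PE (assumed list, not exhaustive).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".cpl", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
}
# Extensions Explorer hides even when "hide extensions" is switched off
# (NeverShowExt): "invoice.pdf.pif" is displayed as "invoice.pdf".
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".url", ".scf"}
# Extensions under which PE content is expected, so an MZ header is not by
# itself suspicious.
PE_EXTS = {".exe", ".dll", ".com", ".scr", ".pif", ".cpl", ".sys"}


def classify_entry(name, head):
    """Return the reasons a zip member looks like a masked executable.

    name: member path inside the archive; head: its first bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    exts = ["." + p for p in parts[1:]]      # e.g. [".pdf", ".pif"]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if last in ALWAYS_HIDDEN_EXTS:
        reasons.append(f"{last} is hidden by Explorer (NeverShowExt)")
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension {''.join(exts)}")
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) present")
        if last not in PE_EXTS:
            reasons.append("PE content under non-PE extension")
    return reasons


def scan_zip(data):
    """Scan zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)           # enough for the DOS header magic
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive for the demo; not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "plain text, nothing to see")
        # Fake PE stub disguised as a PDF via a hidden .pif extension.
        zf.writestr("invoice_2015.pdf.pif", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        # PE content hidden under a document extension.
        zf.writestr("report.doc", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member)
        for reason in why:
            print("   -", reason)
```

The name-based checks catch the lure the attacker intends the victim to see; the MZ check catches the payload regardless of what it is called, which is why both are worth running on every member of an inbound archive rather than trusting the extension alone.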
PAYLOAD FROM MALICIOUS ZIP FILE:
VirusTotal link