Fallout Exploit Kit delivers suspect Remote Access Trojan (RAT)

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-11-25-FalloutEK-pcap.zip


ASSOCIATED DOMAINS:

185.220.34.245 – bitcoinsmaker.site GET /?utm_campaign=MIXppv – Redirect to Fallout EK
46.101.140.152 – torchlife4u.com/03-12-2005/5721/teriyaki?ephebic=10-02-1990 – Fallout EK
193.108.118.167 Port 443 – www.topvipsr.xyz – Post Infect Traffic
38.75.137.195 Port 17555 – r.twotouchauthentication.online – Post Infect Traffic
38.75.137.14 Port 9000 – bestip.tech GET /preview – Post Infect Traffic
38.75.137.14 Port 9000 – bestip.tech GET /msg/notify/?token= – Post Infect Traffic

ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[Sysmon Event 3 – Suspected process injection]
Image C:\Windows\System32\msdtc.exe
User NT AUTHORITY\SYSTEM
Protocol tcp
SourceIp 192.168.1.3
DestinationIp 193.108.118.167
DestinationHostname 167-118-108-193.clients.gthost.com
DestinationPort 443
DestinationPortName https

[Sysmon Event 3 – Suspected process injection]
Image C:\Windows\System32\wuauclt.exe
User NT AUTHORITY\SYSTEM
Protocol tcp
SourceIp 192.168.1.3
DestinationIp 38.75.137.14
DestinationHostname
DestinationPort 9000
DestinationPortName

[Sysmon Event 3 – Suspected process injection]
Image C:\Windows\System32\wbem\WmiPrvSE.exe
User NT AUTHORITY\SYSTEM
Protocol tcp
SourceIp 192.168.1.3
DestinationIp 38.75.137.195
DestinationHostname
DestinationPort 17555
DestinationPortName
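The three Sysmon records above share one pattern: a Windows system binary (msdtc.exe, wuauclt.exe, WmiPrvSE.exe) running as SYSTEM opening a TCP session to a public host, twice on a non-standard port. The script below is an added example for hunting that pattern; it is not part of the original post. It parses Event ID 3 records written in the same key/value layout used above, matches destinations against the post's indicator list, and flags the injected-process behaviour. The sample records are constructed to mirror the three listed above plus two benign ones (a WSUS check-in and a browser session) so the checks can be seen not firing; the WSUS hostname, the user name and the browser path are made-up values.

```python
"""Hunt Sysmon Event ID 3 dumps for the Fallout EK post-infection pattern.
Added example, not the post's own tooling; sample records are constructed."""
import ipaddress

# Destination IPs from the post's ASSOCIATED DOMAINS list.
IOC_IPS = {
    "185.220.34.245": "bitcoinsmaker.site (redirect to Fallout EK)",
    "46.101.140.152": "torchlife4u.com (Fallout EK)",
    "193.108.118.167": "www.topvipsr.xyz (post-infection, 443)",
    "38.75.137.195": "r.twotouchauthentication.online (post-infection, 17555)",
    "38.75.137.14": "bestip.tech (post-infection, 9000)",
}

# System binaries the post shows carrying the C2 traffic. None of them needs an
# outbound session to an arbitrary public host, so that alone is worth a look.
SUSPECT_IMAGES = {
    r"c:\windows\system32\msdtc.exe",
    r"c:\windows\system32\wuauclt.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed records: the three from the post, a benign WSUS check-in
# (wuauclt.exe to an internal host) and a benign browser session.
SAMPLE_EVENTS = r"""
[Sysmon Event 3]
Image C:\Windows\System32\msdtc.exe
User NT AUTHORITY\SYSTEM
DestinationIp 193.108.118.167
DestinationHostname 167-118-108-193.clients.gthost.com
DestinationPort 443

[Sysmon Event 3]
Image C:\Windows\System32\wuauclt.exe
User NT AUTHORITY\SYSTEM
DestinationIp 38.75.137.14
DestinationHostname
DestinationPort 9000

[Sysmon Event 3]
Image C:\Windows\System32\wbem\WmiPrvSE.exe
User NT AUTHORITY\SYSTEM
DestinationIp 38.75.137.195
DestinationHostname
DestinationPort 17555

[Sysmon Event 3]
Image C:\Windows\System32\wuauclt.exe
User NT AUTHORITY\SYSTEM
DestinationIp 192.168.1.10
DestinationHostname wsus.corp.example
DestinationPort 8530

[Sysmon Event 3]
Image C:\Program Files\Google\Chrome\Application\chrome.exe
User CORP\alice
DestinationIp 93.184.216.34
DestinationHostname example.com
DestinationPort 443
"""


def parse_sysmon_events(text):
    """Split a key/value dump into records (dicts). Records are separated by
    blank lines; a '[...]' header line starts a record; a key with no value
    (e.g. 'DestinationHostname') is kept with an empty string."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        if line.startswith("["):
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
    if current:
        events.append(current)
    return events


def is_public(ip):
    """True for globally routable addresses; False for RFC1918, loopback, junk."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def assess(event):
    """Return the reasons an Event 3 record is suspicious (empty list = clean)."""
    reasons = []
    dst = event.get("DestinationIp", "")
    image = event.get("Image", "").lower()
    port = int(event.get("DestinationPort", "0") or 0)
    if dst in IOC_IPS:
        reasons.append("destination matches IOC: " + IOC_IPS[dst])
    if image in SUSPECT_IMAGES and is_public(dst):
        name = image.rsplit("\\", 1)[-1]
        reasons.append(name + " reaching a public host as " + event.get("User", "?"))
    if is_public(dst) and port not in (80, 443):
        reasons.append("non-standard destination port " + str(port))
    return reasons


def hunt(text):
    """Return only the records that produced findings, with reasons attached."""
    hits = []
    for ev in parse_sysmon_events(text):
        reasons = assess(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["DestinationIp"], hit["DestinationPort"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The "public host" heuristic is deliberately broad: wuauclt.exe legitimately reaches Microsoft update ranges over 443, so in production you would pair it with an allowlist of known update and CRL destinations and keep the IOC match and non-standard-port checks as the high-confidence signals.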

IMAGES AND DETAILS:

[Image not included in this extract] Shown above: network traffic associated with Fallout EK and post-infection traffic

[Image not included in this extract] Shown above: some of the DNS queries observed during infection

MALICIOUS PAYLOAD ASSOCIATED WITH FALLOUT EK:

vzXjFcAl.tmp – Original Payload
SHA256: 884b22765e0e8fa1addd9c9939b910436efd6dc601d450155656b24ac7da1b79
VirusTotal Link