2019/09/21 RIG EK -> Smokeloader -> Other Malware

tkanalyst, Sep 21st, 2019
#Malvertising -> #RIGEK -> #Smokeloader

#Crysis & #Kpot & #DarkRat

[Example Payload]
https://app.any.run/tasks/47c33e63-9d75-4869-8b9a-caead9759135
https://app.any.run/tasks/3241402e-8a4e-4974-9e19-68a484e66903
====================================================================
Main object - "rad17AB0.tmp.exe"
    sha256  a0a1f4e33a3c91564bc6beaa5f47469ee4d7267a1b7aff4e11852153223f4c79
    sha1    62b6171812cf5bc4a67d38ecddf0a3eb75bbdcad
    md5     f77225b0097e989c0da690eb6bf79095
Dropped executable files
    sha256  C:\Users\admin\AppData\Roaming\fthtujv  a0a1f4e33a3c91564bc6beaa5f47469ee4d7267a1b7aff4e11852153223f4c79
    sha256  C:\Users\admin\AppData\Local\Temp\F518.tmp.exe  79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1
    sha256  C:\Users\admin\AppData\Local\Temp\F901.tmp.exe  772c0bbaf5482f408fd50678dbdae5bf9ee85fd9c4327327a20b664803d20da6
    sha256  C:\Users\admin\AppData\Local\Temp\FFF7.tmp.exe  503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
    sha256  C:\Users\admin\AppData\Local\Temp\D47F.tmp  3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
DNS requests
    domain  advertmarin48.world
    domain  www.advertmarin48.world
    domain  mailsmall78.club
    domain  mailserv964k.world
    domain  advertstat233.world
    domain  pastebin.com
Connections
    ip  198.54.117.216
    ip  192.64.119.19
    ip  185.25.50.147
    ip  5.9.26.115
    ip  213.252.247.115
    ip  104.22.3.84
HTTP/HTTPS requests
    url http://advertmarin48.world/serverlogs29/
    url http://www.advertmarin48.world/serverlogs29/?from=@
    url http://mailsmall78.club/serverlogs29/
    url http://mailserv964k.world/sky/dmx737tx.exe
    url http://mailserv964k.world/sky/crot999px.exe
    url http://advertstat233.world/4rTpPY1f3zP4LAUq/conf.php
    url http://mailserv964k.world/spread.exe
    url http://pastebin.com/raw/dNqyCpKw
====================================================================
Main object - "spread.exe"
    sha256  503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
    sha1    d441fd9ef841e5befa0584ac2f51e4c7090688ab
    md5     3c91eb49b0677e64ff7e9058b38782ce
Dropped executable file
    sha256  C:\Users\admin\AppData\Roaming\Microsoft\Windows\jrQDjpZPtB.exe  503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
DNS requests
    domain  pastebin.com
Connections
    ip  104.22.3.84
    ip  104.223.20.200
HTTP/HTTPS requests
    url http://pastebin.com/raw/dNqyCpKw
    url http://104.223.20.200/request