- 2019-10-07
- #Malvertising -> #RIGEK -> #Smokeloader
- #Crysis/#Dharma(#Ransomware) & #Predator & #Quasar & #MedusaHTTP & #loader
- [Example Payload]
- https://app.any.run/tasks/66b973ea-bb8f-4b5b-a39d-8b3d93f0e8b6
- [Comment]
- crot777amx.exe -> Quasar
- https://app.any.run/tasks/34be858b-78a9-40c3-a876-2475aa8fbfca
- dmx777.exe -> Crysis/Dharma(Ransomware)
- https://app.any.run/tasks/4c093898-1a1e-4e75-a942-c536a2b67b36
- pred777amx.exe -> Predator
- https://app.any.run/tasks/81db8001-92a7-48b5-bba1-72d053373732
- socks777amx.exe -> MedusaHTTP & loader(pred777amx.exe) -> Predator
- https://app.any.run/tasks/52e85b65-2d99-41e2-8ce2-07ec122b7eb7
- dos777.exe -> MedusaHTTP & loader(dmx777.exe) -> Crysis/Dharma(Ransomware) & loader(atx555mx.exe) -> Smokeloader(gab.exe) -> Dreambot
- https://app.any.run/tasks/e7f3afcb-d4c3-44e6-be15-e5be5db8def3
- ============================================================================
- Main object - "naekphc3.exe"
- sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
- sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
- md5 b475e2c4e285f8f7b741aac9e7e1cabf
- Dropped executable file
- sha256 C:\Windows\System32\41A3.tmp.exe 935c329c9d6147956d5733fdc5a5d09f0290b7090df20eb6f544137a10522d72
- sha256 C:\Users\admin\AppData\Local\Temp\2D7D.tmp.exe 927249fc5e703faf3e86fe03335b3a5cc4effe03da9791a41dbb7184025983e6
- sha256 C:\Users\admin\AppData\Local\Temp\37DE.tmp.exe a77fea7a9f6601dde157e962de3575cd17f488d80b1e0276332eb5012f259f17
- sha256 C:\Users\admin\AppData\Local\Temp\5C7F.tmp.exe 235ff8fef6cf9acdf6f0ae060c0c9a6675647162eda7b7b08740590724acd4fe
- sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
- sha256 C:\Users\admin\AppData\Roaming\fthtujv f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
- sha256 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif.id-7CD9E0E6.[admin@stex777.com].money 6a6c6e3a3753437d3dabb4285cde8429d669e0f97b478a07aee3c10451cf7a62
- sha256 C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ENVELOPR.DLL.trx_dll.id-7CD9E0E6.[admin@stex777.com].money cbc381edd0ef4959825785a9c0f8ba6ea0918f33165757f5606a2aa9040afb8a
- sha256 C:\Users\admin\AppData\Local\Temp\0648fb44.exe 269662d5d2d7522fa2b88be8de2a3540e1443fba1a9d6c8139177a3a5a78bd2d
- DNS requests
- domain advertmarin48.world
- domain dsmaild544x.xyz
- domain www.mailsmall78.club
- domain mailsmall78.club
- domain kxservxmar75.club
- domain bmailserv19fd.world
- domain cmailadvert15dx.world
- domain ip-api.com
- domain valiulla.ru
- domain cdnshop78.world
- Connections
- ip 5.9.26.115
- ip 192.64.119.20
- ip 138.201.51.42
- ip 198.54.117.211
- ip 213.227.154.235
- ip 5.45.117.75
- ip 45.11.19.216
- ip 54.38.92.92
- ip 64.188.13.201
- ip 104.27.182.122
- ip 104.19.197.151
- HTTP/HTTPS requests
- url http://mailsmall78.club/serverlogs29/
- url http://dsmaild544x.xyz/serverlogs29/
- url http://cdnshop78.world/forums/members/api.jsp
- url http://cmailadvert15dx.world/crot777amx.exe
- url http://kxservxmar75.club/serverlogs29/
- url http://bmailserv19fd.world/api/check.get
- url http://cmailadvert15dx.world/pred777amx.exe
- url http://213.227.154.235/sky/new/dos777.exe
- url http://www.mailsmall78.club/serverlogs29/?from=@
- url http://5.45.117.75:2012/websocket
- url http://cmailadvert15dx.world/sky/dmx777.exe
- url http://cmailadvert15dx.world/socks777amx.exe
- url http://ip-api.com/json/