tkanalyst

2019/10/07 RIG EK -> Smokeloader -> OtherMalware

Oct 7th, 2019
2019-10-07
#Malvertising -> #RIGEK -> #Smokeloader

#Crysis/#Dharma(#Ransomware) & #Predator & #Quasar & #MedusaHTTP & #loader

[Example Payload]
https://app.any.run/tasks/66b973ea-bb8f-4b5b-a39d-8b3d93f0e8b6

[Comment]
crot777amx.exe -> Quasar
https://app.any.run/tasks/34be858b-78a9-40c3-a876-2475aa8fbfca

dmx777.exe -> Crysis/Dharma(Ransomware)
https://app.any.run/tasks/4c093898-1a1e-4e75-a942-c536a2b67b36

pred777amx.exe -> Predator
https://app.any.run/tasks/81db8001-92a7-48b5-bba1-72d053373732

socks777amx.exe -> MedusaHTTP & loader(pred777amx.exe) -> Predator
https://app.any.run/tasks/52e85b65-2d99-41e2-8ce2-07ec122b7eb7

dos777.exe -> MedusaHTTP & loader(dmx777.exe) -> Crysis/Dharma(Ransomware) & loader(atx555mx.exe) -> Smokeloader(gab.exe) -> Dreambot
https://app.any.run/tasks/e7f3afcb-d4c3-44e6-be15-e5be5db8def3

============================================================================
Main object - "naekphc3.exe"
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf
Dropped executable file
DNS requests
Connections
HTTP/HTTPS requests