2019/09/14 RIG EK -> Smokeloader -> Crysis & Predator & Quas

1. https://app.any.run/tasks/4bac45f4-f6ab-4438-9ff9-0ced0194ff80
2.  
3. Main object- "radDC934.tmp.exe"
4. sha256 6dac7e7bfa835c94da14bb5b10a0117ccf61774f06624d1b8767aea8242b38a9
5. sha1 2dc0eed3900fa95dee964422c0129ae6b65d4f68
6. md5 841b406c713b0254c5551a4344f8ba6f
7. Dropped executable file
8. sha256 C:\Users\admin\AppData\Roaming\fthtujv 6dac7e7bfa835c94da14bb5b10a0117ccf61774f06624d1b8767aea8242b38a9
9. sha256 C:\Users\admin\AppData\Local\Temp\6CB.tmp.exe 2dd627cc695dbc98426d8bc430e8fee9bb812e258dfff155dcf3d6bad8f3af74
10. sha256 C:\Users\admin\AppData\Local\Temp\190C.tmp.exe cea419b90c0a4583355c51e2e2f1db76656db2ef7ac908af9a36d08394a282e4
11. sha256 C:\Users\admin\AppData\Local\Temp\3995.tmp.exe cc05183c9ed098b662620d311e2192cfe77fc3970c851dc58f419ec55fbd9c02
12. sha256 C:\Users\admin\AppData\Local\Temp\51D1.tmp.exe b619b5be9f183bf1bc8a689032cf9bc3ee0be7b7e5898ff2c492bd602a57277c
13. sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
14. sha256 C:\Program Files\Common Files\Microsoft Shared\THEMES14\DEEPBLUE\PREVIEW.GIF.id-7CD9E0E6.[3442516480@qq.com].pdf 57a98b5196212cf9a382b24fa5be6b24a441730587c1fb03eb02d770c990c596
15. DNS requests
16. domain advertserv25.world
17. domain sdstat97tp.world
18. Connections
19. ip 5.101.181.35
20. ip 5.9.26.115
21. ip 119.207.64.144
22. ip 176.57.69.128
23. ip 5.101.191.51
24. HTTP/HTTPS requests
25. url http://advertserv25.world/logstatx77/
26. url http://sdstat97tp.world/sky/dmx444pm.exe
27. url http://sdstat97tp.world/pred111mx22.exe
28. url http://sdstat97tp.world/mp222sg.exe
29. url http://sdstat97tp.world/qq777.exe
30. url http://176.57.69.128/api/check.get
31. url http://5.101.191.51:2012/websocket