tkanalyst

2019/10/11 RIG EK -> Smokeloader -> Nemty and more

Oct 10th, 2019
2019-10-11
#Malvertising -> #RIGEK -> #Smokeloader

#NEMTY v1.6 (#Ransomware) & #Quasar & MedusaHTTP & ...

[Example Payload]
https://app.any.run/tasks/d662c74a-17dc-4902-bb11-cc93cfb0886f

/crot777amx.exe -> Quasar
https://app.any.run/tasks/7bcf758a-788a-4c3d-8ac1-aa8a76385785

/elin.exe -> NEMTY v1.6
https://app.any.run/tasks/3344da77-b7b9-4014-b74d-dd302c64c80c

/socks777amx.exe -> MedusaHTTP
https://app.any.run/tasks/972e4047-7e70-49eb-a185-8c5328c104ad

/sky/new/dos777.exe -> MedusaHTTP
https://app.any.run/tasks/63994f2a-c9cc-402a-8b5e-3a020fa1c72e

/chapo/chapo777.exe -> Unknown (Tor)
https://app.any.run/tasks/943eade4-da22-4041-a72a-3a078539ff67

[Comment]
/bro111.exe
/chapo/chapo777.exe
/crot777amx.exe
/crot777mx.dll
/dan777.exe
/dmx777amx.exe
/dor.exe
/elin.exe
/evi111.exe
/evi999.exe
/gab.exe
/greem.exe
/guc.exe
/hit777.exe
/hrd777.exe
/isb777amx.exe
/kam.exe
/pak.exe
/pak444.exe
/pred777amx.exe
/relax/pred999.exe
/skd.exe
/sky/dmx777.exe
/sky/new/dos777.exe
/socks777amx.exe
/tap.exe
/vnc777.exe
/vodka.exe
and more payloads ...

[memo]
https://app.any.run/tasks/ab06872e-7e84-4b11-b161-b15e1a1e936c

===========================================================================================================
Main object - "lck3dhrk.exe"
sha256 1be738710027bd65b5a54d085d3905faa4dcd476f5198838c3cbdb6c9a6e435c
sha1 1bc7d2fba7fd771e99fe44f9dddffce226d0f433
md5 978fe8d21f6e7f78397c5a950d1ef034
Dropped executable files
sha256 C:\Users\admin\AppData\Roaming\fthtujv 1be738710027bd65b5a54d085d3905faa4dcd476f5198838c3cbdb6c9a6e435c
sha256 C:\Users\admin\AppData\Local\Temp\B042.tmp.exe 809c1cba2bd47ada9f1db0f64220cf01a87fdf7d3e1947382e1623bcb1c2ec5b
sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
sha256 C:\Users\admin\AppData\Roaming\local\MicrosoftVisualBasicVsa.dll 8f1965758f46265104ee27a855ead8cf3b37a3408f55e4fcbc6221dd47229f0e
sha256 C:\Users\admin\AppData\Local\Temp\nswB8FD.tmp\System.dll 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
sha256 C:\Users\admin\AppData\Local\Temp\nswB8FD.tmp\BgImage.dll e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04
DNS requests
domain csdstat14tp.world
domain advertpage75.com
domain api.db-ip.com
domain api.ipify.org
domain cdnshop78.world
domain bbouble.xyz
domain vulcan-stars.club
domain nemty.hk
Connections
ip 45.11.19.102
ip 198.23.141.107
ip 107.22.193.167
ip 5.45.127.135
ip 192.35.177.64
ip 82.146.39.206
ip 185.136.168.132
ip 104.25.2.33
ip 104.18.61.30
ip 198.23.202.49
HTTP/HTTPS requests
url http://advertpage75.com/serverstat315/
url http://api.ipify.org/
url http://api.db-ip.com/v2/free/104.218.63.76/countryName
url http://cdnshop78.world/forums/members/api.jsp
url http://198.23.202.49/sky/new/dos777.exe
url http://csdstat14tp.world/elin.exe
url http://5.45.127.135:2012/websocket
url http://csdstat14tp.world/sky/new/dos777.exe
url http://csdstat14tp.world/socks777amx.exe
url http://csdstat14tp.world/chapo/chapo777.exe
url http://csdstat14tp.world/crot777amx.exe