tkanalyst

2019/10/17 RIG EK -> Smokeloader -> Remcos and more

Oct 16th, 2019
  1. 2019-10-17
  2. #RIGEK -> #Smokeloader (first stage: Smokeloader delivered by the RIG exploit kit)
  3.  
  4. Second-stage payloads in this chain (per the title, "Smokeloader -> Remcos and more"): #Remcos & #Raccoon & #Predator
  5.  
  6. [Example Payload] — a single any.run sandbox detonation dated 2019-10-17; every indicator below comes from that one run. Treat the network infrastructure as historical (likely rotated since) and prefer the host drop paths and URL path patterns over bare IPs/domains for long-lived detections.
  7. https://app.any.run/tasks/a3de0c20-8ef3-46ef-957a-8532fdbd72d3
  8.  
  9. ========================================================================================================
  10. Main object (initial payload): "trwwtw.exe" — the same sha256 reappears below as C:\Users\admin\AppData\Roaming\fthtujv, i.e. the sample copies itself into %APPDATA% under a random name (a useful host artifact).
  11. sha256 c5f8b335c777a16cc0ba6206da80f2618cde5638bc44de317cb8ff8451cff201
  12. sha1 b5d68bfbbab0c0803a74f22a838812ca122754af
  13. md5 a7b895a414565139f57ffde835d29007
  14. Dropped files (path, then sha256). Caveat: the AdLibs\ set — nss3.dll, softokn3.dll, freebl3.dll, nssckbi.dll, mozglue.dll, ldap60.dll and friends, plus sqlite3.dll, vcruntime140.dll, msvcp140.dll, ucrtbase.dll and the api-ms-win-* forwarders — carry the names of legitimate Mozilla NSS/NSPR, SQLite and VC++/UCRT runtime libraries and appear to be pulled in via the libs.zip / sqlite3.dll URLs listed further down. Verify those hashes against known-good copies before treating them as malicious indicators; the unusual drop location (%TEMP%\AdLibs\) is the better hunting signal.
  15. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\prldap60.dll 46b005817868f91cf60baa052ee96436fc6194ce9a61e93260df5037cdfa37a5
  16. sha256 C:\Users\admin\AppData\Local\Temp\CAB0.tmp.exe adf18a60c70f22aa6354677ba5dde1084e76d4b9d3c54fc4d81a3c802f256d52
  17. sha256 C:\Users\admin\AppData\Local\Temp\D4F2.tmp.exe 28458a8bcd9b25caddf6513f057d4f7b44eb33d12776890510cc936f0d2c4a3e
  18. sha256 C:\Users\admin\AppData\Local\Temp\DDCC.tmp.exe 9ce8ad9307f556e5335ee5f6d8739882c9320f7da90646038bbf483a5f31245f
  19. sha256 C:\Users\admin\AppData\Local\Temp\C09C.tmp.exe 9d9b4c7194d4b844716396432a204671335bfebeb659427d5393b8d7110a2358
  20. sha256 C:\Users\admin\AppData\Local\Temp\D5CB.tmp.exe b1a3561698b8cdc7aee2029bc28de692e3a41d98f06750edf592520fb02a18ac
  21. sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
  22. sha256 C:\Users\admin\AppData\Roaming\u2\mailto\connectt\DbgUrtMui.dll f92e892e0ab61777ccc108d258c546c4cc4cc9034d0e766654a96fd7cbfbaabe
  23. sha256 C:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\resgen.exe b8de815c5403f6e050222d3951e4ce24d2786db3e659a9bbc5c6b3e79b5127b7
  24. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\MapiProxy.dll bcfb0e397df40aba8c8c5dd23c13c414345decdd3d4b2df946226be97defbf30
  25. sha256 C:\Users\admin\AppData\Roaming\period\plan\frequency\clean\msddslmp.dll e457bf97dedc3a13e4d07665bb559edafde145798057d8d48cc892adc7ad1960
  26. sha256 C:\Users\admin\AppData\Local\Temp\namespace\CMAccept.exe 980a535ef48369fa83fe881e232c3f12ea34c93b06178b53ee441a73d54d7f02
  27. sha256 C:\Users\admin\AppData\Local\Temp\paraphrase.dll 4f590bad96336098d958609753b45183e050164e2261937a18056038c5131ce4
  28. sha256 C:\Users\admin\AppData\Local\Temp\nsq9A07.tmp\System.dll 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  29. sha256 C:\Users\admin\AppData\Local\Temp\notepad.exe b56afe7165ad341a749d2d3bd925d879728a1fe4a4df206145c1a69aa233f68b
  30. sha256 C:\Users\admin\AppData\Local\Temp\sqlite3.dll 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  31. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\nssdbm3.dll be3987a6cd970ff570a916774eb3d4e1edce675e70edac1baf5e2104685610b0
  32. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\libEGL.dll 7b9fc6be34f43d39471c2add872d5b4350853db11cc66a323ef9e0c231542fb9
  33. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\qipcap.dll 7a589024cf0eeb59f020f91be4fe7ee0c90694c92918a467d5277574ac25a5a2
  34. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\softokn3.dll 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
  35. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\vcruntime140.dll c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  36. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\ucrtbase.dll 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
  37. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\AccessibleMarshal.dll d368eb240106f87188c4f2ae30db793a2d250d9344f0e0267d4f6a58e68152ad
  38. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\breakpadinjector.dll 87ed943d2f06d9ca8824789405b412e770fe84454950ec7e96105f756d858e52
  39. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\AccessibleHandler.dll a1a2bb03a7cfcea8944845a8fc12974482f44b44fd20be73298ffd630f65d8d0
  40. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\freebl3.dll 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
  41. sha256 C:\Users\admin\AppData\Roaming\fthtujv c5f8b335c777a16cc0ba6206da80f2618cde5638bc44de317cb8ff8451cff201   (identical hash to the main object trwwtw.exe — self-copy to %APPDATA% with a random, extension-less name)
  42. sha256 C:\Users\admin\AppData\Roaming\USER\doinstall\strFormId\logo\msdnmui.dll 8638015b2bbc5b04029749aeb78e14521b5928737ca5e03bbcc2c0ec1a47f6cf
  43. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\ldif60.dll 3aabbe0aa86ce8a91e5c49b7de577af73b9889d7f03af919f17f3f315a879b0f
  44. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\mozglue.dll a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
  45. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\lgpllibs.dll 7f93b70257d966ea1c1a6038892b19e8360aadd8e8ae58e75ebb0697b9ea8786
  46. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\IA2Marshal.dll 621f38bd19f62c9ce6826d492ecdf710c00bbdcf1fb4e4815883f29f1431dfda
  47. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\mozMapi32.dll 06ef2010b738fbe99bcdebbf162473a4ee090678bb6862eeb0d4c7a8c3f225bb
  48. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\ldap60.dll 2b128b3702f8509f35cad0d657c9a00f0487b93d70336df229f8588fba6ba926
  49. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-locale-l1-1-0.dll 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
  50. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\nss3.dll 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
  51. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-synch-l1-2-0.dll 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
  52. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-timezone-l1-1-0.dll 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
  53. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-util-l1-1-0.dll f7d450a0f59151bcefb98d20fcae35f76029df57138002db5651d1b6a33adc86
  54. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-synch-l1-1-0.dll 5dd4ccd63e6ed07ca3987ab5634ca4207d69c47c2544dfefc41935617652820f
  55. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-conio-l1-1-0.dll 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
  56. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-rtlsupport-l1-1-0.dll 2257fea1e71f7058439b3727ed68ef048bd91dcacd64762eb5c64a9d49df0b57
  57. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-processenvironment-l1-1-0.dll 96898930ffb338da45497be019ae1adcd63c5851141169d3023e53ce4c7a483e
  58. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-sysinfo-l1-1-0.dll 4b704b36e1672ae02e697efd1bf46f11b42d776550ba34a90cd189f6c5c61f92
  59. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-heap-l1-1-0.dll 44f6df4280c8ecc9c6e609b1a4bfee041332d337d84679cfe0d6678ce8f2998a
  60. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-processthreads-l1-1-0.dll 9dab884071b1f7d7a167f9bec94ba2bee875e3365603fa29b31de286c6a97a1d
  61. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-processthreads-l1-1-1.dll 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
  62. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-namedpipe-l1-1-0.dll c4f60f911068ab6d7f578d449ba7b5b9969f08fc683fd0ce8e2705bbf061f507
  63. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-string-l1-1-0.dll 7670fdede524a485c13b11a7c878015e9b0d441b7d8eb15ca675ad6b9c9a7311
  64. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\nssckbi.dll 2481da1c459a2429a933d19ad6ae514bd2ae59818246ddb67b0ef44146ced3d8
  65. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-environment-l1-1-0.dll c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
  66. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-multibyte-l1-1-0.dll 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
  67. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-filesystem-l1-1-0.dll 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
  68. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-private-l1-1-0.dll 65ded8d2ce159b2f5569f55b2caf0e2c90f3694bd88c89de790a15a49d8386b9
  69. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-file-l2-1-0.dll c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
  70. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-runtime-l1-1-0.dll c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
  71. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-process-l1-1-0.dll c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
  72. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-stdio-l1-1-0.dll b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
  73. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-convert-l1-1-0.dll 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
  74. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-heap-l1-1-0.dll f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
  75. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-time-l1-1-0.dll 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
  76. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-string-l1-1-0.dll 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
  77. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-math-l1-1-0.dll bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
  78. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\msvcp140.dll 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  79. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-profile-l1-1-0.dll 8eb5270fa99069709c846db38be743a1a80a42aa1a88776131f79e1d07cc411c
  80. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-memory-l1-1-0.dll bb33a9e906a5863043753c44f6f8165afe4d5edb7e55efa4c7e6e1ed90778eca
  81. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-handle-l1-1-0.dll 945cc64ee04b1964c1f9fcdc3124dd83973d332f5cfb696cdf128ca5c4cbd0e5
  82. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-localization-l1-2-0.dll 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
  83. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-file-l1-2-0.dll c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
  84. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-crt-utility-l1-1-0.dll a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
  85. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-libraryloader-l1-1-0.dll bb25ccf8694d1fcfce85a7159dcf6985fdb54728d29b021cb3d14242f65909ce
  86. sha256 C:\Users\admin\AppData\Local\Temp\AdLibs\api-ms-win-core-interlocked-l1-1-0.dll deccd75fc3fc2bb31338b6fe26deffbd7914c6cd6a907e76fd4931b7d141718c
  87. DNS requests (defanged — replace [.] with . before use). drive.google.com / doc-0o-a0-docs.googleusercontent.com are legitimate Google services, presumably used here as a download location; do not block those domains, hunt on the specific request instead.
  88. domain advertpage75[.]com
  89. domain fmailadvert15dx[.]world
  90. domain drive[.]google[.]com
  91. domain doc-0o-a0-docs[.]googleusercontent[.]com
  92. domain avgsupport[.]info
  93. domain fmailserv19fd[.]world
  94. Connections (IPs contacted during the run, defanged). 35.228.79[.]212 is the /gate/ C2 host seen in the URL list below; 172.217.10[.]225 presumably serves the Google domains above and is not an indicator on its own — verify the IP/domain mapping from the sandbox PCAP before using any of these for blocking.
  95. ip 45.11.19[.]102
  96. ip 198.23.141[.]107
  97. ip 167.160.167[.]15
  98. ip 161.117.11[.]163
  99. ip 172.217.10[.]225
  100. ip 45.147.228[.]72
  101. ip 35.228.79[.]212
  102. HTTP/HTTPS requests (defanged — replace hxxp with http and [.] with . before use; all requests are plain HTTP)
  103. url hxxp://advertpage75[.]com/serverstat315/
  104. url hxxp://fmailadvert15dx[.]world/chapo/chapo777.exe
  105. url hxxp://avgsupport[.]info/
  106. url hxxp://fmailadvert15dx[.]world/elin.exe
  107. url hxxp://fmailadvert15dx[.]world/pred777amx.exe
  108. url hxxp://fmailserv19fd[.]world/api/check.get
  109. url hxxp://35.228.79[.]212/gate/log.php
  110. url hxxp://35.228.79[.]212/gate/libs.zip
  111. url hxxp://35.228.79[.]212/gate/sqlite3.dll
  112. url hxxp://35.228.79[.]212/file_handler/file.php?hash=7e43d7969229fe3b9a40ad01d95f36b5a9d8ee33&js=4e5746d2ff5676f6ee9d126343cd2a41eac60255&callback=hxxp://35.228.79[.]212/gate
        (the hash= and js= values look run- or build-specific; for detection, match on the path patterns /file_handler/file.php, /gate/log.php and /gate/libs.zip rather than on the full query string)