tkanalyst

2019/10/04 RIG EK -> Smokeloader -> Gozi and more

Oct 4th, 2019
2019-10-04
#Malvertising -> #RIGEK -> #Smokeloader

#Gozi(#Ursnif -> #Sinkhole) -> #Dreambot & #MedusaHTTP

[Example Payload]
https://app.any.run/tasks/46a2470a-5220-46d1-91b8-97426893d661/

[Comment]
socks777amx.exe -> MedusaHTTP
https://app.any.run/tasks/bfff0447-01e8-4461-8a76-5f4a25f0887f

crot777amx.exe -> Quasar
https://app.any.run/tasks/ef7ef99f-a0e2-45c6-bd43-725edba7ac9a

isb777amx.exe -> Gozi(Ursnif) -> Sinkhole
https://app.any.run/tasks/83e65903-2387-4ba5-b777-eec9503aef8e

gab.exe -> Gozi(Ursnif) -> Tor module -> DreamBot
https://app.any.run/tasks/b98c0ab1-0c9f-465c-83e2-c476ec4786c8

============================================================================
Main object: "rad15200.tmp.exe"
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf
Dropped executable files
sha256 C:\Users\admin\AppData\Roaming\fthtujv f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5 (identical sha256 to the main object, i.e. a self-copy)
sha256 C:\Users\admin\AppData\Local\Temp\8FD.tmp.exe 4df22cb76810803f8a3c2bfb5fb1e96d800adcce52c76fefa8c6577def2c5f99
sha256 C:\Users\admin\AppData\Local\Temp\21D6.tmp.exe 142716208fa4d7b05a3c763f5ce714f1e24086eafedd1b3537f5037c0f5d4ce2
sha256 C:\Users\admin\AppData\Local\Temp\335B.tmp.exe 2aba7530b4cfdad5bd36d94ff32a0bd93dbf8b9599e0fb00701d58a29922c75f
sha256 C:\Users\admin\AppData\Local\Temp\3FA1.tmp.exe 1b0c947dbcde786041258e5cb08bcdeda5eaad0d4860389f98ce90f422db01fb
sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
DNS requests
domain advertmarin48.world
domain www.advertmarin48.world
domain mailsmall78.club
domain ip-api.com
domain zmailserv19fd.world
domain resolver1.opendns.com
domain api.ipify.org
domain myip.opendns.com
domain 222.222.67.208.in-addr.arpa
domain check.vivianmaierphotos.com
domain curlmyip.net
domain cdnshop78.world
domain www.grandrush.com
Connections
ip 198.54.117.217
ip 192.64.119.19
ip 45.147.228.215
ip 195.201.161.25
ip 5.9.26.115
ip 208.67.222.222
ip 82.118.22.167
ip 107.22.193.167
ip 66.212.29.250
ip 176.119.29.14
ip 104.19.166.93
ip 74.208.252.232
HTTP/HTTPS requests
url http://advertmarin48.world/serverlogs29/
url http://mailsmall78.club/serverlogs29/
url http://www.advertmarin48.world/serverlogs29/?from=@
url http://zmailserv19fd.world/gab.exe
url http://zmailserv19fd.world/socks777amx.exe
url http://zmailserv19fd.world/isb777amx.exe
url http://zmailserv19fd.world/crot777amx.exe
url http://ip-api.com/json/
url http://check.vivianmaierphotos.com/images/WimxewockvoLZ/fW0o_2Fj/R_2FpGz3Hpx28z8MHkVU8jC/RwpgJfleK8/QjuiimpRXOzMpRj4H/go9UdBrk1Trp/nqW_2FJGV_2/BKfzD7VAyr5d4j/wcE0MVrEaek4HUB7yMQQi/Xa6GaKXXu_2FKyv1/5dqZex8K_2Bynyh/Th_2B0ijjzYKeBC_2F/K41nlQTUQ/YpdT6eR_2FnaaUcPwnP_/2FPm2.gif
url http://195.201.161.25:2012/websocket
url http://curlmyip.net/
url http://api.ipify.org/
url http://cdnshop78.world/forums/members/api.jsp
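Added example, not part of the original paste: a small Python triage script that ingests indicator lines in the paste's own "type [path] value" format, rejects a hash whose length does not fit its label, flags the dropped file whose sha256 equals the main object as a self-copy, tags the external-IP-check and resolver indicators (ip-api.com, api.ipify.org, curlmyip.net, myip.opendns.com, resolver1.opendns.com, 208.67.222.222 and the in-addr.arpa lookup) as low-fidelity because legitimate software talks to them too, and applies a heuristic for Gozi/Ursnif-style beacon URIs (a deep alphanumeric path carrying "_2F"/"_2B" tokens and ending in an image extension), which generalises from the single check.vivianmaierphotos.com URL above. It then sweeps a few constructed proxy-log lines. The indicator values are copied from the paste; the log lines, the noise lists, the heuristic and every function name are this example's assumptions.

```python
"""Triage the IOC paste: type and validate indicators, tag fidelity, sweep sample logs.
Added example, not code from the original paste. Indicator values are copied from the
paste; the log lines, noise lists and the beacon-URI heuristic are assumptions."""
import re
from urllib.parse import urlsplit

# Constructed excerpt of the paste above, in its own "type [path] value" line format.
PASTE = r"""
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf
sha256 C:\Users\admin\AppData\Roaming\fthtujv f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha256 C:\Users\admin\AppData\Local\Temp\8FD.tmp.exe 4df22cb76810803f8a3c2bfb5fb1e96d800adcce52c76fefa8c6577def2c5f99
domain zmailserv19fd.world
domain check.vivianmaierphotos.com
domain ip-api.com
domain myip.opendns.com
domain 222.222.67.208.in-addr.arpa
ip 208.67.222.222
ip 195.201.161.25
url http://zmailserv19fd.world/gab.exe
url http://zmailserv19fd.world/socks777amx.exe
url http://ip-api.com/json/
url http://check.vivianmaierphotos.com/images/WimxewockvoLZ/fW0o_2Fj/R_2FpGz3Hpx28z8MHkVU8jC/RwpgJfleK8/QjuiimpRXOzMpRj4H/go9UdBrk1Trp/nqW_2FJGV_2/BKfzD7VAyr5d4j/wcE0MVrEaek4HUB7yMQQi/Xa6GaKXXu_2FKyv1/5dqZex8K_2Bynyh/Th_2B0ijjzYKeBC_2F/K41nlQTUQ/YpdT6eR_2FnaaUcPwnP_/2FPm2.gif
url http://195.201.161.25:2012/websocket
"""
MAIN_HASH = "f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5"  # rad15200.tmp.exe
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# External-IP/geolocation lookups and the OpenDNS resolver: the malware uses them, but so does
# legitimate software, so they are triage context rather than block-list material (assumption).
NOISY_DOMAINS = {"ip-api.com", "api.ipify.org", "curlmyip.net", "resolver1.opendns.com", "myip.opendns.com"}
NOISY_IPS = {"208.67.222.222"}

# Heuristic (assumption) for Gozi/Ursnif-style beacon URIs: a deep path of alphanumeric/underscore
# segments ending in an image extension, carrying "_2F"/"_2B" (escaped "/" and "+" of the payload).
BEACON_PATH = re.compile(r"^/(?:[A-Za-z0-9_]+/){3,}[A-Za-z0-9_]+\.(?:gif|bmp|jpe?g|avi)$")


def parse_iocs(text):
    """Return typed indicators; reject a hash whose length does not match its label."""
    iocs = {"hash": {}, "path": {}, "domain": set(), "ip": set(), "url": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[-1]
        if kind in HASH_LEN.values():
            value = value.lower()
            if HASH_LEN.get(len(value)) != kind or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"{kind} label does not fit value: {line!r}")
            iocs["hash"][value] = kind
            if len(parts) == 3:  # "sha256 <dropped path> <hash>"
                iocs["path"][parts[1]] = value
        elif kind in ("domain", "ip", "url"):
            iocs[kind].add(value)
    return iocs


def self_copies(iocs, main_hash):
    """Dropped files that are byte-identical to the main object (same sha256)."""
    return sorted(p for p, h in iocs["path"].items() if h == main_hash)


def fidelity(kind, value):
    """'low' for shared IP-check/resolver infrastructure, 'high' for actor-controlled indicators."""
    host = urlsplit(value).hostname if kind == "url" else value
    if host in NOISY_DOMAINS or host in NOISY_IPS or host.endswith(".in-addr.arpa"):
        return "low"
    return "high"


def looks_like_beacon(url):
    path = urlsplit(url).path
    return bool(BEACON_PATH.match(path)) and ("_2F" in path or "_2B" in path)


def sweep(iocs, log_lines):
    """Match proxy-log lines ("<ts> <client> <method> <url>") against the indicators."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        url = line.split()[-1]
        host = urlsplit(url).hostname or ""
        if url in iocs["url"]:
            hits.append((n, "url", url, fidelity("url", url)))
        elif host in iocs["domain"] or host in iocs["ip"]:
            hits.append((n, "host", host, fidelity("domain", host)))
        elif looks_like_beacon(url):
            hits.append((n, "beacon-heuristic", host, "medium"))
    return hits


# Constructed log lines (not from the paste).
SAMPLE_LOGS = [
    "2019-10-04T10:01:02Z 10.0.0.5 GET http://zmailserv19fd.world/socks777amx.exe",
    "2019-10-04T10:01:05Z 10.0.0.5 GET http://ip-api.com/json/",
    "2019-10-04T10:02:11Z 10.0.0.7 GET http://cdn-static.example.net/images/AbC_2Fxyz/Q_2Bw/zz9/k.gif",
    "2019-10-04T10:03:00Z 10.0.0.9 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    iocs = parse_iocs(PASTE)
    print("self-copies of main object:", self_copies(iocs, MAIN_HASH))
    for hit in sweep(iocs, SAMPLE_LOGS):
        print(hit)
```

The sweep prefers an exact URL match, then a host match, and only then the beacon heuristic, so a hit on an unlisted host (the third sample line) is reported as "medium" and needs a look at the response before it is treated as confirmed Gozi traffic; the ip-api.com hit is kept but marked "low" so it can be used as corroboration for the same client rather than as an alert on its own.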