2019/10/18 RIG EK -> Smokeloader and more

KGN
Oct 17th, 2019
2019-10-18
#RIGEK -> #Smokeloader ->

#Predator & #Quasar and more...

[Example Traffic]
https://app.any.run/tasks/68cb2a45-4400-4cb7-89dd-c8b8b2d33dd3
https://app.any.run/tasks/498a43e4-05fe-4413-afc2-842aa4d6764d

============================================================================================
Main object - "rad30908.tmp.exe"
sha256 d0cb9084a6d1f4d6858c6405be84b109f1e31e18c00cd9fa1d1ec096bdca46c2
sha1 13955ebe445e923cd53e495ff0d9baf2eb5a451a
md5 4ea4d4e56b1bef1dfd88ad8ca50d6329
Dropped executable file
DNS requests
Connections
HTTP/HTTPS requests