tkanalyst

2019/10/02 RIG EK -> Smokeloader -> Other Malware

Oct 1st, 2019
2019-10-02
#Malvertising -> #RIGEK -> #Smokeloader

#AZORult -> #Servhelper & #Predator & Quasar and more...

[Example Payload]
https://app.any.run/tasks/a2ef7bde-fc71-4f7e-9246-1af8f16b5e6b

[Smokeloader host (sdstat9624tp[.]world) Payloads]
/bro111.exe
/crot777amx.exe
/crot777mx.dll
/dan777.dll
/dan777.exe
/del/del777pmx.exe
/dmx777amx.exe
/evi111.exe
/evi999.exe
/guc.exe
/hit777.exe
/hrd777.exe
/pak.exe
/pak444.exe
/pred777amx.exe
/skd.exe
/sky/crot999px.exe
/sky/dmx737tx.exe
/socks111.dll
/socks111.exe
/socks777.exe
/socks777amx.exe
/vnc777.exe
/vodka.exe

=============================================================================================

Main object: "a6blowch.exe"
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf

Dropped executable files
sha256 C:\Users\admin\AppData\Roaming\fthtujv f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-file-l1-2-0.dll c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
sha256 C:\Users\admin\AppData\Local\Temp\2BE7.tmp.exe 9aa4bf102d44c6379961cd26cd02429a5043a55c1b4df52f92e87b3cadce69e3
sha256 C:\Users\admin\AppData\Local\Temp\37AF.tmp.exe 99a3fe55672bec4fc15c7e538ee568e0e81339619253348359eb2e2a91c5b0ee
sha256 C:\Users\admin\AppData\Local\Temp\428E.tmp.exe 277bf32b1b54aeaa9e60072428efcc453ac873103f97b086d6544bdb885d0ca4
sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\file1[1].exe 32c6eff8649b1184f592deef4a5ad5d500df46658122cab2b428abbb5750897c
sha256 C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\file2[1].exe 406019965f63449921bc1516412e9e3a6e4c94582f5eba9cb5a92888d6b827dd
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-console-l1-1-0.dll 94a5df1227818edbfd0d5091c6a48f86b4117c38550343f780c604eee1cd6231
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-datetime-l1-1-0.dll 90fae0e7c3644a6754833c42b0ac39b6f23859f9a7cf4b6c8624820f59b9dad3
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-debug-l1-1-0.dll c310cc91464c9431ab0902a561af947fa5c973925ff70482d3de017ed3f73b7d
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-file-l1-1-0.dll 7ea06b7050f9ea2bcc12af34374bdf1173646d4e5ebf66ad690b37f4df5f3d4e
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-errorhandling-l1-1-0.dll a97dcca76cdb12e985dff71040815f28508c655ab2b073512e386dd63f4da325
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\ucrtbase.dll 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-handle-l1-1-0.dll 945cc64ee04b1964c1f9fcdc3124dd83973d332f5cfb696cdf128ca5c4cbd0e5
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-process-l1-1-0.dll c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-memory-l1-1-0.dll bb33a9e906a5863043753c44f6f8165afe4d5edb7e55efa4c7e6e1ed90778eca
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-runtime-l1-1-0.dll c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-file-l2-1-0.dll c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-namedpipe-l1-1-0.dll c4f60f911068ab6d7f578d449ba7b5b9969f08fc683fd0ce8e2705bbf061f507
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-processenvironment-l1-1-0.dll 96898930ffb338da45497be019ae1adcd63c5851141169d3023e53ce4c7a483e
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-sysinfo-l1-1-0.dll 4b704b36e1672ae02e697efd1bf46f11b42d776550ba34a90cd189f6c5c61f92
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-multibyte-l1-1-0.dll 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-filesystem-l1-1-0.dll 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-convert-l1-1-0.dll 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-heap-l1-1-0.dll 44f6df4280c8ecc9c6e609b1a4bfee041332d337d84679cfe0d6678ce8f2998a
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-synch-l1-1-0.dll 5dd4ccd63e6ed07ca3987ab5634ca4207d69c47c2544dfefc41935617652820f
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-processthreads-l1-1-0.dll 9dab884071b1f7d7a167f9bec94ba2bee875e3365603fa29b31de286c6a97a1d
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-interlocked-l1-1-0.dll deccd75fc3fc2bb31338b6fe26deffbd7914c6cd6a907e76fd4931b7d141718c
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-string-l1-1-0.dll 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-timezone-l1-1-0.dll 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-profile-l1-1-0.dll 8eb5270fa99069709c846db38be743a1a80a42aa1a88776131f79e1d07cc411c
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-util-l1-1-0.dll f7d450a0f59151bcefb98d20fcae35f76029df57138002db5651d1b6a33adc86
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-environment-l1-1-0.dll c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-string-l1-1-0.dll 7670fdede524a485c13b11a7c878015e9b0d441b7d8eb15ca675ad6b9c9a7311
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-math-l1-1-0.dll bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-utility-l1-1-0.dll a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-synch-l1-2-0.dll 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-rtlsupport-l1-1-0.dll 2257fea1e71f7058439b3727ed68ef048bd91dcacd64762eb5c64a9d49df0b57
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-private-l1-1-0.dll 65ded8d2ce159b2f5569f55b2caf0e2c90f3694bd88c89de790a15a49d8386b9
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-stdio-l1-1-0.dll b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-processthreads-l1-1-1.dll 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-heap-l1-1-0.dll f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-libraryloader-l1-1-0.dll bb25ccf8694d1fcfce85a7159dcf6985fdb54728d29b021cb3d14242f65909ce
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-time-l1-1-0.dll 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-locale-l1-1-0.dll 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-core-localization-l1-2-0.dll 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\api-ms-win-crt-conio-l1-1-0.dll 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\mozglue.dll 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\freebl3.dll 393ae7f06fe6cd19ea6d57a93dd0acd839ee39ba386cf1ca774c4c59a3bfebd8
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\msvcp140.dll 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\nss3.dll f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\nssdbm3.dll 541a293c450e609810279f121a5e9dfa4e924d52e8b0c6c543512b5026efe7ec
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\softokn3.dll 9a7f11c212d61856dfc494de111911b7a6d9d5e9795b0b70bbbc998896f068ae
sha256 C:\Users\admin\AppData\Local\Temp\DC2120D9\vcruntime140.dll c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

DNS requests
domain advertmarin48.world
domain www.advertmarin48.world
domain mailsmall78.club
domain smantex50.world
domain sdstat9624tp.world
domain crasyhost.com
domain moriarty.pw
domain voldemort.pw
domain ip-api.com
domain iplogger.org

Connections
ip 104.124.62.160
ip 192.64.119.19
ip 5.9.26.115
ip 45.141.102.62
ip 185.62.58.147
ip 198.54.117.217
ip 195.201.161.25
ip 45.147.228.193
ip 46.249.62.203
ip 192.35.177.64
ip 88.99.66.31
ip 8.253.164.240
ip 2.57.89.47
ip 69.195.146.130

HTTP/HTTPS requests
url http://advertmarin48.world/serverlogs29/
url http://www.advertmarin48.world/serverlogs29/?from=@
url http://mailsmall78.club/serverlogs29/
url http://sdstat9624tp.world/pred777amx.exe
url http://sdstat9624tp.world/greem.exe
url http://crasyhost.com/file2.exe
url http://sdstat9624tp.world/crot777amx.exe
url http://crasyhost.com/file1.exe
url http://crasyhost.com/file3.exe
url http://crasyhost.com/file4.exe
url http://crasyhost.com/file5.exe
url http://smantex50.world/api/check.get
url http://smantex50.world/api/gate.get?p1=2&p2=15&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=0&p10=kW0QR+T4+qso62OqVvBbITYFlUeXoGxuIFUZ
url http://195.201.161.25:2012/websocket
url http://crasyhost.com/index.php
url http://ip-api.com/json/