tkanalyst

2019/09/24 RIG EK -> Smokeloader -> Other Malware

Sep 23rd, 2019
2019-09-24
#Malvertising -> #RIGEK -> #Smokeloader

#Crysis/#Dharma(#Ransomware) & #Gozi(#Ursnif/#Dreambot) & #Danabot

[Example Payload]
https://app.any.run/tasks/a1ea0079-bd7d-4811-a316-2270e600e7a7
===========================================================================
Main object: "radC6C62.tmp.exe"
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf
Dropped executable file
sha256 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\A80C.tmp.exe 959fdd7c30df75a4d060abd9e4e2106936d592a09fc33747e1618c60ce21525f
sha256 C:\Users\admin\AppData\Local\Temp\CC7D.tmp.dll 96703983a16e1a8ec388ea70003cd2f101a97e38b2e12a356612ae8f46d47ffa
sha256 C:\Users\admin\AppData\Local\Temp\5F6E.tmp.exe 504ac8bba3e7d8921e67031c45953f00f36ed9569834b557170c55732a457027
sha256 C:\Users\admin\AppData\Local\Temp\D049.tmp.exe 84b36e91505fbdfb8cf9b4f04ae8058bcfdcbcd3bb1c3a8f990f7dfff50175c2
sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
sha256 C:\Users\admin\AppData\Roaming\fthtujv f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha256 C:\Users\admin\Desktop\canceronline.png.id-7CD9E0E6.[admin@stex777.com].money 80350d99e4019db36e39cad026c335e127fbdefd7400e83c30f47a2e7fff87ae
sha256 C:\Users\admin\AppData\Local\Temp\nse62E7.tmp\blowfish.dll 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
sha256 C:\Users\admin\AppData\Local\Temp\CRYPTBASE.dll abaeeb4b5f294d6e7b571abdcffa2124a8418c4b2f40bce565fcc024f7516072
sha256 C:\Windows\help\tmp5211.dat a85466d5de5bad0b63eb2cb45c8abe48b5bde79d0c49ac0486c883549063e99c
sha256 C:\Windows\help\tmp5212.dat 71c559bff629f92cf294341f57777d5971e1bbb04579b80ac645161db18bd7ed
sha256 C:\Windows\system32\rfxvmt.dll 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
DNS requests
domain advertmarin48.world
domain www.advertmarin48.world
domain mailadvert219dx.world
domain mailsmall78.club
domain chiasun.xyz
domain myip.opendns.com
domain resolver1.opendns.com
domain curlmyip.net
domain sweetlights.at
Connections
ip 23.67.53.50
ip 198.54.117.217
ip 5.9.26.115
ip 192.64.119.19
ip 185.163.45.92
ip 94.102.63.140
ip 117.18.232.240
ip 192.35.177.64
ip 93.103.166.70
ip 208.67.222.222
ip 104.31.65.34
ip 78.40.46.135
HTTP/HTTPS requests
url http://advertmarin48.world/serverlogs29/
url http://www.advertmarin48.world/serverlogs29/?from=@
url http://mailsmall78.club/serverlogs29/
url http://mailadvert219dx.world/crot777mx.dll
url http://mailadvert219dx.world/dmx777amx.exe
url http://mailadvert219dx.world/hrd777.exe
url http://mailadvert219dx.world/vodka.exe
url http://sweetlights.at/images/tG8V7mbbY0JpQ1k_2F5AC/TWfsSwIZGjEDZ0al/J_2BfkwmmCTJeGz/9PbsIorVScZZijDO6B/sbzQNrouK/68Tu7M8gCdK5qOMUOury/yTMMpVJ7FtSoQmtURdn/UctmHeF7SCPp5CuSu41WD0/f3zlAhHYxIhjY/pWStPsKQ/wgltNFGg4QNzTftd9s1UTGQ/MgvCN7qP6E/vA.gif
url http://sweetlights.at/images/gxOmuB_2BYWn/BvOvROJYE3t/YFm1pL_2Bf6hKp/zN0FXpXQQXdbzNFy6CK4X/_2Beig3L9acypSS0/XRL2YI2nTZjKbRT/TsHE367YTvOHq3gcDL/6thIRkqGv/CTbE3q2mwmruBeWYVZRB/_2FiqyVwG_2B4IL3kUb/HIdIgJVkWDJDWoeNmNyIVG/_2BG2Aqw64YeV/GdaUa2B9/a5wQTkUt2YNcV9GhsH4QErz/mjXRG.bmp
url http://sweetlights.at/images/cOXq1Ro5mR67P9/Yld4ZB9wXt5nle92qE7xV/3vVo64bX4_2BDIwE/AdDVaSJuT7BHTBU/FJGbz3pxmeWxdKT6sH/kpm_2B0I7/Cy1yxcSC6bZ2sZThh8fb/TanP6U8pEYcS_2FszTw/SoOKBQlEeNJfZZRv1hL11B/moou2JtHC2UPQ/xQ3SA_2F/Q7dEl2ia4g6BtDk2ar1yQsw/T_2B.gif
url http://sweetlights.at/images/uPMtpLLQsR9g/kPOSjROYG1r/LduQQCGcut64QD/JWpArV5xCjrkV1HDV_2FI/_2BjTIrcnFIhED87/M_2B2lBGEaLMYKG/6PuT5GOmyM1HjURpH6/KDP7YPlmJ/B3RKQnJMy9Rxw0u4xAxV/IjWE0Yq_2Fnger8_2FM/yjqROUGq_2BBXgHWIgAJFq/gngqP9_2FtX_2/FshHaU2zBXAIHs/Vmxe.jpeg
url http://curlmyip.net/
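As an added example (not part of the original paste or of any.run's tooling), the Python below turns the listing above into typed indicators and sweeps log lines for them, with two checks the artefacts invite: the drop into the all-users Startup folder is a logon-persistence location, and the `<name>.id-<8 hex>.[<e-mail>].<ext>` rename on the desktop PNG is the Crysis/Dharma naming convention, so a file-create event matching it is worth alerting on even when the hash is unknown. The embedded IOC text is a subset of the list above; the log lines and the `CONTEXT_ONLY` set are assumptions: `myip.opendns.com`, `resolver1.opendns.com` and `curlmyip.net` are external-IP lookup services and `208.67.222.222` is the OpenDNS resolver, so they describe behaviour (the payload learning its public address) but are not safe blocklist entries.

```python
"""Typed-IOC parser for the any.run-style listing above, with a sweep over
constructed log lines.  Added example; not from the original paste."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Subset of the listing above, embedded so the example runs offline.
IOC_TEXT = r"""
Main object: "radC6C62.tmp.exe"
sha256 f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5
sha1 5023787414c75eb4c2f432b8abae95c8bd7ab5c9
md5 b475e2c4e285f8f7b741aac9e7e1cabf
Dropped executable file
sha256 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\A80C.tmp.exe 959fdd7c30df75a4d060abd9e4e2106936d592a09fc33747e1618c60ce21525f
sha256 C:\Users\admin\Desktop\canceronline.png.id-7CD9E0E6.[admin@stex777.com].money 80350d99e4019db36e39cad026c335e127fbdefd7400e83c30f47a2e7fff87ae
DNS requests
domain advertmarin48.world
domain mailadvert219dx.world
domain myip.opendns.com
domain curlmyip.net
Connections
ip 185.163.45.92
ip 208.67.222.222
HTTP/HTTPS requests
url http://mailadvert219dx.world/vodka.exe
url http://curlmyip.net/
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Assumption: shared, legitimate services in the listing (external-IP lookup and
# the OpenDNS resolver).  Report them as behavioural context, never as blocks.
CONTEXT_ONLY = {"myip.opendns.com", "resolver1.opendns.com", "curlmyip.net", "208.67.222.222"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Crysis/Dharma naming seen above: <original>.id-<8 hex>.[<contact e-mail>].<ext>
DHARMA_RE = re.compile(r"(?P<orig>[^\\/\s\"']+)\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)\b")


def parse_iocs(text):
    """Return {'hash': {digest: algo}, 'domain', 'ip', 'url', 'path'} from the listing."""
    iocs = {"hash": {}, "domain": set(), "ip": set(), "url": set(), "path": set()}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind = parts[0].lower()
        if kind in HASH_LEN and re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[kind], parts[-1]):
            iocs["hash"][parts[-1].lower()] = kind
            if len(parts) > 2:                       # "sha256 <path, may contain spaces> <digest>"
                iocs["path"].add(" ".join(parts[1:-1]))
        elif kind == "domain":
            iocs["domain"].add(parts[1].lower())
        elif kind == "ip":
            iocs["ip"].add(str(ip_address(parts[1])))  # raises on a malformed address
        elif kind == "url":
            iocs["url"].add(parts[1].rstrip("/"))
            iocs["domain"].add(urlparse(parts[1]).hostname.lower())
    return iocs


def severity(value):
    """'context' for shared services, 'match' for everything else."""
    host = urlparse(value).hostname if "://" in value else value
    return "context" if host in CONTEXT_ONLY else "match"


def scan_log_line(line, iocs):
    """Return [(kind, value, severity)] for every indicator found in one log line."""
    found = []
    for url in URL_RE.findall(line):
        if url.rstrip("/") in iocs["url"]:
            found.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ip"]:
            found.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in iocs["domain"]:
            found.append(("domain", host.lower()))
    for digest in HEX_RE.findall(line):
        if digest.lower() in iocs["hash"]:
            found.append(("hash", digest.lower()))
    m = DHARMA_RE.search(line)
    if m:                                            # rename pattern, hash-independent
        found.append(("dharma_rename", m.group(0)))
    return [(k, v, "match" if k == "dharma_rename" else severity(v)) for k, v in dict.fromkeys(found)]


def dharma_parts(path):
    """Split a Crysis/Dharma-style renamed file into its fields, or None."""
    m = DHARMA_RE.search(path)
    return m.groupdict() if m else None


def startup_persistence(paths):
    """Dropped files written to a Windows Startup folder (run at every logon)."""
    return sorted(p for p in paths if "\\start menu\\programs\\startup\\" in p.lower())


# Constructed log lines for the demo (not from the original analysis).
SAMPLE_LOGS = [
    "2019-09-24T09:41:03Z dns client=10.0.0.15 query=mailadvert219dx.world type=A",
    "2019-09-24T09:41:05Z proxy client=10.0.0.15 GET http://mailadvert219dx.world/vodka.exe 200",
    "2019-09-24T09:41:09Z dns client=10.0.0.15 query=myip.opendns.com server=208.67.222.222",
    "2019-09-24T09:42:11Z fw client=10.0.0.15 dst=185.163.45.92 dport=80 action=allow",
    "2019-09-24T09:42:30Z edr host=WS01 process=radC6C62.tmp.exe sha256=f3c96b85b957dbd3c2a835def5a58b442585adeb56da81870411c273a9a943e5",
    "2019-09-24T09:45:00Z edr host=WS01 file_create path=C:\\Users\\admin\\Desktop\\canceronline.png.id-7CD9E0E6.[admin@stex777.com].money",
    "2019-09-24T09:50:00Z dns client=10.0.0.22 query=www.example.com type=A",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print("startup persistence:", startup_persistence(iocs["path"]))
    for i, line in enumerate(SAMPLE_LOGS):
        print(i, scan_log_line(line, iocs))
```

Feed the full listing above into `parse_iocs` instead of the embedded subset to get every hash, host and URL. Hosts that come back as `context` are the payload discovering its public address, which is a useful hunting signal next to the `.world`/`.club` download domains but would cause false positives if pushed to a firewall as-is.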