tkanalyst

2019/10/16 RIG EK -> Smokeloader -> Krnos and more

Oct 15th, 2019
2019-10-16
#RIGEK -> #Smokeloader

#Predator #Vidar & #Krnos and more...

[Example Payload]
https://app.any.run/tasks/52656d24-b866-416c-b703-ee0fae0e3f78

[File]

[memo]
https://app.any.run/tasks/8122a4c3-bcfa-49ab-98a0-fd0d3dc97293

===================================================================================
Main object: "epepiow2.exe"
sha256 9d0c61dc93121020362acb75728ec59d38c587c637431f6b309879118825a0f9
sha1 a251a035b2a3ef3d254102ccb5949ee628c8aaa7
md5 80190e9b979139152f7e4478b4ee388b
Dropped executable files
DNS requests
Connections
HTTP/HTTPS requests