2019/09/21 RIG EK -> Smokeloader -> Other Malware

1. #Malvertising -> #RIGEK -> #Smokeloader
2.  
3. #Crysis & #Kpot & #DarkRat
4.  
5. [Example Payload]
6. https://app.any.run/tasks/47c33e63-9d75-4869-8b9a-caead9759135
7. https://app.any.run/tasks/3241402e-8a4e-4974-9e19-68a484e66903
8. ====================================================================
9. Main object- "rad17AB0.tmp.exe"
10. sha256 a0a1f4e33a3c91564bc6beaa5f47469ee4d7267a1b7aff4e11852153223f4c79
11. sha1 62b6171812cf5bc4a67d38ecddf0a3eb75bbdcad
12. md5 f77225b0097e989c0da690eb6bf79095
13. Dropped executable file
14. sha256 C:\Users\admin\AppData\Roaming\fthtujv a0a1f4e33a3c91564bc6beaa5f47469ee4d7267a1b7aff4e11852153223f4c79
15. sha256 C:\Users\admin\AppData\Local\Temp\F518.tmp.exe 79b8c026d2e90a16b4a585f38be231828bc9d52255948d4a7d9248bb25e882d1
16. sha256 C:\Users\admin\AppData\Local\Temp\F901.tmp.exe 772c0bbaf5482f408fd50678dbdae5bf9ee85fd9c4327327a20b664803d20da6
17. sha256 C:\Users\admin\AppData\Local\Temp\FFF7.tmp.exe 503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
18. sha256 C:\Users\admin\AppData\Local\Temp\D47F.tmp 3a98d10a2792713d8368920cb139323aae576bee3ca70f5ab23f91af4f2bb244
19. DNS requests
20. domain advertmarin48.world
21. domain www.advertmarin48.world
22. domain mailsmall78.club
23. domain mailserv964k.world
24. domain advertstat233.world
25. domain pastebin.com
26. Connections
27. ip 198.54.117.216
28. ip 192.64.119.19
29. ip 185.25.50.147
30. ip 5.9.26.115
31. ip 213.252.247.115
32. ip 104.22.3.84
33. HTTP/HTTPS requests
34. url http://advertmarin48.world/serverlogs29/
35. url http://www.advertmarin48.world/serverlogs29/?from=@
36. url http://mailsmall78.club/serverlogs29/
37. url http://mailserv964k.world/sky/dmx737tx.exe
38. url http://mailserv964k.world/sky/crot999px.exe
39. url http://advertstat233.world/4rTpPY1f3zP4LAUq/conf.php
40. url http://mailserv964k.world/spread.exe
41. url http://pastebin.com/raw/dNqyCpKw
42. ====================================================================
43. Main object- "spread.exe"
44. sha256 503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
45. sha1 d441fd9ef841e5befa0584ac2f51e4c7090688ab
46. md5 3c91eb49b0677e64ff7e9058b38782ce
47. Dropped executable file
48. sha256 C:\Users\admin\AppData\Roaming\Microsoft\Windows\jrQDjpZPtB.exe 503e352c0212844f71b57d600edc710c78a31d031f5d2101a07f500efd12c61e
49. DNS requests
50. domain pastebin.com
51. Connections
52. ip 104.22.3.84
53. ip 104.223.20.200
54. HTTP/HTTPS requests
55. url http://pastebin.com/raw/dNqyCpKw
56. url http://104.223.20.200/request