- 2019-10-10
- #Malvertising -> #RIGEK -> #Smokeloader
- #Predator & #Vidar & #Quasar & #MedusaHTTP
- [Example Payload]
- https://app.any.run/tasks/c3ab622a-8c68-42c8-aeb7-bf88226983cc
- /socks777amx.exe -> MedusaHTTP
- https://app.any.run/tasks/810c583c-b844-4df2-bb3e-bc8b62d146b9
- /relax/pred999.exe -> Predator
- https://app.any.run/tasks/92befabe-5e8a-4c3f-91ff-38a460384b2c
- /dor.exe -> Vidar
- https://app.any.run/tasks/1ec76dbc-b2b7-453e-ba26-25cd67413813
- /crot777amx.exe -> Quasar
- https://app.any.run/tasks/3417b4da-4bef-4600-9826-4aa70eb651ca
- /sky/new/dos777.exe -> MedusaHTTP
- https://app.any.run/tasks/ebf9310e-a8e7-4227-97c0-f7d06d6368f7
- /pred777amx.exe -> Predator
- https://app.any.run/tasks/53f94965-2411-4a28-8a7a-12e3c0aa72fd
- [Comment]
- ===========================================================================================================
- Main object - "36mmekun.exe"
- sha256 17b548f9c8077f8ba66b70d55c383f87f92676520e2749850e555abb4d5f80a5
- sha1 12948e36584e1677e80f78b8cc5c20576024c13f
- md5 a8cc396b6f5568e94f28ca3381c7f9df
- Dropped executable file
- DNS requests
- Connections
- HTTP/HTTPS requests