tkanalyst

2019/10/10 RIG EK -> Smokeloader -> Other Malware

Oct 9th, 2019
2019-10-10
#Malvertising -> #RIGEK -> #Smokeloader

#Predator & #Vidar & #Quasar & #MedusaHTTP

[Example Payload]
https://app.any.run/tasks/c3ab622a-8c68-42c8-aeb7-bf88226983cc

/socks777amx.exe -> MedusaHTTP
https://app.any.run/tasks/810c583c-b844-4df2-bb3e-bc8b62d146b9

/relax/pred999.exe -> Predator
https://app.any.run/tasks/92befabe-5e8a-4c3f-91ff-38a460384b2c

/dor.exe -> Vidar
https://app.any.run/tasks/1ec76dbc-b2b7-453e-ba26-25cd67413813

/crot777amx.exe -> Quasar
https://app.any.run/tasks/3417b4da-4bef-4600-9826-4aa70eb651ca

/sky/new/dos777.exe -> MedusaHTTP
https://app.any.run/tasks/ebf9310e-a8e7-4227-97c0-f7d06d6368f7

/pred777amx.exe -> Predator
https://app.any.run/tasks/53f94965-2411-4a28-8a7a-12e3c0aa72fd

[Comment]

and more payload ...

===========================================================================================================
Main object - "36mmekun.exe"
sha256 17b548f9c8077f8ba66b70d55c383f87f92676520e2749850e555abb4d5f80a5
sha1 12948e36584e1677e80f78b8cc5c20576024c13f
md5 a8cc396b6f5568e94f28ca3381c7f9df
Dropped executable file
DNS requests
Connections
HTTP/HTTPS requests