Samplecheck5000

Malware updated 7 months ago (2024-05-04T20:18:25.770Z)

Download STIX

Preview STIX

SampleCheck5000 (SC5k) is a malicious software, or malware, developed as a lightweight downloader by OilRig. This malware is notable for its use of legitimate cloud service APIs such as Microsoft Graph OneDrive, Outlook, and the Office Exchange Web Services (EWS) for command and control (C&C) communication and data exfiltration. The malware, which is a C#/.NET application, represents the first in a series of downloaders developed by OilRig that exploit legitimate cloud services for their C&C operations. In the Outer Space campaign, OilRig utilized a simple yet previously undocumented C#/.NET backdoor named Solar, alongside a new downloader, SampleCheck5000 (SC5k). SC5k specifically uses the Microsoft Office Exchange Web Services API for C&C communication. This innovative use of legitimate APIs makes the malware difficult to detect and block, as it blends in with regular network traffic. The primary function of SampleCheck5000 (SC5k) is to download and execute additional OilRig tools. It achieves this by creating draft messages in the compromised email account and hiding backdoor commands within these drafts. This sophisticated method of operation allows SC5k to remain undetected while carrying out its harmful activities, making it a significant threat to cybersecurity.

Description last updated: 2024-05-04T19:18:03.112Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sc5k is a possible alias for Samplecheck5000. SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Downloader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The OilRig Threat Actor is associated with Samplecheck5000. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of	Unspecified	2

Source Document References

Information about the Samplecheck5000 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Iranian Nation-State Actor OilRig Targets Israeli Organizations
CERT-EU	a year ago	How this Israeli Backdoor written in C#/.NET can be used to hack into any company
ESET	a year ago	OilRig’s persistent attacks using cloud service-powered downloaders
CERT-EU	a year ago	OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes