S1168 SampleCheck5000
SampleCheck5000 is a downloader with multiple variants that was used by OilRig, including during the Outer Space campaign, to download and execute additional payloads.[2][1]
| Item | Value |
|---|---|
| ID | S1168 |
| Associated Names | SC5k |
| Type | MALWARE |
| Version | 1.1 |
| Created | 25 November 2024 |
| Last Modified | 22 October 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| SC5k | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SampleCheck5000 can use the Exchange Web Services API for C2 communication.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | SampleCheck5000 can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SampleCheck5000 can call cmd.exe to execute C2 command line strings.[2][1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SampleCheck5000 can log the output from C2 commands in an encrypted and compressed format on disk prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SampleCheck5000 can decode and decrypt command line strings and files received through C2.[2][1] |
| enterprise | T1567 | Exfiltration Over Web Service | SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.[2][1] |
| enterprise | T1105 | Ingress Tool Transfer | SampleCheck5000 can download additional payloads to compromised hosts.[2][1] |
| enterprise | T1680 | Local Storage Discovery | SampleCheck5000 can create unique victim identifiers by using the compromised system's volume ID.[1] |
| enterprise | T1082 | System Information Discovery | SampleCheck5000 can create unique victim identifiers by using the compromised system's computer name.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve C2 commands and payloads placed in Draft messages.[2][1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0049 | OilRig | [2] |
References
- [1] Hromcova, Z. and Burgher, A. (2023, December 14). OilRig's persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
- [2] Hromcova, Z. and Burgher, A. (2023, September 21). OilRig's Outer Space and Juicy Mix: Same ol' rig, new drill pipes. Retrieved November 21, 2024.