S1168: SampleCheck5000
SampleCheck5000 is a downloader with multiple variants that was used by OilRig including during the Outer Space campaign to download and execute additional payloads. [1][2]
Analyst context for executives and security teams
SampleCheck5000 matters because ATT&CK describes it as a Windows downloader used to retrieve and execute additional payloads. For leaders, the risk is not the downloader alone; it is the follow-on access it can enable, including command execution, tool transfer, discovery, staging, archiving, and possible exfiltration over web services based on ATT&CK relationships.
Executive priority
Prioritize this as a validation point for Windows endpoint visibility, outbound web traffic governance, and incident response readiness. The ATT&CK relationships connect SampleCheck5000 to OilRig and the Outer Space campaign, including targeting of Israeli organizations in that campaign, but local exposure depends on your environment and telemetry. Executives should ask whether SOC teams can prove detection and investigation coverage for downloader behavior, legitimate-looking web service communications, and rapid follow-on payload execution.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related techniques: Windows Command Shell execution, web-protocol command and control, bidirectional communication through external web services, ingress tool transfer, deobfuscation or decoding, system and local storage discovery, local staging, archive creation, and exfiltration over web services. Because ATT&CK provides no official detection text for this malware object, teams should build coverage from the mapped behaviors rather than from the malware name alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and child-process relationships
- File creation and modification events for downloaded payloads, staged data, decoded content, and archives
- Network telemetry for outbound HTTP/S or other web-protocol traffic from Windows hosts
- Proxy, DNS, firewall, and TLS metadata for unusual external web service communication patterns
- EDR alerts or behavioral logs for tool transfer, payload execution, and suspicious archive utility usage
Detection direction
- Do not rely only on signatures for SampleCheck5000; ATT&CK notes multiple variants and provides no official detection guidance.
- Correlate outbound web traffic with new file writes and subsequent process execution on Windows endpoints.
- Tune for suspicious Windows command shell use where it is linked to downloads, decoding, staging, archiving, or discovery activity.
- Review allowlisted cloud or web services carefully, because related ATT&CK techniques include bidirectional communication and exfiltration over web services.
- Account for false positives from legitimate software deployment, administration scripts, backup tools, compression utilities, and normal cloud service usage.
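The correlation described above (outbound web traffic, then a new file write by the same process, then execution of that file or a command shell spawned by the downloader, all on one Windows host within a short window) can be prototyped directly against endpoint telemetry. The following is an added example written for this page, not code from Glexia, MITRE or ESET; it runs over constructed Sysmon-style events and assumes the field names shown (`image`, `pid`, `parent_pid`, `path`, `cmdline`, `dest`). The allowlist of deployment agents is the false-positive tuning the last bullet calls for; the host, process and destination values are invented for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-style events (not real telemetry). WS01 shows the
# download -> file write -> execution chain of interest; WS02 shows a
# legitimate software deployment agent doing the same three steps; WS03
# is a lone outbound connection with no follow-on activity.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "type": "network",
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "pid": 4412,
     "dest": "outlook.office365.com:443"},
    {"ts": "2024-01-10T09:00:04", "host": "WS01", "type": "file_write",
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "pid": 4412,
     "path": r"C:\Users\u\AppData\Local\Temp\stage.exe"},
    {"ts": "2024-01-10T09:00:07", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "pid": 4420,
     "parent_image": r"C:\Users\u\AppData\Local\Temp\upd.exe", "parent_pid": 4412,
     "cmdline": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe"},
    {"ts": "2024-01-10T09:10:00", "host": "WS02", "type": "network",
     "image": r"C:\Windows\CCM\CcmExec.exe", "pid": 1200,
     "dest": "sccm.corp.example:443"},
    {"ts": "2024-01-10T09:10:03", "host": "WS02", "type": "file_write",
     "image": r"C:\Windows\CCM\CcmExec.exe", "pid": 1200,
     "path": r"C:\Windows\ccmcache\setup.msi"},
    {"ts": "2024-01-10T09:10:05", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe", "pid": 1300,
     "parent_image": r"C:\Windows\CCM\CcmExec.exe", "parent_pid": 1200,
     "cmdline": "msiexec /i C:\\Windows\\ccmcache\\setup.msi"},
    {"ts": "2024-01-10T09:20:00", "host": "WS03", "type": "network",
     "image": r"C:\Program Files\Browser\browser.exe", "pid": 900,
     "dest": "www.example.org:443"},
]

# How long after the outbound connection the write and execution must occur.
WINDOW = timedelta(minutes=5)
# Tuning knob (hypothetical list): parent images that legitimately download
# and execute content, e.g. software deployment agents.
ALLOWLISTED_PARENTS = {r"c:\windows\ccm\ccmexec.exe"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def correlate_download_chains(events, window=WINDOW, allow=ALLOWLISTED_PARENTS):
    """Return one alert per (network -> file write -> execution) chain.

    Events are grouped by host and by the originating process: for network
    and file-write events that is the acting pid, for process creation it is
    the parent pid, so the downloader ties all three together.
    """
    by_origin = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        origin = e["parent_pid"] if e["type"] == "process_create" else e["pid"]
        by_origin[(e["host"], origin)].append(e)

    alerts = []
    for (host, _pid), evs in by_origin.items():
        nets = [e for e in evs if e["type"] == "network"]
        writes = [e for e in evs if e["type"] == "file_write"]
        execs = [e for e in evs if e["type"] == "process_create"]
        for n in nets:
            t0 = parse_ts(n["ts"])
            for w in writes:
                tw = parse_ts(w["ts"])
                if not (t0 <= tw <= t0 + window):
                    continue
                for x in execs:
                    tx = parse_ts(x["ts"])
                    if not (tw <= tx <= t0 + window):
                        continue
                    # The chain matters only if the newly written file is run
                    # or the downloader spawns a command shell (T1059.003).
                    written = w["path"].lower()
                    runs_written = (written in x["cmdline"].lower()
                                    or x["image"].lower() == written)
                    spawns_shell = x["image"].lower().endswith("\\cmd.exe")
                    if not (runs_written or spawns_shell):
                        continue
                    alerts.append({
                        "host": host,
                        "downloader": x["parent_image"],
                        "dest": n["dest"],
                        "written": w["path"],
                        "executed": x["cmdline"],
                        # Kept for audit, but not escalated when the parent is
                        # a known deployment tool.
                        "suppressed": x["parent_image"].lower() in allow,
                    })
    return alerts


def alerts_to_escalate(events):
    """Chains that survive the allowlist and should go to an analyst."""
    return [a for a in correlate_download_chains(events) if not a["suppressed"]]


if __name__ == "__main__":
    for a in alerts_to_escalate(EVENTS):
        print(f"{a['host']}: {a['downloader']} -> {a['dest']} wrote "
              f"{a['written']} then ran '{a['executed']}'")
```

Both chains are recorded so that allowlist suppressions remain auditable; only the one whose downloader is not a known deployment agent is escalated. In production the same logic would run over a time-bounded stream rather than a list, and the window and allowlist would be tuned per environment.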
Mitigation priorities
- Confirm endpoint logging and EDR coverage on Windows systems before attempting malware-specific detection engineering.
- Restrict and monitor unnecessary outbound web access, especially from servers and sensitive workstations.
- Apply least privilege and application control where feasible to reduce unauthorized command shell execution, payload execution, and archive utility abuse.
- Harden egress controls and web proxy inspection policies for unapproved web services while preserving business-required access.
- Prepare IR playbooks for downloader cases that include scoping follow-on payloads, reviewing external communications, and searching for staged or archived data.
Analyst notes and limits
ATT&CK identifies SampleCheck5000 as a downloader used by OilRig, including during the Outer Space campaign, and maps it to behaviors spanning execution, command and control, discovery, collection, and exfiltration-related techniques. The most useful defensive approach is behavior-led validation across endpoint, network, and web-service telemetry.
The supplied ATT&CK object has no official detection section, no aliases, and no object-level tactics. The malware platform is listed as Windows, while several related techniques have broader ATT&CK platform listings; environment-specific validation is required before asserting coverage or exposure.
SampleCheck5000
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | SampleCheck5000 can create unique victim identifiers by using the compromised system’s volume ID.[2] |
| Enterprise | T1102.002 | Bidirectional Communication | SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve C2 commands and payloads placed in Draft messages.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | SampleCheck5000 can download additional payloads to compromised hosts.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SampleCheck5000 can decode and decrypt command line strings and files received through C2.[1][2] |
| Enterprise | T1560.001 | Archive via Utility | SampleCheck5000 can gzip compress files uploaded to a shared mailbox used for C2 and exfiltration.[2] |
| Enterprise | T1059.003 | Windows Command Shell | SampleCheck5000 can call cmd.exe to execute C2 command line strings.[1][2] |
| Enterprise | T1071.001 | Web Protocols | SampleCheck5000 can use the Exchange Web Services API for C2 communication.[2] |
| Enterprise | T1082 | System Information Discovery | SampleCheck5000 can create unique victim identifiers by using the compromised system’s computer name.[2] |
| Enterprise | T1074.001 | Local Data Staging | SampleCheck5000 can log the output from C2 commands in an encrypted and compressed format on disk prior to exfiltration.[2] |
| Enterprise | T1567 | Exfiltration Over Web Service | SampleCheck5000 can use the Microsoft Office Exchange Web Services API to access an actor-controlled account and retrieve files for exfiltration.[1][2] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
C0042: Outer Space
Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f72ea77a6feb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET OilRig Campaigns Sep 2023: Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
[2] ESET OilRig Downloaders DEC 2023: Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
[3] SC5k (Citation: ESET OilRig Campaigns Sep 2023)
[4] mitre-attack S1168
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.