Malware Analysis Report

2025-08-11 06:18

Sample ID 230415-dzrgmsed51
Target SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe
SHA256 306839eeb37080b5d6e7d32ab0b261995877e9d143e91d1d1e06cdf636bcea28
Tags
smokeloader pub4 backdoor trojan rhadamanthys collection stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

306839eeb37080b5d6e7d32ab0b261995877e9d143e91d1d1e06cdf636bcea28

Threat Level: Known bad

The file SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader pub4 backdoor trojan rhadamanthys collection stealer

Rhadamanthys

SmokeLoader

Detect rhadamanthys stealer shellcode

Downloads MZ/PE file

Executes dropped EXE

Accesses Microsoft Outlook profiles

Program crash

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

outlook_win_path

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-15 03:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-15 03:27

Reported

2023-04-15 03:29

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"

Network

N/A

Files

memory/1364-55-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/1364-57-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/1232-56-0x0000000001C50000-0x0000000001C66000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-15 03:27

Reported

2023-04-15 03:29

Platform

win10v2004-20230221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2EEF.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe
PID 3128 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe
PID 3128 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe
PID 2536 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe C:\Windows\system32\dllhost.exe
PID 2536 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe C:\Windows\system32\dllhost.exe
PID 2536 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe C:\Windows\system32\dllhost.exe
PID 2536 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2EEF.exe C:\Windows\system32\dllhost.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\dllhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.457078.5822.1990.exe"

C:\Users\Admin\AppData\Local\Temp\2EEF.exe

C:\Users\Admin\AppData\Local\Temp\2EEF.exe

C:\Windows\system32\dllhost.exe

"C:\Windows\system32\dllhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 696

Network

Country Destination Domain Proto
US 117.18.232.240:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 aapu.at udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
US 52.182.143.208:443 tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
IT 179.43.155.247:80 179.43.155.247 tcp
KR 211.119.84.111:80 aapu.at tcp
US 8.8.8.8:53 247.155.43.179.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
PA 179.43.142.201:80 catalog.s.download.windowsupdate.com tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 201.142.43.179.in-addr.arpa udp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp
PA 179.43.142.201:80 179.43.142.201 tcp
KR 211.119.84.111:80 aapu.at tcp
KR 211.119.84.111:80 aapu.at tcp

Files

memory/1456-134-0x0000000000950000-0x0000000000959000-memory.dmp

memory/3128-135-0x0000000000430000-0x0000000000446000-memory.dmp

memory/1456-136-0x0000000000400000-0x00000000007FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2EEF.exe

MD5 125d1cf1adccdd7c0e0058f02d7dcfc4
SHA1 31ae25eb8cc617c94335773eb0261614554d9e19
SHA256 a499e4d7f71cb83c442b02f45dc986a42c6fef18ffc0efb9a54287671e063cc2
SHA512 e9e0b496e8ae722c58952dae5dc3f0942b1b87f2792741c05106792ae9249a44b6689560cf1e8cb87bb32ac26a375aa6f249643c0093e4d205ddd733da02d601

C:\Users\Admin\AppData\Local\Temp\2EEF.exe

MD5 125d1cf1adccdd7c0e0058f02d7dcfc4
SHA1 31ae25eb8cc617c94335773eb0261614554d9e19
SHA256 a499e4d7f71cb83c442b02f45dc986a42c6fef18ffc0efb9a54287671e063cc2
SHA512 e9e0b496e8ae722c58952dae5dc3f0942b1b87f2792741c05106792ae9249a44b6689560cf1e8cb87bb32ac26a375aa6f249643c0093e4d205ddd733da02d601

memory/2536-147-0x0000000000960000-0x000000000098E000-memory.dmp

memory/2536-148-0x0000000000400000-0x000000000080F000-memory.dmp

memory/2536-151-0x0000000000990000-0x00000000009AC000-memory.dmp

memory/2536-152-0x0000000000990000-0x00000000009AC000-memory.dmp

memory/2536-153-0x00000000009B0000-0x00000000009CA000-memory.dmp

memory/2536-154-0x0000000000990000-0x00000000009AC000-memory.dmp

memory/4696-155-0x0000013EEED10000-0x0000013EEED11000-memory.dmp

memory/2536-156-0x00000000009B0000-0x00000000009CA000-memory.dmp

memory/4696-157-0x0000013EEF020000-0x0000013EEF027000-memory.dmp

memory/4696-158-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp

memory/4696-159-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp

memory/4696-161-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp

memory/2536-162-0x0000000000990000-0x00000000009AC000-memory.dmp

memory/2536-160-0x0000000000400000-0x000000000080F000-memory.dmp

memory/4696-163-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp

memory/4696-164-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp

memory/4696-165-0x00007FF486CA0000-0x00007FF486D9A000-memory.dmp