Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-ehc4cscchk
Target 0x000a0000000155f3-115.dat
SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
Tags smokeloader redline livetraffic backdoor discovery infostealer spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701

Threat Level: Known bad

The file 0x000a0000000155f3-115.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader redline livetraffic backdoor discovery infostealer spyware stealer trojan

SmokeLoader

RedLine

Smokeloader family

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:56

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:56

Reported

2023-12-11 03:58

Platform

win7-20231020-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
(62 further rows with every field N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1212 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe
PID 1212 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe
PID 1212 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe
PID 1212 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B136.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe

"C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe"

C:\Users\Admin\AppData\Local\Temp\B136.exe

C:\Users\Admin\AppData\Local\Temp\B136.exe

Network

Country | Destination | Domain | Proto
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 77.105.132.87:6731 | | tcp
RU | 77.105.132.87:6731 | | tcp

Files

memory/536-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/536-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1212-1-0x00000000029D0000-0x00000000029E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B136.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2792-12-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2792-17-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2792-18-0x00000000073E0000-0x0000000007420000-memory.dmp

memory/2792-20-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2792-21-0x00000000073E0000-0x0000000007420000-memory.dmp

memory/2792-23-0x0000000074450000-0x0000000074B3E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:56

Reported

2023-12-11 03:58

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C1C.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A
(62 further rows with every field N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2C1C.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3148 wrote to memory of 756 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C1C.exe
PID 3148 wrote to memory of 756 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C1C.exe
PID 3148 wrote to memory of 756 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C1C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe

"C:\Users\Admin\AppData\Local\Temp\0x000a0000000155f3-115.exe"

C:\Users\Admin\AppData\Local\Temp\2C1C.exe

C:\Users\Admin\AppData\Local\Temp\2C1C.exe

Network


Files

memory/4628-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3148-1-0x0000000002980000-0x0000000002996000-memory.dmp

memory/4628-3-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C1C.exe

MD5 9ce9632a15e6e421086935ffcf07e0d0
SHA1 f20d9f068b9e66e5803a89aea0dff07a4b0a7206
SHA256 6acd253808324e67e8d100796a024f260f3f1969787655f0e68fbf82636bdfaa
SHA512 d9d869a894e4a863ee92c7eef8b0de320664f0508f2911c61105e53b233ed742f2e91aef3cc9801275bfa5a6af7144fd32bd0da4d68ace601de7eb55af7016bb

C:\Users\Admin\AppData\Local\Temp\2C1C.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/756-12-0x0000000003030000-0x000000000306C000-memory.dmp

memory/756-17-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/756-18-0x0000000008550000-0x0000000008AF4000-memory.dmp

memory/756-19-0x0000000008060000-0x00000000080F2000-memory.dmp

memory/756-20-0x00000000081D0000-0x00000000081E0000-memory.dmp

memory/756-21-0x0000000008120000-0x000000000812A000-memory.dmp

memory/756-23-0x0000000009570000-0x0000000009B88000-memory.dmp

memory/756-25-0x000000000ADF0000-0x000000000AE02000-memory.dmp

memory/756-24-0x000000000AF00000-0x000000000B00A000-memory.dmp

memory/756-26-0x000000000AE50000-0x000000000AE8C000-memory.dmp

memory/756-27-0x000000000AE90000-0x000000000AEDC000-memory.dmp

memory/756-28-0x000000000B880000-0x000000000B8E6000-memory.dmp

memory/756-29-0x00000000081D0000-0x00000000081E0000-memory.dmp

memory/756-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/756-31-0x00000000081D0000-0x00000000081E0000-memory.dmp

memory/756-32-0x00000000081D0000-0x00000000081E0000-memory.dmp

memory/756-33-0x000000000B010000-0x000000000B1D2000-memory.dmp

memory/756-34-0x000000000C930000-0x000000000CE5C000-memory.dmp