Malware Analysis Report

2025-03-15 05:16

Sample ID 231218-1jhacsfcd4
Target b6495a9c6a890740db6f41bf37af8427.exe
SHA256 816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Tags
smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat rat spyware stealer
score
10/10


Analysis Overview

Threat Level: Known bad

The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

SmokeLoader

Detect ZGRat V1

RedLine payload

RedLine

Smokeloader family

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 21:40

Signatures

Smokeloader family

smokeloader

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 21:40

Reported

2023-12-18 21:43

Platform

win7-20231215-en

Max time kernel

27s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\601A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\71E6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\Temp\601A.exe
PID 1232 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\71E6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\601A.exe

C:\Users\Admin\AppData\Local\Temp\601A.exe

C:\Users\Admin\AppData\Local\Temp\71E6.exe

C:\Users\Admin\AppData\Local\Temp\71E6.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218214107.log C:\Windows\Logs\CBS\CbsPersist_20231218214107.cab

C:\Users\Admin\AppData\Local\Temp\is-OF46U.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OF46U.tmp\tuc3.tmp" /SL5="$8011E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 21:40

Reported

2023-12-18 21:43

Platform

win10v2004-20231215-en

Max time kernel

43s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

Detect ZGRat V1


RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DF5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2055.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4DDF.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DF5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 4576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF5.exe
PID 3532 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\Temp\2055.exe
PID 3532 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\Temp\4DDF.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\DF5.exe

C:\Users\Admin\AppData\Local\Temp\DF5.exe

C:\Users\Admin\AppData\Local\Temp\2055.exe

C:\Users\Admin\AppData\Local\Temp\2055.exe

C:\Users\Admin\AppData\Local\Temp\4DDF.exe

C:\Users\Admin\AppData\Local\Temp\4DDF.exe

C:\Users\Admin\AppData\Local\Temp\54F4.exe

C:\Users\Admin\AppData\Local\Temp\54F4.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\5B00.exe

C:\Users\Admin\AppData\Local\Temp\5B00.exe

Network


Files
