Malware Analysis Report

2025-03-15 05:17

Sample ID: 231218-1lcgwsfce2
Target: b6495a9c6a890740db6f41bf37af8427.exe
SHA256: 816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Tags: smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Threat Level: Known bad

The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.

Malicious Activity Summary

Tags: smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat rat

Signatures triggered across the static and behavioral runs:
- Detect ZGRat V1
- SmokeLoader
- ZGRat
- Smokeloader family
- RedLine
- RedLine payload
- Downloads MZ/PE file
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
- Unsigned PE
- Suspicious behavior: MapViewOfSection
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-18 21:43

Signatures

Smokeloader family (smokeloader)

Unsigned PE (no per-event details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-18 21:43
Reported: 2023-12-18 21:46
Platform: win7-20231215-en
Max time kernel: 29s
Max time network: 68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

RedLine (infostealer redline)

RedLine payload (2 events, no per-event details recorded)

SmokeLoader (trojan backdoor smokeloader)

Downloads MZ/PE file

Deletes itself (1 event, no per-event details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
(plus 62 further events with no process recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (3 events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1068 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe (4 events)
PID 1068 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe (4 events)

Processes

Each entry is the process image followed by its command line.

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe
  "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\7214.exe
  C:\Users\Admin\AppData\Local\Temp\7214.exe

C:\Users\Admin\AppData\Local\Temp\82E7.exe
  C:\Users\Admin\AppData\Local\Temp\82E7.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp" /SL5="$30192,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218214423.log C:\Windows\Logs\CBS\CbsPersist_20231218214423.cab

Note: the is-4C4DC.tmp\tuc3.tmp /SL5= invocation is the standard Inno Setup pattern (tuc3.exe unpacks its setup stub into a temporary is-*.tmp directory and re-launches it with the /SL5 switch), and the makecab.exe run is Windows' own Component-Based Servicing log rollover (CbsPersist_*.log compressed to .cab) that fell inside the detonation window rather than anything the sample started.

Network

Country | Destination | Domain | Proto
RU | 185.215.113.68:80 | - | tcp
US | 8.8.8.8:53 | bitbucket.org | udp
US | 104.192.141.1:443 | bitbucket.org | tcp
US | 104.192.141.1:443 | bitbucket.org | tcp
RU | 5.42.65.125:80 | 5.42.65.125 | tcp
RU | 77.105.132.87:17066 | - | tcp
US | 8.8.8.8:53 | github.com | udp
DE | 140.82.121.4:443 | github.com | tcp
DE | 140.82.121.4:443 | github.com | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 173.231.16.77:80 | api.ipify.org | tcp
BG | 91.92.254.7:80 | 91.92.254.7 | tcp

Files

Paths listed more than once with different hashes were written more than once with different content during the run, so each hash is a separate indicator. The \??\c:\... entry is the NT-path form of the same is-4c4dc.tmp\tuc3.tmp path, and the is-*.tmp\_isetup\*.dll files are Inno Setup's own helper libraries. memory/<pid>-<seq>-<start>-<end>-memory.dmp entries are region dumps taken from the named process.

memory/1732-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1068-1-0x0000000002DA0000-0x0000000002DB6000-memory.dmp
memory/1732-2-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7214.exe
MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01
SHA512 acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83

memory/2740-14-0x0000000000200000-0x0000000000252000-memory.dmp
memory/2740-19-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2740-20-0x0000000004EC0000-0x0000000004F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\82E7.exe
MD5 b7adb2d9dd7d210ab9e095d0bea22afa
SHA1 b8424ce4817117bd2030f3d6fe6b6365821447da
SHA256 2188db29d9de04f5184f24329080cd6a2a06c1179fb2e5921b20ec237fb51b64
SHA512 4172e3dae37b1bf3d791efef6e53633daca838c4344f74227a996241dd404d4cd2b8f26c4e4fee0d77c82b5dd29cc15abbb2a2fded5fbc4b518b13d170d179cf

C:\Users\Admin\AppData\Local\Temp\82E7.exe
MD5 b7cb717d4c784906f0e4474da06bd22c
SHA1 c364e88016b395e0619672494ba31c8031be1302
SHA256 5d3c518aee5598b752004a729671a1b052129f80570d4d8268767fa32018e9ee
SHA512 8746fb1359b745fc82ae7fef1b5c47704cad698a0ed89caba53f0620523a16414df751042b3a4e3e30243a43cb2e680b1a92ad07b0b2a022073e3e2cfe7447a5

memory/2688-27-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2688-28-0x0000000000B00000-0x00000000018F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 75af3a3b1cfaae063b7f32d4639b2b3f
SHA1 5874cf182aa1143a238e0301c86929f9c398c714
SHA256 6758a5fa5ea739cc64fb38c583aa2d1b0e034061fb94bc4a09460c22bbb90ad6
SHA512 99b9474fe4309f510e99cb67c4ddbb553cfdc7ec858d3d9e8b20697f794fb541248bb5b730d125a335ceda888afdf3a8335b9153c451074d2fd27f0138269d15

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

\Users\Admin\AppData\Local\Temp\nsy840F.tmp\Math.dll
MD5 ebd8a7a5042ae1d4ce1aa9071859c851
SHA1 ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6
SHA256 fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837
SHA512 daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 924e868f1abb2b14cb69c26700782a41
SHA1 d4a4cb00d4260635a758a9a33d1cd5d6c18d25da
SHA256 f1aaef54cc87829bce1139097d8507aa11943c5f0ad8f158d9e633fcc4be16f7
SHA512 26e7cc196f9e5fc809757d4b1af7776d661b3d12a915ff921d6a134f2f804355b0259f26e7ed1bdc4624908b01c08a81019f781a00c6eca9ba31433f45b535a1

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 bdc1657a837ea51e5c0d61f002806b19
SHA1 f62395f543e541dfb6624c22802fd69401b969a6
SHA256 f44a9b30cad3dbad881d92a77674001c3b26fa53e54fdcc0342dd3bce57bdaff
SHA512 f8e231c9c9f8764a0d106088cf7fc91c6696d175cc9ec8c9315ac8dcafda3c31cd98a64fe279ea46c76a327497af10ecd98c8162dcd51c699e9fae73e4de3e78

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 17cf5014cce2072440efc10994bfb5a0
SHA1 30781a829aa089dbee1bec24a17d1944d5fb32d0
SHA256 99d87b64a9c0ae6e0e365200545157deac69c6e5cbc699afa6b4e690d6ce3cb2
SHA512 8951941a0fb0b6b8e8322b4839b6090b48d6f16a9f952078b248a2281152f3f21ac3a06e05160a65acc241f8cfb24ad38cbff92816258711721f9127c4853af7

memory/2880-61-0x0000000002600000-0x00000000029F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 aa954867d3496af19454c6dff3ec264c
SHA1 22af3c1b56141a08e4be16908df46c41c875ae01
SHA256 124f44e6c2ff0fe9170e867712ee2f199c0cdef08299f0d4762f2d9cf2a52995
SHA512 5e448b9306910bffec05d99721dc45713debe2bb6d91569b39271d534124478710397752feac1af2d30bacf0451b689ee95abfd4d3d559587785e44a774cf780

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 883c896896a318945411d14639d42f67
SHA1 1668fa1bb3f57aaf9997550d347e98b8e2488837
SHA256 fc23ddc27029813b25b8ed5cb27629870737e347ac0735dcf99008b1448c8393
SHA512 a2f8d119a7693994e389aba4956d0592757d083d851bfba7cac7d7b916d48143d7ef0024675191844f3501d4dacd3d4aaac9a478a19fafc97b5d9c8eb6b19721

\Users\Admin\AppData\Local\Temp\nsy840F.tmp\INetC.dll
MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe
MD5 8fd8220395e46fdc821f50dd580edd62
SHA1 23999287941e9911c01b11c4586d2a78d3aaedb5
SHA256 73d1480f6c6738cffddcbb906357dd8630a198508f9a54b19e03a60414127194
SHA512 d9e325f1dc963bf6bef796d9f7f3f31984f01638e2ff74a5fdb47a5988dc5b7145d7d5108f4155eb861d1b9ee8a4e5473da9e2f697ef4b2e52b027c872e5b8f4

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 4cc67d701332f4073eef6b14e10aca34
SHA1 09142752bab88528c78041835d5b3abb9d187f02
SHA256 6cb6be78220ea7ebe0941fb8e3b746e908562a97d0b2a9db8af5281cc7e80fe9
SHA512 dd53b3d8efcf929bbd6d5b6e068ae3fd9d9aebe3ec175620347f6bd2fe20c29cedc8c93c04555b9fabdb1c603fef82a8f37e018787060f18c2bde33adb58adf2

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
MD5 de41391fdc8881b555ea47c1d45c6967
SHA1 8852d9e04d70369a68814cf0d32ceb84989bae49
SHA256 8a439286edd10f413fa6e2aded42e41a26f4c90567bb7506fe5749464ec7a487
SHA512 54d2217fb08dba08b9edc6a0e8e751283ad94b68b8a556764e494e6823b8d0056f178c5db23a8fb284af95a38b3d9246c1e2752de9e5aed28e55b1019c9c43bc

memory/2880-76-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/3036-79-0x00000000003A0000-0x00000000003A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
MD5 2c88363923fcbcc8bd0b769cd8d51310
SHA1 ca232fc3af1c03a908cf9cc63b092f9bca2122bf
SHA256 05dd63b27edbf347f9a0b2a50742fc0bda38d2df94d56aaa4782841619a15ccc
SHA512 627972a348ed7870b52dfac62c41c2f16c409fd1656873ce23c57a2c7c8a881b0a7a4b7185750c6b094b26299f638188ee2a375e8fa84c0c6c0224c59bfcd8f2

memory/2688-91-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1636-92-0x0000000000400000-0x0000000000409000-memory.dmp
memory/856-89-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
MD5 6945c5c2f8ee59e2f4bf2b31431867f0
SHA1 8e6cdac42aa6fffc3f22cc9f74b0fe04db8c5605
SHA256 0e5046291d31af1020e62cd61ebf6a7dbb52c890d733c11c54b5eef6f5271ea9
SHA512 0a2c8477e33b2a95908b23b0f3b1e59ce18405693c76e0c96996160b0af7b84a943314c286b961268303f1355da4e9f3d422b0e426a69d609ac7fc0ebaed8311

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
MD5 06e776038e63406e82f42668326b6862
SHA1 c480d27594660803050933d6944297e65c5bab03
SHA256 dd323f84e9ca41accce2ba41dbcc686d2996367839d0dfa07bedee09e85b1b07
SHA512 e30153a0b8866ea53dbdc977fad4c1487e3297c4abd9349cc971fced977f2f1a93c158289a187c7f160fb408a737e06b138932a5c342b4e5802a2f624cea17ad

memory/2880-95-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp
MD5 81d00652e9352de3509e297d8d709550
SHA1 a47414777cd62c8b8e55e66812130602261e1538
SHA256 fbf1fcf95ad72dfbebd18fdaae127bed7cdf198da97066de44bdde67d136f6f7
SHA512 4fd08212a0f29b56302f80bffcf9c3bd4a45c6edc7272b0c149019460f713574194d2c60179bce2512d3ce62343ecf43a04b8e1589e46ae96c6ad0ed817cc6b3

\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_shfoldr.dll
MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_iscrypt.dll
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_isdecmp.dll
MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

memory/1912-104-0x0000000000240000-0x0000000000241000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-4c4dc.tmp\tuc3.tmp
MD5 52dd9ae16a082b91a87c49b0d11f6b23
SHA1 98aec1ef3c24afe9ce3860df658715db50ed3c1a
SHA256 14a4aba613a33bf7867634d807d4aeaf7b6e956f6f44ec9ad0b94b4060456118
SHA512 be4158513da779850855202356e4c6fef986c854549a0527671d58e1ab290d16a17644693f58a28b1753696611d027cf2de6ed92fdda3dc9ee3b4905dd659a77

C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp
MD5 50dda1eee45a83bdfabda3819fa92dc9
SHA1 0afb18b5162f1aa60fe73479910362268d1a38e9
SHA256 688c28718a637c28f9283a62c32b96cb94377f9cdcf2ef294cbe1388f5a64806
SHA512 b32c4f6d5246a89abf40e05e4d44debb124750f076bc2a96696766c99b86b45a92744354286a1f7253841ab76c8e736162c2d583422a7ebe8ad61618d67cb969

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 558e3a9e5fe2b7b30c722095672292b9
SHA1 e8ed08278fb40de985ee6b0cbbed606d0a1f6b38
SHA256 97964cb442a8450825d046232b89c59fac71fc8765f0fd314e79fcd8bd087810
SHA512 6ef9f9ffc62a4d6a6a4430a485a96792deb2b47f74a8fe04f11074497f065802c5ae91cb82ed3e671433d46c6b649c0a351201bfd3086c2384ac3362f71c58b5

memory/2880-80-0x0000000002A00000-0x00000000032EB000-memory.dmp
memory/1636-84-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe
MD5 b98b6b8a9f883ff433f6d6e21f0fad52
SHA1 48040db14e2403d7a0a80c52dfbf5ce98f7aab6c
SHA256 ad7fa0062d5f8b057714e505ac06bf31348545bae8a5d06fdb78e16e86cb42ee
SHA512 d892d893284524125767b732fe5bd8e8d17bb862fad0f01a8585a5376641f8698ff1b606eaef4bb45825bb319ece9d4c20000f62a9a6017b5a001cfbcfe35038

memory/1636-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3036-77-0x0000000000230000-0x0000000000330000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-18 21:43
Reported: 2023-12-18 21:46
Platform: win10v2004-20231215-en
Max time kernel: 46s
Max time network: 85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

Signatures

Detect ZGRat V1 (3 events, no per-event details recorded)

RedLine (infostealer redline)

RedLine payload (1 event, no per-event details recorded)

SmokeLoader (trojan backdoor smokeloader)

ZGRat (rat zgrat)

Downloads MZ/PE file

Deletes itself (1 event, no per-event details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A
(plus 62 further events with no process recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (6 events)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (6 events, alternating with the SeShutdownPrivilege events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3520 wrote to memory of 404 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe (3 events)
PID 3520 wrote to memory of 1596 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe (3 events)
PID 3520 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe (3 events)

Uses Task Scheduler COM API (persistence)
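The signature tables of behavioral1 and behavioral2 describe one chain: the sample running from %TEMP% launches sibling executables named with four hex digits (7214.exe and 82E7.exe on Windows 7; 50CB.exe, 63E6.exe, 9008.exe and 98D3.exe on Windows 10), writes into their memory (PID 1068 into 2740 and 2688; PID 3520 into 404, 1596 and 3912), reads HKLM\SYSTEM\ControlSet001\Enum\SCSI, resolves api.ipify.org and deletes itself. The Python below is an added example, not part of the report: it turns each of those observations into a rule over an event stream and folds per-process hits back onto the spawning parent so that one alert covers the whole drop chain. The events are constructed in a generic shape rather than real Sysmon records (Sysmon reports cross-process access in Event ID 10 but does not log registry key reads, which is why the SCSI check only shows up in API-monitor output like this report); the PIDs and dropped-file names come from the behavioral1 tables, while the parent image of PID 1068 and the trailing installer rows are assumptions. The 0x20 and 0x08 access masks are the documented PROCESS_VM_WRITE and PROCESS_VM_OPERATION rights that WriteProcessMemory needs.

```python
"""Rule set for the SmokeLoader-style drop chain seen in the behavioral runs.
Added example; events below are constructed, not taken from a real log."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\b6495a9c6a890740db6f41bf37af8427.exe"
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
HEXNAME_RE = re.compile(r"^[0-9a-f]{4}\.exe$", re.I)   # 7214.exe, 82E7.exe, 50CB.exe ...
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
IP_CHECK_DOMAINS = {"api.ipify.org"}


def in_temp(path):
    return bool(TEMP_RE.match(path))


def basename(path):
    return path.rsplit("\\", 1)[-1]


# Constructed events. PIDs 1068/2740/2688 and the file names mirror behavioral1;
# the image of PID 1068 and the InstallSetup9.exe rows (pid 3100) are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 2740, "image": TEMP + r"\7214.exe", "ppid": 1068, "parent_image": SAMPLE},
    {"type": "process_create", "pid": 2688, "image": TEMP + r"\82E7.exe", "ppid": 1068, "parent_image": SAMPLE},
    {"type": "process_access", "pid": 1068, "image": SAMPLE, "target_pid": 2740, "granted_access": 0x1FFFFF},
    {"type": "process_access", "pid": 1068, "image": SAMPLE, "target_pid": 2688, "granted_access": 0x0028},
    {"type": "reg_query", "pid": 1068, "image": SAMPLE, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"type": "dns_query", "pid": 2740, "image": TEMP + r"\7214.exe", "name": "api.ipify.org"},
    {"type": "file_delete", "pid": 1068, "image": SAMPLE, "target": SAMPLE},
    # Benign-looking noise that must not fire: descriptive name, unrelated key.
    {"type": "process_create", "pid": 3100, "image": TEMP + r"\InstallSetup9.exe", "ppid": 500, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "reg_query", "pid": 3100, "image": TEMP + r"\InstallSetup9.exe", "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]


def rule_dropped_hex_exe(ev):
    # Temp-resident parent launching a Temp-resident <4 hex>.exe, the naming seen in this report.
    if (ev["type"] == "process_create" and in_temp(ev["image"]) and in_temp(ev["parent_image"])
            and HEXNAME_RE.match(basename(ev["image"]))):
        return f"{basename(ev['parent_image'])} launched {basename(ev['image'])} from Temp"


def rule_memory_write(ev):
    # WriteProcessMemory needs both VM_WRITE and VM_OPERATION on the target handle.
    needed = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    if ev["type"] == "process_access" and in_temp(ev["image"]) and (ev["granted_access"] & needed) == needed:
        return f"pid {ev['pid']} opened pid {ev['target_pid']} with VM_WRITE|VM_OPERATION"


def rule_scsi_enum(ev):
    if ev["type"] == "reg_query" and in_temp(ev["image"]) and ev["key"].lower().endswith(r"\enum\scsi"):
        return "read of Enum\\SCSI (storage/VM fingerprinting)"


def rule_external_ip(ev):
    if ev["type"] == "dns_query" and in_temp(ev["image"]) and ev["name"].lower() in IP_CHECK_DOMAINS:
        return f"external IP lookup via {ev['name']}"


def rule_self_delete(ev):
    if ev["type"] == "file_delete" and ev["target"].lower() == ev["image"].lower():
        return "process deleted its own image"


RULES = {
    "dropped_hex_exe": rule_dropped_hex_exe,
    "memory_write": rule_memory_write,
    "scsi_enum": rule_scsi_enum,
    "external_ip": rule_external_ip,
    "self_delete": rule_self_delete,
}


def run_rules(events):
    """Per-process hits: pid -> [(rule name, detail)] in event order."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits[ev["pid"]].append((name, detail))
    return dict(hits)


def loader_chains(events):
    """Fold child hits onto the top-most flagged ancestor so one alert covers the chain."""
    hits = run_rules(events)
    parent_of = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    chains = defaultdict(set)
    for pid, pid_hits in hits.items():
        root = pid
        while parent_of.get(root) in hits:      # climb while the parent is also flagged
            root = parent_of[root]
        chains[root].update(name for name, _ in pid_hits)
    return {root: sorted(names) for root, names in chains.items()}


if __name__ == "__main__":
    for root, names in loader_chains(EVENTS).items():
        print(f"chain rooted at pid {root}: {', '.join(names)}")
```

Each rule alone is weak (installers live in Temp, EDR agents open processes with broad access), so the value is in `loader_chains`: a single Temp-resident process that drops hex-named siblings, injects into them, fingerprints storage and then removes its own image is the pattern that the individual signatures in this report only hint at one line at a time.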

Processes

Each entry is the process image followed by its command line.

C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe
  "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"

C:\Users\Admin\AppData\Local\Temp\50CB.exe
  C:\Users\Admin\AppData\Local\Temp\50CB.exe

C:\Users\Admin\AppData\Local\Temp\63E6.exe
  C:\Users\Admin\AppData\Local\Temp\63E6.exe

C:\Users\Admin\AppData\Local\Temp\9008.exe
  C:\Users\Admin\AppData\Local\Temp\9008.exe

C:\Users\Admin\AppData\Local\Temp\98D3.exe
  C:\Users\Admin\AppData\Local\Temp\98D3.exe

C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c install.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.215.113.68:80 | 185.215.113.68 | tcp
US | 8.8.8.8:53 | bitbucket.org | udp
US | 104.192.141.1:443 | bitbucket.org | tcp
US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp
US | 3.5.29.234:443 | bbuseruploads.s3.amazonaws.com | tcp
US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 234.29.5.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
RU | 5.42.65.125:80 | 5.42.65.125 | tcp
US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp
RU | 77.105.132.87:17066 | - | tcp
US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
DE | 140.82.121.4:443 | github.com | tcp
US | 8.8.8.8:53 | objects.githubusercontent.com | udp
US | 185.199.108.133:443 | objects.githubusercontent.com | tcp
US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp
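The two Network tables (behavioral1 above and behavioral2 here) mix four kinds of rows: queries to the resolver at 8.8.8.8, reverse lookups of addresses the sample had already contacted (68.113.215.185.in-addr.arpa is the reverse of 185.215.113.68, 87.132.105.77.in-addr.arpa the reverse of 77.105.132.87), downloads from the hosting services the "Legitimate hosting services abused for malware hosting/C2" signature refers to, and direct-to-IP connections with no name at all. The Python below is an added example, not part of the report: it parses rows copied from both tables and sorts them into blocklist candidates. The resolver address, the hosting-service suffix list, and the decision to treat api.ipify.org as a discovery check rather than as C2 are this script's own assumptions.

```python
"""Classify the Network rows of a sandbox report into IOC buckets.
Added example; the row text is copied from the report's two Network tables."""
import re
from collections import defaultdict

# Subset of rows copied from the behavioral1 and behavioral2 Network tables.
NETWORK_ROWS = """
RU 185.215.113.68:80 tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
RU 5.42.65.125:80 5.42.65.125 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:80 api.ipify.org tcp
BG 91.92.254.7:80 91.92.254.7 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 3.5.29.234:443 bbuseruploads.s3.amazonaws.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
"""

# "CC ip:port [domain] proto"; the domain column is absent on some rows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumptions: the sandbox resolver, the hosting services named by the report's
# signature, and the external-IP web service the sample consulted.
RESOLVERS = {"8.8.8.8"}
HOSTING_SUFFIXES = ("bitbucket.org", "github.com", "githubusercontent.com", "amazonaws.com")
IP_CHECK_DOMAINS = {"api.ipify.org"}


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row):
    ip, domain, port = row["ip"], row["domain"], row["port"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "ptr-noise"            # reverse lookup of an address already contacted
    if domain in IP_CHECK_DOMAINS:
        return "external-ip-check"    # discovery, not C2 by itself
    if domain and domain.endswith(HOSTING_SUFFIXES):
        return "hosting-download"     # payload staging; block the object, not the host
    if ip in RESOLVERS and port == 53:
        return "dns-query"            # any other name resolved through the resolver
    if domain is None or domain == ip:
        return "direct-ip"            # no name at all: strongest C2 candidate
    return "other"


def extract_iocs(text):
    """Bucket -> sorted indicators (ip:port for direct-ip rows, otherwise the name)."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        kind = classify(row)
        endpoint = f"{row['ip']}:{row['port']}"
        key = endpoint if kind == "direct-ip" else (row["domain"] or endpoint)
        buckets[kind].add(key)
    return {kind: sorted(keys) for kind, keys in buckets.items()}


def ptr_targets(text):
    """Map each in-addr.arpa query back to the forward address it reverses."""
    out = {}
    for row in parse_rows(text):
        name = row["domain"]
        if name and name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            out[name] = ".".join(reversed(octets))
    return out


if __name__ == "__main__":
    for kind, items in extract_iocs(NETWORK_ROWS).items():
        print(f"{kind:18} {', '.join(items)}")
    print(ptr_targets(NETWORK_ROWS))
```

The direct-ip bucket is what belongs on a network blocklist; the hosting-download bucket should be handled by URL or object, since blocking bitbucket.org or github.com wholesale is rarely acceptable, and the ptr-noise bucket is a side effect of the host resolving the addresses it connected to and carries no indicator of its own.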

Files

The 50CB.exe hashes below are identical to those of 7214.exe in behavioral1: the same payload was dropped under a different random name on each platform. As in behavioral1, paths listed more than once with different hashes were written more than once with different content during the run, and each hash is a separate indicator.

memory/388-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/388-3-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3520-1-0x0000000002E10000-0x0000000002E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50CB.exe
MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA1 0723a7c85108ebd6a8141a7ce2459c35add81a0c
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01
SHA512 acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83

memory/404-12-0x0000000000FE0000-0x0000000001032000-memory.dmp
memory/404-17-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/404-18-0x0000000005C10000-0x00000000061B4000-memory.dmp
memory/404-19-0x0000000005700000-0x0000000005792000-memory.dmp
memory/404-20-0x0000000005990000-0x00000000059A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63E6.exe
MD5 b778158238cdb356a7c824beed2664cd
SHA1 9ad751830075e8a3ac5e853ef44ca93c109c4c42
SHA256 a23553baba26deb2aee37c3ec599b22909e798c0a410bc9f0f98542e6fad969c
SHA512 6727fc0837f20b5c601dd51e8470d857bc76589d2f772fc38819b243a641631baf93442f06b28c426079afd457921c709f82ecca5d3dfa2cbbd175a64fa7aab3

C:\Users\Admin\AppData\Local\Temp\63E6.exe
MD5 184a2aec7d833f38cf5cb84db4cc8e9c
SHA1 bba50c0fe181fa4cea697e22c9e2353c028711b0
SHA256 0867c2792002d0a1e9eb0632ba53c9492f38433db7e8842ce59eba10e76ec57d
SHA512 15c85bcc733f88b2806bcd70129d951b8bc45c00c3866138d7385538d6d8e91fd914c1402b68eff90a9c53b9fa8cc5b437e706bd0dc1cb42d2900763f0825349

memory/1596-25-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/404-26-0x0000000005890000-0x000000000589A000-memory.dmp
memory/1596-27-0x0000000000210000-0x00000000006AE000-memory.dmp
memory/1596-28-0x0000000005160000-0x00000000051FC000-memory.dmp
memory/404-29-0x0000000006CE0000-0x00000000072F8000-memory.dmp
memory/1596-30-0x0000000005330000-0x0000000005340000-memory.dmp
memory/404-31-0x0000000008560000-0x000000000866A000-memory.dmp
memory/404-32-0x0000000006B10000-0x0000000006B22000-memory.dmp
memory/404-33-0x0000000006B70000-0x0000000006BAC000-memory.dmp
memory/404-34-0x0000000006BC0000-0x0000000006C0C000-memory.dmp
memory/404-36-0x00000000091A0000-0x0000000009206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9008.exe
MD5 ca21455eb583d8d3a099950b679083b8
SHA1 a5e0c9847660ca038dcac9b999dc3183ee3b8a62
SHA256 9cb36dc35b07b07b322f31eeb73de0c6d47ebca50313582c2314df3a187f2cbe
SHA512 8f39dba121c02aea8cf10abb41b62fa7f9fc7b44436d783c820681ad44fe32e60714c952c2e72927a8d815ee7b9e5f05fbb6ed9cdbb7ad796eb12bf620e585d9

C:\Users\Admin\AppData\Local\Temp\9008.exe
MD5 c2aede0ca02d53b357a44e36c88cff41
SHA1 3d85c162138dc37685a8fabd9775631463a876e2
SHA256 ff1b9dc4127ca36f675fbcdc5ddef34aca9741cf83cbfe510b2606ef20e9ab2c
SHA512 45dc994f430ecf1364b6aaba94d1a24b8b341618d6279d9c1259fb1a3c532d1a3dd3557ae69553817fdc0077a7910290b1c8cb4d05b8192d6634afa3328238a5

memory/3912-41-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/1596-42-0x0000000005BC0000-0x0000000005D88000-memory.dmp
memory/3912-43-0x0000000000130000-0x0000000000F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98D3.exe
MD5 dc6fbf2cd9ad1f1f0ac200e9bec7ea3f
SHA1 c3af9d82d270829784339331dea63f927400e0d4
SHA256 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590
SHA512 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f

memory/404-51-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/1596-50-0x0000000006D90000-0x0000000006F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
MD5 40692d84079c65f1a27f012dccdb8072
SHA1 4b91929b58bb592a93ad13aded5a463543a0966e
SHA256 9d09bb8ad9e4be89a80cc6460c03671a2cb1f716cea6e632b50d5dcd4338af94
SHA512 bb673a97450c2598ad78edb6cd371b38cb11487984a81636b3f82c85491ecc046ce984a370a581c70148792c21e85946c45a3a96adb86309d9a9fb355da18a5f
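The Files sections of the two runs repay a closer read: 7214.exe (behavioral1) and 50CB.exe (behavioral2) carry the same MD5 and SHA256, so the loader dropped one payload under two random names, and several paths (82E7.exe, 63E6.exe, 9008.exe, InstallSetup9.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe) appear with more than one hash because they were written more than once. The Python below is an added example, not part of the report: it parses the page's own layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<seq>-<start>-<end>-memory.dmp entries in between) from excerpts copied from both sections, surfaces those relationships, and sizes the dumped regions, which shows the same 0x52000-byte region in the 7214.exe and 50CB.exe children (PIDs 2740 and 404). The excerpts keep only the MD5 and SHA256 lines of each entry to stay short; the parser accepts all four algorithms.

```python
"""Parse the report's Files layout and correlate dropped files across runs.
Added example; the excerpts are copied from the two Files sections above."""
import re
from collections import defaultdict

HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Excerpts copied from the report (hash lines trimmed to MD5/SHA256).
BEHAVIORAL1_FILES = r"""
memory/1068-1-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7214.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01

memory/2740-14-0x0000000000200000-0x0000000000252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\82E7.exe

SHA256 2188db29d9de04f5184f24329080cd6a2a06c1179fb2e5921b20ec237fb51b64

C:\Users\Admin\AppData\Local\Temp\82E7.exe

SHA256 5d3c518aee5598b752004a729671a1b052129f80570d4d8268767fa32018e9ee

memory/2688-28-0x0000000000B00000-0x00000000018F2000-memory.dmp
"""

BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\50CB.exe

MD5 9a747219c8fab73e2ba0541e3d86cd8b
SHA256 eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01

memory/404-12-0x0000000000FE0000-0x0000000001032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63E6.exe

SHA256 a23553baba26deb2aee37c3ec599b22909e798c0a410bc9f0f98542e6fad969c

C:\Users\Admin\AppData\Local\Temp\63E6.exe

SHA256 0867c2792002d0a1e9eb0632ba53c9492f38433db7e8842ce59eba10e76ec57d

memory/3912-43-0x0000000000130000-0x0000000000F22000-memory.dmp
"""


def parse_files_section(text, run):
    """Return (file entries, memory dumps) for one run's Files section.
    A file entry is a path line followed by '<ALGO> <hex>' lines; any line
    matching memory/<pid>-<seq>-<start>-<end>-memory.dmp is a region dump.
    Paths containing spaces are not expected in this layout."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"run": run, "pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and digest:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current[algo.lower()] = digest.lower()
            continue
        current = {"run": run, "path": line}
        entries.append(current)
    return entries, dumps


def shared_payloads(entries):
    """SHA256 -> [(run, file name)] for hashes that occur in more than one run."""
    seen = defaultdict(set)
    for e in entries:
        if "sha256" in e:
            seen[e["sha256"]].add((e["run"], e["path"].rsplit("\\", 1)[-1]))
    return {h: sorted(v) for h, v in seen.items() if len({r for r, _ in v}) > 1}


def rewritten_paths(entries):
    """(run, path) -> number of distinct SHA256s, for paths captured more than once."""
    by_path = defaultdict(set)
    for e in entries:
        if "sha256" in e:
            by_path[(e["run"], e["path"])].add(e["sha256"])
    return {k: len(v) for k, v in by_path.items() if len(v) > 1}


def dump_sizes(dumps):
    """(run, pid, seq) -> size in bytes of each dumped region."""
    return {(d["run"], d["pid"], d["seq"]): d["end"] - d["start"] for d in dumps}


if __name__ == "__main__":
    e1, d1 = parse_files_section(BEHAVIORAL1_FILES, "behavioral1")
    e2, d2 = parse_files_section(BEHAVIORAL2_FILES, "behavioral2")
    print(shared_payloads(e1 + e2))
    print(rewritten_paths(e1 + e2))
    print({k: hex(v) for k, v in dump_sizes(d1 + d2).items()})
```

Running it over the full Files sections rather than the excerpts gives the complete hash set to feed a file-hash blocklist; every SHA256 goes in, including the intermediate writes, since a partially written copy on disk is still the same intrusion.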