Malware Analysis Report

2025-03-15 05:17

Sample ID 231218-3ljmbafgb2
Target b333502d7915bbd0911087435549fd31.exe
SHA256 df09728a6383db0b8bb9f28a04ccd0c358e3f525c1d340c94d481fe8c97b4adb
Tags
redline smokeloader livetraffic up3 backdoor infostealer trojan zgrat 666 discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file b333502d7915bbd0911087435549fd31.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

RedLine payload

Smokeloader family

ZGRat

RedLine

Detect ZGRat V1

Downloads MZ/PE file

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 23:36

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 23:36

Reported

2023-12-18 23:38

Platform

win7-20231215-en

Max time kernel

28s

Max time network

61s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6529.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\6529.exe
PID 1136 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\6529.exe
PID 1136 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\6529.exe
PID 1136 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\6529.exe
PID 1136 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\788B.exe
PID 1136 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\788B.exe
PID 1136 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\788B.exe
PID 1136 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\788B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe

"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"

C:\Users\Admin\AppData\Local\Temp\6529.exe

C:\Users\Admin\AppData\Local\Temp\6529.exe

C:\Users\Admin\AppData\Local\Temp\788B.exe

C:\Users\Admin\AppData\Local\Temp\788B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp" /SL5="$B0118,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218233632.log C:\Windows\Logs\CBS\CbsPersist_20231218233632.cab

C:\Users\Admin\AppData\Local\Temp\800B.exe

C:\Users\Admin\AppData\Local\Temp\800B.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 23:36

Reported

2023-12-18 23:38

Platform

win10v2004-20231215-en

Max time kernel

39s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"

Signatures

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F3A7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2FE7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F3A7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3A7.exe
PID 3552 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3A7.exe
PID 3552 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3A7.exe
PID 3552 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5.exe
PID 3552 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5.exe
PID 3552 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5.exe
PID 3552 wrote to memory of 2436 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FE7.exe
PID 3552 wrote to memory of 2436 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FE7.exe
PID 3552 wrote to memory of 2436 N/A N/A C:\Users\Admin\AppData\Local\Temp\2FE7.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe

"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"

C:\Users\Admin\AppData\Local\Temp\F3A7.exe

C:\Users\Admin\AppData\Local\Temp\F3A7.exe

C:\Users\Admin\AppData\Local\Temp\3C5.exe

C:\Users\Admin\AppData\Local\Temp\3C5.exe

C:\Users\Admin\AppData\Local\Temp\2FE7.exe

C:\Users\Admin\AppData\Local\Temp\2FE7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Users\Admin\AppData\Local\Temp\37F6.exe

C:\Users\Admin\AppData\Local\Temp\37F6.exe

C:\Users\Admin\AppData\Local\Temp\3E8F.exe

C:\Users\Admin\AppData\Local\Temp\3E8F.exe

Network

Files
