blackmoon | ab48643a0b614c89f0c8486b58980577657be7479de0ffafeb10f45ead1c1027

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

12.3MB
MD5

2784c804b909d689fb2723e292357ca5
SHA1

4fcace4a9b260ada92690fbc2a64a94a4161f767
SHA256

ab48643a0b614c89f0c8486b58980577657be7479de0ffafeb10f45ead1c1027
SHA512

08dc330f9698e1f8d42ccd1632636cebd7f25e71858e6dfce688bb497809a5db7110c63cbd68f8ba6043a8f9a07c6459effec31682192fe716beebe94aa7110c
SSDEEP

196608:o3XTYQmknGzwHaOtVPHd9swFBubKLtchEYX2AxFpx4g1JoHZiDzDhpyT4t2:4ujzwV3BubKyeapug7ciDzDhpyTv

Score

10^/10

blackmoon mimikatz banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral1/memory/4716-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/memory/4716-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon
behavioral1/files/0x000700000002410d-6.dat	family_blackmoon
behavioral1/memory/2704-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/4716-0-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/memory/4716-4-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz
behavioral1/files/0x000700000002410d-6.dat	mimikatz
behavioral1/memory/2704-8-0x0000000000400000-0x0000000000A6E000-memory.dmp	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
2704	ectgats.exe
2520	ectgats.exe

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	97	117.50.11.11	1536	nslookup.exe
Destination IP	109	117.50.22.22	6088	nslookup.exe
Destination IP	151	208.67.222.222	1468	nslookup.exe
Destination IP	200	208.67.220.220	2972	nslookup.exe
Destination IP	113	208.67.222.222	2968	nslookup.exe
Destination IP	114	208.67.220.220	5952	nslookup.exe
Destination IP	129	208.67.222.222	3800	nslookup.exe
Destination IP	146	117.50.11.11	548	nslookup.exe
Destination IP	152	208.67.222.222	1468	nslookup.exe
Destination IP	43	117.50.22.22	5520	nslookup.exe
Destination IP	82	208.67.220.220	5516	nslookup.exe
Destination IP	124	117.50.11.11	1128	nslookup.exe
Destination IP	127	117.50.22.22	4580	nslookup.exe
Destination IP	133	208.67.220.220	4132	nslookup.exe
Destination IP	172	117.50.22.22	5528	nslookup.exe
Destination IP	62	117.50.11.11	3092	nslookup.exe
Destination IP	64	117.50.22.22	1180	nslookup.exe
Destination IP	116	208.67.220.220	5952	nslookup.exe
Destination IP	155	208.67.220.220	4872	nslookup.exe
Destination IP	164	117.50.11.11	5984	nslookup.exe
Destination IP	175	208.67.222.222	4628	nslookup.exe
Destination IP	178	208.67.220.220	6024	nslookup.exe
Destination IP	191	117.50.11.11	4784	nslookup.exe
Destination IP	40	117.50.11.11	5260	nslookup.exe
Destination IP	48	208.67.222.222	916	nslookup.exe
Destination IP	168	117.50.11.11	5984	nslookup.exe
Destination IP	176	208.67.222.222	4628	nslookup.exe
Destination IP	189	117.50.11.11	4784	nslookup.exe
Destination IP	196	208.67.222.222	3736	nslookup.exe
Destination IP	218	208.67.222.222	2520	ectgats.exe
Destination IP	65	117.50.22.22	1180	nslookup.exe
Destination IP	126	117.50.22.22	4580	nslookup.exe
Destination IP	144	117.50.11.11	548	nslookup.exe
Destination IP	173	117.50.22.22	5528	nslookup.exe
Destination IP	198	208.67.220.220	2972	nslookup.exe
Destination IP	199	208.67.220.220	2972	nslookup.exe
Destination IP	213	117.50.11.11	2520	ectgats.exe
Destination IP	216	117.50.22.22	2520	ectgats.exe
Destination IP	49	208.67.222.222	916	nslookup.exe
Destination IP	81	208.67.222.222	5504	nslookup.exe
Destination IP	137	208.67.220.220	4132	nslookup.exe
Destination IP	162	117.50.11.11	5984	nslookup.exe
Destination IP	174	208.67.222.222	4628	nslookup.exe
Destination IP	211	117.50.11.11	6016	nslookup.exe
Destination IP	150	208.67.222.222	1468	nslookup.exe
Destination IP	110	117.50.22.22	6088	nslookup.exe
Destination IP	115	208.67.220.220	5952	nslookup.exe
Destination IP	130	208.67.222.222	3800	nslookup.exe
Destination IP	131	208.67.222.222	3800	nslookup.exe
Destination IP	134	208.67.220.220	4132	nslookup.exe
Destination IP	190	117.50.11.11	4784	nslookup.exe
Destination IP	193	117.50.22.22	6112	nslookup.exe
Destination IP	46	117.50.22.22	5520	nslookup.exe
Destination IP	50	208.67.220.220	4032	nslookup.exe
Destination IP	59	117.50.11.11	3092	nslookup.exe
Destination IP	107	117.50.11.11	1536	nslookup.exe
Destination IP	128	117.50.22.22	4580	nslookup.exe
Destination IP	148	117.50.22.22	4856	nslookup.exe
Destination IP	154	208.67.220.220	4872	nslookup.exe
Destination IP	195	208.67.222.222	3736	nslookup.exe
Destination IP	51	208.67.220.220	4032	nslookup.exe
Destination IP	84	208.67.220.220	5516	nslookup.exe
Destination IP	123	117.50.11.11	1128	nslookup.exe
Destination IP	217	208.67.222.222	1456	nslookup.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ectgats.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ectgats.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ectgats.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ectgats.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sisagtst\ectgats.exe	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\sisagtst\ectgats.exe	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ectgats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6076	PING.EXE
1348	cmd.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000002410d-6.dat	nsis_installer_2

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ectgats.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ectgats.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ectgats.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ectgats.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ectgats.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ectgats.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ectgats.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ectgats.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6076	PING.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	2704	ectgats.exe
Token: SeDebugPrivilege	2520	ectgats.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
2704	ectgats.exe
2520	ectgats.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1348	4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4716 wrote to memory of 1348	4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 4716 wrote to memory of 1348	4716	2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	87
PID 1348 wrote to memory of 6076	1348	cmd.exe	89
PID 1348 wrote to memory of 6076	1348	cmd.exe	89
PID 1348 wrote to memory of 6076	1348	cmd.exe	89
PID 1348 wrote to memory of 2704	1348	cmd.exe	97
PID 1348 wrote to memory of 2704	1348	cmd.exe	97
PID 1348 wrote to memory of 2704	1348	cmd.exe	97
PID 2520 wrote to memory of 4892	2520	ectgats.exe	99
PID 2520 wrote to memory of 4892	2520	ectgats.exe	99
PID 2520 wrote to memory of 4892	2520	ectgats.exe	99
PID 4892 wrote to memory of 5036	4892	cmd.exe	101
PID 4892 wrote to memory of 5036	4892	cmd.exe	101
PID 4892 wrote to memory of 5036	4892	cmd.exe	101
PID 2520 wrote to memory of 1800	2520	ectgats.exe	103
PID 2520 wrote to memory of 1800	2520	ectgats.exe	103
PID 2520 wrote to memory of 1800	2520	ectgats.exe	103
PID 1800 wrote to memory of 2576	1800	cmd.exe	105
PID 1800 wrote to memory of 2576	1800	cmd.exe	105
PID 1800 wrote to memory of 2576	1800	cmd.exe	105
PID 2520 wrote to memory of 956	2520	ectgats.exe	106
PID 2520 wrote to memory of 956	2520	ectgats.exe	106
PID 2520 wrote to memory of 956	2520	ectgats.exe	106
PID 956 wrote to memory of 5260	956	cmd.exe	108
PID 956 wrote to memory of 5260	956	cmd.exe	108
PID 956 wrote to memory of 5260	956	cmd.exe	108
PID 2520 wrote to memory of 5052	2520	ectgats.exe	111
PID 2520 wrote to memory of 5052	2520	ectgats.exe	111
PID 2520 wrote to memory of 5052	2520	ectgats.exe	111
PID 5052 wrote to memory of 5520	5052	cmd.exe	113
PID 5052 wrote to memory of 5520	5052	cmd.exe	113
PID 5052 wrote to memory of 5520	5052	cmd.exe	113
PID 2520 wrote to memory of 4464	2520	ectgats.exe	114
PID 2520 wrote to memory of 4464	2520	ectgats.exe	114
PID 2520 wrote to memory of 4464	2520	ectgats.exe	114
PID 4464 wrote to memory of 916	4464	cmd.exe	116
PID 4464 wrote to memory of 916	4464	cmd.exe	116
PID 4464 wrote to memory of 916	4464	cmd.exe	116
PID 2520 wrote to memory of 5932	2520	ectgats.exe	117
PID 2520 wrote to memory of 5932	2520	ectgats.exe	117
PID 2520 wrote to memory of 5932	2520	ectgats.exe	117
PID 5932 wrote to memory of 4032	5932	cmd.exe	119
PID 5932 wrote to memory of 4032	5932	cmd.exe	119
PID 5932 wrote to memory of 4032	5932	cmd.exe	119
PID 2520 wrote to memory of 1420	2520	ectgats.exe	120
PID 2520 wrote to memory of 1420	2520	ectgats.exe	120
PID 2520 wrote to memory of 1420	2520	ectgats.exe	120
PID 1420 wrote to memory of 2236	1420	cmd.exe	122
PID 1420 wrote to memory of 2236	1420	cmd.exe	122
PID 1420 wrote to memory of 2236	1420	cmd.exe	122
PID 2520 wrote to memory of 1152	2520	ectgats.exe	123
PID 2520 wrote to memory of 1152	2520	ectgats.exe	123
PID 2520 wrote to memory of 1152	2520	ectgats.exe	123
PID 1152 wrote to memory of 1328	1152	cmd.exe	125
PID 1152 wrote to memory of 1328	1152	cmd.exe	125
PID 1152 wrote to memory of 1328	1152	cmd.exe	125
PID 2520 wrote to memory of 3192	2520	ectgats.exe	126
PID 2520 wrote to memory of 3192	2520	ectgats.exe	126
PID 2520 wrote to memory of 3192	2520	ectgats.exe	126
PID 3192 wrote to memory of 3092	3192	cmd.exe	128
PID 3192 wrote to memory of 3092	3192	cmd.exe	128
PID 3192 wrote to memory of 3092	3192	cmd.exe	128
PID 2520 wrote to memory of 4104	2520	ectgats.exe	129

C:\Users\Admin\AppData\Local\Temp\2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_2784c804b909d689fb2723e292357ca5_amadey_cloudeye_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\sisagtst\ectgats.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6076
- - C:\Windows\sisagtst\ectgats.exe
    C:\Windows\sisagtst\ectgats.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2704

C:\Windows\sisagtst\ectgats.exe
C:\Windows\sisagtst\ectgats.exe
1⤵
- Executes dropped EXE
- Unexpected DNS network traffic destination
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 8.8.8.8
    3⤵
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5932
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A aj.0x0x0x0x0.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4104
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:744
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A xs.0x0x0x0x0.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 8.8.8.8
    3⤵
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
  2⤵
  PID:396
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5788
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:6088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ui.0x0x0x0x0.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    PID:5952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:528
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 8.8.8.8
    3⤵
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1408
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A qb.1c1c1c1c.best 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 8.8.8.8
    3⤵
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5300
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A ce.1c1c1c1c.club 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5556
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 1.1.1.1
    3⤵
    PID:5332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
  2⤵
  PID:5316
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5736
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    PID:5528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A jz.1c1c1c1c.xyz 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 8.8.8.8
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 1.1.1.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5160
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5744
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 117.50.22.22
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 117.50.22.22
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3840
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.heroherohero.info 208.67.220.220
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.heroherohero.info 208.67.220.220
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 8.8.8.8
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 8.8.8.8
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 1.1.1.1
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 1.1.1.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.11.11
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5892
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.11.11
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 117.50.22.22
  2⤵
  PID:5136
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 117.50.22.22
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A bk.kingminer.club 208.67.222.222
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A bk.kingminer.club 208.67.222.222
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sisagtst\ectgats.exe

Filesize
12.4MB

MD5
7fc1000846411252be986c0d91c94640

SHA1
4db5726c4fccb16027e7bfaebae004257c57dd0b

SHA256
33c3596dc41729df2291e5c995bb1d00cf3d1d9533d23f8c9aafd79c3f03e4ae

SHA512
245066bfb310e5c83da663bfb36a2fdfd75d71fad8a4ab2e046ed1370393c4c6fa6d1bdc8cea3c7c1f7d8d5123a6298ff0723329fb0b6d441726bc9ec9bb162c

Download Submit
memory/2704-8-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/4716-0-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/4716-4-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download