Analysis

  • max time kernel
    104s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2025, 12:02

General

  • Target

    2025-07-04_ce38c0d6b68d7a370f98a2cb75b1681d_amadey_elex_rhadamanthys_smoke-loader_stop_tofsee.exe

  • Size

    1.0MB

  • MD5

    ce38c0d6b68d7a370f98a2cb75b1681d

  • SHA1

    452b777e797a25bdfde6f673eb9df569e710183b

  • SHA256

    9927197a93d932e9686892f3c6596cea43906bc78ee3b11a75fc1ca476ea770c

  • SHA512

    d79a64a392ccb492623f0e02f5e38abb7bff18fff45b69ff1b97716942b4512849aed9dc34234549b50c9ffcf9990c9ec939b49ae78685f149b7ab59fc1cb76c

  • SSDEEP

    24576:oW+UCHPb9+EzWkx0JqsaS2ROXm5lEoRwODTIUwp7:v+fpslqRO25WoGODTPE7

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ce38c0d6b68d7a370f98a2cb75b1681d_amadey_elex_rhadamanthys_smoke-loader_stop_tofsee.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ce38c0d6b68d7a370f98a2cb75b1681d_amadey_elex_rhadamanthys_smoke-loader_stop_tofsee.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      "C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe"
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:3220
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:212

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\360\360Safe\deepscan\ZhuDongFangYu.exe

          Filesize

          1.0MB

          MD5

          ce38c0d6b68d7a370f98a2cb75b1681d

          SHA1

          452b777e797a25bdfde6f673eb9df569e710183b

          SHA256

          9927197a93d932e9686892f3c6596cea43906bc78ee3b11a75fc1ca476ea770c

          SHA512

          d79a64a392ccb492623f0e02f5e38abb7bff18fff45b69ff1b97716942b4512849aed9dc34234549b50c9ffcf9990c9ec939b49ae78685f149b7ab59fc1cb76c

        • C:\b77eca8a96ea76dc187791135e6117a4\2010_x64.log.html

          Filesize

          86KB

          MD5

          052e2feb69c6ce2c8e895b0679b38f9b

          SHA1

          3b2b308840539d604520da2ac2855fc55b2d1a4e

          SHA256

          462f6cfb96948024dd246ea0c6ed1162cb3aca59391f8a1b353fdee360fc4889

          SHA512

          76fe05a1c8c6217f74857043baa543bcc3e464f1b29e7b053ae7f6fc6c045f974c392398932f17465e453209deba31d47765900a7c03b56c4267ddfbab79b758

        • memory/212-36-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/3220-15-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/3220-420-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/3220-572-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/4444-0-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/4444-1-0x0000000000454000-0x0000000000455000-memory.dmp

          Filesize

          4KB

        • memory/4444-14-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB