Overview

overview

10

Static

static

a10386e62a...cf.exe

windows7-x64

10

a10386e62a...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2023 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a10386e62ad4e91a86c164a0288564cf.exe

  • Size

    207KB

  • MD5

    a10386e62ad4e91a86c164a0288564cf

  • SHA1

    6135151cbb13013b07510bab11df7006d930f49f

  • SHA256

    259d03eb1abf679421dfaac9e04881e82385aeea11a168aecb25101d0e65070b

  • SHA512

    bbeec805e9882357758ab2271aa765b9628a986d0864b9a0f7967d1ba90fae45982b69db7deae2bfdef0ff0ed6720b6b688a9acdae2dcd1c445711ad0cc82d6b

  • SSDEEP

    3072:jXt5qNx67uPiuFbdMa59LT6dpN+VxuJdJMIsn/cU8xwHmapb:bqx67uPiunLT6IqPMxzzp

Score
10/10
rhadamanthyssmokeloaderbackdoorstealertrojan

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 2 IoCs
  • Detects Smokeloader packer 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10386e62ad4e91a86c164a0288564cf.exe
    "C:\Users\Admin\AppData\Local\Temp\a10386e62ad4e91a86c164a0288564cf.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:632
  • C:\Users\Admin\AppData\Local\Temp\B923.exe
    C:\Users\Admin\AppData\Local\Temp\B923.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B923.exe
    Filesize

    349KB

    MD5

    2e58f23422076cc03f492c0c9ca6ce14

    SHA1

    883c51ea2768488cbdabfb5969349c8d41072c36

    SHA256

    d3308f8b8905c046fa48a7a828b1047511709ad9c7d9b7d4e67ec94083e76c39

    SHA512

    27208c19cf0c540877230cc97834348cf11465b0fc1e751576cbc70cb9469ac01b7835ed30afd06468665461c447afc375c5210158782ea16fcb5aaf9975194f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B923.exe
    Filesize

    349KB

    MD5

    2e58f23422076cc03f492c0c9ca6ce14

    SHA1

    883c51ea2768488cbdabfb5969349c8d41072c36

    SHA256

    d3308f8b8905c046fa48a7a828b1047511709ad9c7d9b7d4e67ec94083e76c39

    SHA512

    27208c19cf0c540877230cc97834348cf11465b0fc1e751576cbc70cb9469ac01b7835ed30afd06468665461c447afc375c5210158782ea16fcb5aaf9975194f

    Download Submit

  • memory/632-132-0x0000000002C28000-0x0000000002C39000-memory.dmp

    Filesize

    68KB

    Download

  • memory/632-133-0x0000000002BE0000-0x0000000002BE9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/632-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

    Filesize

    39.6MB

    Download

  • memory/632-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

    Filesize

    39.6MB

    Download

  • memory/1316-139-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1316-140-0x000000000108E000-0x0000000001091000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1316-141-0x0000000000E20000-0x0000000000E3D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1316-142-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1316-143-0x0000000000E20000-0x0000000000E3D000-memory.dmp

    Filesize

    116KB

    Download