Malware Analysis Report

2025-01-02 09:29

Sample ID 230126-vk9hcaee37
Target file.exe
SHA256 4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d
Tags lgoogloader rhadamanthys downloader stealer
Score 10/10

Analysis Overview

Score
10/10

SHA256

4640e5b9817fd35d92b0d0687003576c75fd4e0df34bcfa0008c6ca3450a8f6d

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

lgoogloader rhadamanthys downloader stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects LgoogLoader payload

LgoogLoader

Rhadamanthys

Detect rhadamanthys stealer shellcode

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-26 17:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-26 17:04

Reported

2023-01-26 17:06

Platform

win7-20221111-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 vufunhhihjaoueenfclms8.o3yc9sxi0hsjteqcg93blo6bvyjgmo udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-26 17:04

Reported

2023-01-26 17:06

Platform

win10v2004-20220812-en

Max time kernel

91s

Max time network

126s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Detects LgoogLoader payload

Description Indicator Process Target
N/A N/A N/A N/A

LgoogLoader

downloader lgoogloader

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2372 created 2436 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\taskhostw.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2372 set thread context of 4864 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 528

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 vufunhhihjaoueenfclms8.o3yc9sxi0hsjteqcg93blo6bvyjgmo udp
N/A 20.42.73.24:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\240579250.dll

MD5 7f179879ed169f8d23cc45eb8b614223
SHA1 f9eca73b9ce26c80c5f2ea52c9927233550e0bba
SHA256 0bf6b31919f7896b2945415957fe61040e1f17bb9b0482c01ee3c12d598feb94
SHA512 42a4ce55bc08d1621b732368c9a7be3f65deb0675894ca546189b86b954bef8e45824eabaad32c9e2c48ca1deeae1c6d294c7118d38ecc26f2dee22d11fdd458
