Analysis
max time kernel: 90s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2023 08:31
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
Target: file.exe
Size: 5.0MB
MD5: d384b4d1d761853f01257a96d02e8300
SHA1: d33265591eedddf7d7af5a932bc8e4e4a2229e6c
SHA256: ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317
SHA512: 7b6be8dbcb0875f6c16f28a8594cdfe895902b09252b4631c4181baedaa4bf9159920f045f254f4c51be34aa9ad70e6a2c3630cd4d0e4dd6a046998b67e108bb
SSDEEP: 98304:adFwHQR3l8sa3HlTKPGmrI2TpY8g26sTYlt4b8nXE:arR7a3lTKualK8g2/Tm4z
Malware Config
Signatures
Detect rhadamanthys stealer shellcode (1 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/2960-158-0x0000000002790000-0x00000000027AD000-memory.dmp  family_rhadamanthys
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
description            pid   process   target process
PID 5092 created 2556  5092  file.exe  taskhostw.exe
Loads dropped DLL (9 IoCs)
Processes:
pid   process
5092  file.exe
4676  ngentask.exe (8 events)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
11    ipinfo.io
12    ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid   process
2960  fontview.exe (3 events)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          pid   process   target process
PID 5092 set thread context of 4676  5092  file.exe  ngentask.exe
Program crash (2 IoCs)
Processes:
pid   pid_target  process       target process
4848  4676        WerFault.exe  ngentask.exe
3064  4676        WerFault.exe  ngentask.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                                        process
Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                           fontview.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000            fontview.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID fontview.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                           fontview.exe
Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                           fontview.exe
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes:
pid   process
5092  file.exe (46 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                       pid   process
Token: SeShutdownPrivilege        2960  fontview.exe
Token: SeCreatePagefilePrivilege  2960  fontview.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                       pid   process   target process
PID 5092 wrote to memory of 4676  5092  file.exe  ngentask.exe (5 events)
PID 5092 wrote to memory of 2960  5092  file.exe  fontview.exe (4 events)
Processes
C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Windows\SysWOW64\fontview.exe
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1324
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1344
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4676 -ip 4676
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4676 -ip 4676
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\240557875.dll
Filesize: 335KB
MD5: f8d36091acfdc104254d90a91588d569
SHA1: 3ac92b58e3378a6d88349cf8549ba8334a90b608
SHA256: 7765a84991c1fc872740ffbcb1bc0563e4edc31fcf02ce9341fa1f316c6efdc4
SHA512: fc2f2bac554997593468cef0fcbd6c0b24e00852ba199b9cedb4c5c4af52eb6874e15e346953d2f47c31b05f18eec1f0865495187be943cd1fcf27ed4fb8a5f1

C:\Users\Admin\AppData\Local\Temp\LocalSimbagu2DsmmGCkr\freebl3.dll
Filesize: 326KB
MD5: ef2834ac4ee7d6724f255beaf527e635
SHA1: 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512: c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

C:\Users\Admin\AppData\Local\Temp\LocalSimbagu2DsmmGCkr\mozglue.dll
Filesize: 133KB
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Local\Temp\LocalSimbagu2DsmmGCkr\nss3.dll
Filesize: 1.2MB
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\Users\Admin\AppData\Local\Temp\LocalSimbagu2DsmmGCkr\softokn3.dll
Filesize: 141KB
MD5: a2ee53de9167bf0d6c019303b7ca84e5
SHA1: 2a3c737fa1157e8483815e98b666408a18c0db42
SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA512: 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

memory/2960-147-0x0000000000C00000-0x0000000000C35000-memory.dmp  Filesize: 212KB
memory/2960-160-0x0000000000C00000-0x0000000000C35000-memory.dmp  Filesize: 212KB
memory/2960-157-0x0000000000D53000-0x0000000000D56000-memory.dmp  Filesize: 12KB
memory/2960-145-0x0000000000C00000-0x0000000000C35000-memory.dmp  Filesize: 212KB
memory/2960-146-0x0000000000000000-mapping.dmp
memory/2960-158-0x0000000002790000-0x00000000027AD000-memory.dmp  Filesize: 116KB
memory/2960-159-0x0000000002C90000-0x0000000003C90000-memory.dmp  Filesize: 16.0MB
memory/4676-140-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/4676-138-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/4676-137-0x0000000000000000-mapping.dmp
memory/4676-156-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/4676-141-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/4676-143-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/4676-142-0x0000000000400000-0x000000000077D000-memory.dmp  Filesize: 3.5MB
memory/5092-132-0x0000000002CA0000-0x0000000003153000-memory.dmp  Filesize: 4.7MB
memory/5092-133-0x000000000C5E0000-0x000000000E901000-memory.dmp  Filesize: 35.1MB
memory/5092-134-0x000000000C5E0000-0x000000000E901000-memory.dmp  Filesize: 35.1MB
memory/5092-135-0x0000000002CA0000-0x0000000003153000-memory.dmp  Filesize: 4.7MB
memory/5092-136-0x000000000C5E0000-0x000000000E901000-memory.dmp  Filesize: 35.1MB
memory/5092-161-0x0000000002CA0000-0x0000000003153000-memory.dmp  Filesize: 4.7MB