Malware Analysis Report

2025-01-02 09:19

Sample ID: 230220-e585bahb6v
Target: 899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073
SHA256: 899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073
Tags: lgoogloader rhadamanthys downloader stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073
Threat Level: Known bad

The file 899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073 was found to be: Known bad.

Malicious Activity Summary

Tags: lgoogloader rhadamanthys downloader stealer

Detects LgoogLoader payload
LgoogLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect rhadamanthys stealer shellcode
Rhadamanthys
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-20 04:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-20 04:32
Reported: 2023-02-20 04:35
Platform: win10v2004-20220812-en
Max time kernel: 85s
Max time network: 147s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

Tags: downloader lgoogloader

Rhadamanthys

Tags: stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 5044 created 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | C:\Windows\system32\taskhostw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A (this row appears 3 times in the report)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5044 set thread context of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | N/A (this row appears 48 times in the report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5044 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (this row appears 3 times in the report)
PID 5044 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (this row appears 5 times in the report)
PID 5044 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | C:\Windows\SysWOW64\fontview.exe (this row appears 4 times in the report)

Processes

Process | Command line
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe | "C:\Users\Admin\AppData\Local\Temp\899d409c8baf0c5b6ab18f435a752d4ab4749e628c4fb442edfe22fae5fcf073.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe | "C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1232
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1276

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | irut7kviyq7.xnoy2yzcmqnfijkmtup8tstv2h0y | udp
NL | 95.101.78.82:80 | | tcp
NL | 104.80.225.205:443 | | tcp
US | 52.182.143.208:443 | | tcp
US | 8.248.5.254:80 | | tcp
US | 8.248.5.254:80 | | tcp

Files

memory/5044-132-0x000000000323A000-0x00000000033A9000-memory.dmp
memory/5044-133-0x000000000E4E0000-0x000000000E7DD000-memory.dmp
memory/5044-134-0x000000000E4E0000-0x000000000E7DD000-memory.dmp
memory/4704-135-0x0000000000000000-mapping.dmp
memory/4736-136-0x0000000000000000-mapping.dmp
memory/4736-137-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4736-139-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4736-140-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4736-141-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4736-142-0x0000000001480000-0x0000000001489000-memory.dmp
memory/4736-144-0x0000000001820000-0x000000000182D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240551140.dll
    MD5 8596736c157f4e9d597e640b5fd272c2
    SHA1 52c13d50177761027cf834200909cb8871e2bfc0
    SHA256 7788d59ce9a3935ac67aadd1d6da93feb8a6c2c4ee8b53fba51b93a8f42b3a7a
    SHA512 ceb67ced3657617fbe6485642e92c44e672fc39f4c1770a92323bccee636aebeea3b788b9297787db1bb0945e194f2aa245e7f02743207577eca160488ca7d37

memory/1640-145-0x00000000012B0000-0x00000000012E3000-memory.dmp
memory/1640-146-0x0000000000000000-mapping.dmp
memory/1640-147-0x00000000012B0000-0x00000000012E3000-memory.dmp
memory/5044-148-0x000000000323A000-0x00000000033A9000-memory.dmp
memory/5044-149-0x000000000E4E0000-0x000000000E7DD000-memory.dmp
memory/1640-150-0x00000000012B0000-0x00000000012E3000-memory.dmp
memory/1640-151-0x00000000013A8000-0x00000000013C2000-memory.dmp
memory/1640-152-0x0000000002E70000-0x0000000002E8C000-memory.dmp
memory/1640-153-0x0000000002F20000-0x0000000003F20000-memory.dmp
memory/1640-154-0x00000000012B0000-0x00000000012E3000-memory.dmp
memory/1640-155-0x00000000013A8000-0x00000000013C2000-memory.dmp
memory/1640-156-0x0000000002E70000-0x0000000002E8C000-memory.dmp
memory/5044-157-0x000000000323A000-0x00000000033A9000-memory.dmp