Analysis

max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-02-2023 15:20

Static task: static1

Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20230220-en
General

Target: tmp.exe
Size: 384KB
MD5: be6ead5fba6e45225d2c869c593c091e
SHA1: 51b1f2a3ba54d0f675694831a7c9c509093c3399
SHA256: 72ffef4d565a07136b07f1c8c4518f159c0d3afdfae4e7736963f17eb35b0b59
SHA512: 32e0cfe77acf48e76c01ce50115a6288f2e5f1bb57532f96fced385aa5025fcd4d8b29ae83a0d06cbfb27aee3b58aa9cbedf86e68196c205e1c2e562ee213147
SSDEEP: 6144:XiexrddlUFwKfSO2pKvYc9/5aLiqoKDv:XdTlmsQYcl0Jr
Malware Config

Extracted
  Family: colibri
  Version: 1.4.0
  C2 URLs:
    http://wqfegrbjiskfmas.top/gate.php
    http://interferenceatmobile.xyz/gate.php
Signatures

Detect rhadamanthys stealer shellcode (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2208-138-0x0000000002310000-0x000000000232C000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2208-139-0x0000000002310000-0x000000000232C000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2208-141-0x0000000002310000-0x000000000232C000-memory.dmp  family_rhadamanthys
  behavioral2/memory/2208-148-0x0000000002310000-0x000000000232C000-memory.dmp  family_rhadamanthys

Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Executes dropped EXE (1 IoC)
  pid   process
  3884  F273.tmp.exe

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  description  ioc                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook                        dllhost.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook                        dllhost.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook                        dllhost.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                        dllhost.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                        dllhost.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  dllhost.exe

Program crash (1 IoC)
  pid   pid_target  process       target process
  1572  2208        WerFault.exe  tmp.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dllhost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      dllhost.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  2208  tmp.exe
  2208  tmp.exe
  1504  dllhost.exe
  1504  dllhost.exe
  1504  dllhost.exe
  1504  dllhost.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process  target process
  PID 2208 wrote to memory of 1504  2208  tmp.exe  dllhost.exe
  PID 2208 wrote to memory of 1504  2208  tmp.exe  dllhost.exe
  PID 2208 wrote to memory of 1504  2208  tmp.exe  dllhost.exe
  PID 2208 wrote to memory of 1504  2208  tmp.exe  dllhost.exe

outlook_office_path (1 IoC)
  description  ioc                                                                                                                 process
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dllhost.exe

outlook_win_path (1 IoC)
  description  ioc                                                                                                                                           process
  Key opened   \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  dllhost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\dllhost.exe  (child of tmp.exe)
    command line: "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path

  C:\Windows\SysWOW64\WerFault.exe  (child of tmp.exe)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 700
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2208 -ip 2208

C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\F273.tmp.exe
  Filesize: 877KB
  MD5: 5fd30bde601c8d7b3d1486650d44f7cf
  SHA1: 86578f815e67293885878be187d61ed7f1fa573e
  SHA256: 207ccbaf358bed54df98aed79b7a7ed243392b550f5d5bf4d1a72ca7fbe56c52
  SHA512: 6bb7e60af4bf5a58054c42534967caf1c3f6652ec658741a52f3ed153e27717f6cec0df34daee2e76bb6d7358b6f40679b4a2d96ff974eb8b5eeae618be7e97b
  memory dump                                                        filesize
  memory/1504-151-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-149-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-156-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-152-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-142-0x00000285473D0000-0x00000285473D1000-memory.dmp  4KB
  memory/1504-150-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-144-0x00000285474F0000-0x00000285474F7000-memory.dmp  28KB
  memory/1504-145-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/1504-146-0x00007FF4D2790000-0x00007FF4D288A000-memory.dmp  1000KB
  memory/2208-147-0x0000000000400000-0x000000000059F000-memory.dmp  1.6MB
  memory/2208-148-0x0000000002310000-0x000000000232C000-memory.dmp  112KB
  memory/2208-139-0x0000000002310000-0x000000000232C000-memory.dmp  112KB
  memory/2208-143-0x0000000002360000-0x0000000002362000-memory.dmp  8KB
  memory/2208-134-0x00000000022E0000-0x000000000230E000-memory.dmp  184KB
  memory/2208-141-0x0000000002310000-0x000000000232C000-memory.dmp  112KB
  memory/2208-138-0x0000000002310000-0x000000000232C000-memory.dmp  112KB
  memory/2208-135-0x0000000000400000-0x000000000059F000-memory.dmp  1.6MB
  memory/2208-140-0x0000000002330000-0x000000000234A000-memory.dmp  104KB
  memory/3884-157-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
  memory/3884-158-0x0000000000400000-0x0000000000407000-memory.dmp  28KB