Analysis
  max time kernel:   131s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         27-03-2023 18:40

Tasks
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
  Resource:         win10v2004-20230220-en
General
  Target:  4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
  Size:    328KB
  MD5:     aee31f8b7afa6a4bbf9f7a7473e638d3
  SHA1:    801ffca9b94ae2740abf307cea114abc106aaa56
  SHA256:  4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895
  SHA512:  f4bd2d45740e796a398bd8b4cb4e7492820d645270531f497f3167800f8c042bcc7f43b9992bb11939669da9f02c4b0d5dcb4200b09b64f0b9602dba7bf6d43a
  SSDEEP:  6144:2laWWuXL1Od/qAQSsldolm8ctEUOJVqdA5pujRw:YpXZOxqAQSsldz8cRO3t5Sm
Malware Config
Signatures

- Detect rhadamanthys stealer shellcode (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/4884-138-0x0000000002340000-0x000000000235C000-memory.dmp | family_rhadamanthys
    behavioral1/memory/4884-140-0x0000000002340000-0x000000000235C000-memory.dmp | family_rhadamanthys
    behavioral1/memory/4884-143-0x0000000002340000-0x000000000235C000-memory.dmp | family_rhadamanthys
    behavioral1/memory/4884-151-0x0000000002340000-0x000000000235C000-memory.dmp | family_rhadamanthys

- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.

- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  Processes: dllhost.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes: 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    pid | process
    4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    4540 | 4884 | WerFault.exe | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dllhost.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe, dllhost.exe
    pid | process
    4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    2616 | dllhost.exe
    2616 | dllhost.exe
    2616 | dllhost.exe
    2616 | dllhost.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
    description | pid | process | target process
    PID 4884 wrote to memory of 2616 | 4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe | dllhost.exe
    PID 4884 wrote to memory of 2616 | 4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe | dllhost.exe
    PID 4884 wrote to memory of 2616 | 4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe | dllhost.exe
    PID 4884 wrote to memory of 2616 | 4884 | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe | dllhost.exe

- outlook_office_path (1 IoCs)
  Processes: dllhost.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

- outlook_win_path (1 IoCs)
  Processes: dllhost.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\dllhost.exe  (depth 2)
    Command line: "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path

  - C:\Windows\SysWOW64\WerFault.exe  (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 700
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4884 -ip 4884
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  memory dump | filesize
  memory/2616-149-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-154-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-146-0x0000025CED050000-0x0000025CED057000-memory.dmp | 28KB
  memory/2616-147-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-153-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-152-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-148-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp | 1000KB
  memory/2616-144-0x0000025CECD40000-0x0000025CECD41000-memory.dmp | 4KB
  memory/4884-138-0x0000000002340000-0x000000000235C000-memory.dmp | 112KB
  memory/4884-135-0x0000000000400000-0x0000000000714000-memory.dmp | 3.1MB
  memory/4884-140-0x0000000002340000-0x000000000235C000-memory.dmp | 112KB
  memory/4884-143-0x0000000002340000-0x000000000235C000-memory.dmp | 112KB
  memory/4884-134-0x0000000002310000-0x000000000233E000-memory.dmp | 184KB
  memory/4884-150-0x0000000000400000-0x0000000000714000-memory.dmp | 3.1MB
  memory/4884-151-0x0000000002340000-0x000000000235C000-memory.dmp | 112KB
  memory/4884-142-0x0000000002370000-0x000000000238A000-memory.dmp | 104KB
  memory/4884-141-0x0000000002370000-0x000000000238A000-memory.dmp | 104KB
  memory/4884-145-0x0000000002370000-0x000000000238A000-memory.dmp | 104KB