rhadamanthys | f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

Resubmissions

05/04/2023, 07:25

230405-h87mfaed2x 10

04/04/2023, 22:20

230404-183btscc4v 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfgtbvh.exe
Size

237KB
MD5

51b3cddd75069bda9deb36fd539442e2
SHA1

a5183c20f329a3ea3726ce2c8300b0f2654ab531
SHA256

f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9
SHA512

50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c
SSDEEP

6144:DL3v+mWnRzxvqRYwqgft1rSVsMAdaV/BaW:D7v+myRtqRYRgX20di/F

Score

10^/10

rhadamanthys smokeloader pub4 backdoor collection stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral2/memory/4156-151-0x0000000002440000-0x000000000245C000-memory.dmp	family_rhadamanthys
behavioral2/memory/4156-152-0x0000000002440000-0x000000000245C000-memory.dmp	family_rhadamanthys
behavioral2/memory/4156-154-0x0000000002440000-0x000000000245C000-memory.dmp	family_rhadamanthys
behavioral2/memory/4156-164-0x0000000002440000-0x000000000245C000-memory.dmp	family_rhadamanthys
behavioral2/memory/4156-169-0x0000000002480000-0x000000000249C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4156	EC0A.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfgtbvh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfgtbvh.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cfgtbvh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	cfgtbvh.exe
3532	cfgtbvh.exe
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found
2780	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3532	cfgtbvh.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4156	2780	Process not Found	90
PID 2780 wrote to memory of 4156	2780	Process not Found	90
PID 2780 wrote to memory of 4156	2780	Process not Found	90
PID 4156 wrote to memory of 4760	4156	EC0A.exe	91
PID 4156 wrote to memory of 4760	4156	EC0A.exe	91
PID 4156 wrote to memory of 4760	4156	EC0A.exe	91
PID 4156 wrote to memory of 4760	4156	EC0A.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe
"C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3532

C:\Users\Admin\AppData\Local\Temp\EC0A.exe
C:\Users\Admin\AppData\Local\Temp\EC0A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\system32\dllhost.exe
  "C:\Windows\system32\dllhost.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EC0A.exe

Filesize
332KB

MD5
b0d324176fa2559bfeb2e8d6ce117d58

SHA1
8967469bcca172d5a15b9aeed141a3e970ba2abf

SHA256
39492cb6b44ab5111fc433cfb989e5dea977a23773660e2dede758746549454d

SHA512
9c3edbd5ed28ef054b70b2184fb659305cadb4150db04a9effb12774240e1a2b5c20c66e0b0fe3594a0890e3bc7573075d8f8850923d734b9eaa631c7836656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC0A.exe

Filesize
332KB

MD5
b0d324176fa2559bfeb2e8d6ce117d58

SHA1
8967469bcca172d5a15b9aeed141a3e970ba2abf

SHA256
39492cb6b44ab5111fc433cfb989e5dea977a23773660e2dede758746549454d

SHA512
9c3edbd5ed28ef054b70b2184fb659305cadb4150db04a9effb12774240e1a2b5c20c66e0b0fe3594a0890e3bc7573075d8f8850923d734b9eaa631c7836656c

Download Submit
memory/2780-135-0x0000000002C70000-0x0000000002C86000-memory.dmp

Filesize
88KB

Download
memory/3532-134-0x0000000002520000-0x0000000002529000-memory.dmp

Filesize
36KB

Download
memory/3532-136-0x0000000000400000-0x00000000007EF000-memory.dmp

Filesize
3.9MB

Download
memory/4156-147-0x0000000002410000-0x000000000243E000-memory.dmp

Filesize
184KB

Download
memory/4156-148-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4156-151-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/4156-152-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/4156-153-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/4156-154-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/4156-169-0x0000000002480000-0x000000000249C000-memory.dmp

Filesize
112KB

Download
memory/4156-163-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4156-156-0x0000000000960000-0x0000000000963000-memory.dmp

Filesize
12KB

Download
memory/4156-168-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4156-164-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/4760-157-0x0000016D231B0000-0x0000016D231B7000-memory.dmp

Filesize
28KB

Download
memory/4760-161-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-162-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-160-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-159-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-165-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-158-0x00007FF4E67E0000-0x00007FF4E68DA000-memory.dmp

Filesize
1000KB

Download
memory/4760-155-0x0000016D22EA0000-0x0000016D22EA1000-memory.dmp

Filesize
4KB

Download