Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
14/04/2023, 23:10
Static task
static1
Behavioral task
behavioral1
Sample
1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe
Resource
win10-20230220-en
General
-
Target
1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe
-
Size
423KB
-
MD5
8aa3b8f3bfe27c28a62d9cff03b9320e
-
SHA1
581cf8b925b2321b9a27f615787454d682942f07
-
SHA256
1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d
-
SHA512
7ef7860c1e9c62c4d51bc54b7333e285cc031df36ee4e76d2223eec26acee2044cf8363cc0a44a022168da69e8cc988d8b76850c21c0c752cef8f9641134e540
-
SSDEEP
6144:7wNxDechb6OnPlIFtpMt65h/P+FdD6qYfOcXApVUIxCWxi:7wXeIpnPlStph1PMD6PXDn
Malware Config
Extracted
rhadamanthys
http://179.43.142.201/img/favicon.png
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
resource yara_rule behavioral1/memory/3640-124-0x0000000000AB0000-0x0000000000ACC000-memory.dmp family_rhadamanthys behavioral1/memory/3640-125-0x0000000000AB0000-0x0000000000ACC000-memory.dmp family_rhadamanthys behavioral1/memory/3640-127-0x0000000000AB0000-0x0000000000ACC000-memory.dmp family_rhadamanthys behavioral1/memory/3640-136-0x0000000000AB0000-0x0000000000ACC000-memory.dmp family_rhadamanthys -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook dllhost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dllhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dllhost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 4640 dllhost.exe 4640 dllhost.exe 4640 dllhost.exe 4640 dllhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3640 wrote to memory of 4640 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 66 PID 3640 wrote to memory of 4640 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 66 PID 3640 wrote to memory of 4640 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 66 PID 3640 wrote to memory of 4640 3640 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe 66 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe"C:\Users\Admin\AppData\Local\Temp\1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4640
-