Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/04/2023, 23:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
- Resource: win10v2004-20230220-en
General
- Target: 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
- Size: 351KB
- MD5: dd92fadb1366eeefbfad93998b731223
- SHA1: 4b14337001a0f7a861d93654c1b185932ba575aa
- SHA256: 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3
- SHA512: fcfa44082098f3dfdeb2ea0a54653d50f632f89e792a0edef58d2737dd17bb2bb2b4714bd03324421524c337d896dbf408cd0eeef7783ea9376705572d7be0c9
- SSDEEP: 6144:stN90xWixziSqsI3MuVXZcknsD04oxSQU/dXxi:stsxVQSqscMuM0vD3
Malware Config
- Extracted: smokeloader
  pub4
- Extracted: smokeloader
  2022
  http://aapu.at/tmp/
  http://poudineh.com/tmp/
  http://firsttrusteedrx.ru/tmp/
  http://kingpirate.ru/tmp/
- Extracted: rhadamanthys
  http://179.43.142.201/img/favicon.png
Signatures
Detect rhadamanthys stealer shellcode 4 IoCs
resource | yara_rule
behavioral1/memory/3088-173-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/3088-174-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/3088-176-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
behavioral1/memory/3088-183-0x0000000000880000-0x000000000089C000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Executes dropped EXE 1 IoCs
pid | Process
3088 | 82BD.exe
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4596 | 3088 | WerFault.exe | 92
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3040 | 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe (2 rows)
3152 | Process not Found (62 rows)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3152 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
3040 | 80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3152 | Process not Found
Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Token: SeShutdownPrivilege | 3152 | Process not Found
Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Token: SeShutdownPrivilege | 3152 | Process not Found
Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Token: SeShutdownPrivilege | 3152 | Process not Found
Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Token: SeShutdownPrivilege | 3152 | Process not Found
Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3152 wrote to memory of 3088 | 3152 | Process not Found | 92
PID 3152 wrote to memory of 3088 | 3152 | Process not Found | 92
PID 3152 wrote to memory of 3088 | 3152 | Process not Found | 92
PID 3088 wrote to memory of 2796 | 3088 | 82BD.exe | 93
PID 3088 wrote to memory of 2796 | 3088 | 82BD.exe | 93
PID 3088 wrote to memory of 2796 | 3088 | 82BD.exe | 93
PID 3088 wrote to memory of 2796 | 3088 | 82BD.exe | 93
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80c36406fe9a8324d37956f431da269a69b7a484de1da5f5a9bb443511000fb3.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3040
- C:\Users\Admin\AppData\Local\Temp\82BD.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\82BD.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3088
  - C:\Windows\system32\dllhost.exe
    Command line: "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID: 2796
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 704
    - Program crash
    PID: 4596
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3088 -ip 3088
  PID: 1552
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 423KB
  MD5: 8aa3b8f3bfe27c28a62d9cff03b9320e
  SHA1: 581cf8b925b2321b9a27f615787454d682942f07
  SHA256: 1fc88500422917840f534cba0275b2d13a9b78ec791e445b7c6e53fa88fc351d
  SHA512: 7ef7860c1e9c62c4d51bc54b7333e285cc031df36ee4e76d2223eec26acee2044cf8363cc0a44a022168da69e8cc988d8b76850c21c0c752cef8f9641134e540