Analysis

max time kernel: 151s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/04/2023, 01:20
Static task
static1
Behavioral task
behavioral1
Sample
5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
Resource
win10v2004-20230221-en
General

Target: 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
Size: 351KB
MD5: 125bd43136a2cd9a67bc303038d67c13
SHA1: 92a33b34af7a7d012120275cc4ce265e47984e04
SHA256: 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603
SHA512: dc747b3773892c33d9c89f0a1968e1642483b7155b385edb77e92a149d96ffdb1bc9c2c2919c1bba2de75f3eedc21dfa9037198681f9cab34e3c6453c2499686
SSDEEP: 3072:ufapCAa/zybPg1w0yOBg+c11Nc3tdZDKTJDfbudGAg7lGsQOdHNqhiUPI4pMsJcP:PpIyjKw8Vc1e64MkzwNqAUN9XhWOTi
Malware Config

Extracted: smokeloader
  pub4

Extracted: smokeloader
  2022
  URLs:
    http://aapu.at/tmp/
    http://poudineh.com/tmp/
    http://firsttrusteedrx.ru/tmp/
    http://kingpirate.ru/tmp/

Extracted: rhadamanthys
  URL:
    http://179.43.142.201/img/favicon.png
Signatures

Detect rhadamanthys stealer shellcode (3 IoCs)
resource | yara_rule
behavioral1/memory/4196-152-0x0000000000AA0000-0x0000000000ABC000-memory.dmp | family_rhadamanthys
behavioral1/memory/4196-154-0x0000000000AA0000-0x0000000000ABC000-memory.dmp | family_rhadamanthys
behavioral1/memory/4196-161-0x0000000000AA0000-0x0000000000ABC000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Executes dropped EXE (1 IoC)
pid | Process
4196 | 16C4.exe

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1420 | 4196 | WerFault.exe | 89

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1736 | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
1736 | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
3124 | Process not Found
(the remaining entries in the report are the same row: pid 3124, Process not Found)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3124 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1736 | 5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3124 | Process not Found
Token: SeCreatePagefilePrivilege | 3124 | Process not Found

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 3124 wrote to memory of 4196 | 3124 | Process not Found | 89
PID 3124 wrote to memory of 4196 | 3124 | Process not Found | 89
PID 3124 wrote to memory of 4196 | 3124 | Process not Found | 89
PID 4196 wrote to memory of 1268 | 4196 | 16C4.exe | 90
PID 4196 wrote to memory of 1268 | 4196 | 16C4.exe | 90
PID 4196 wrote to memory of 1268 | 4196 | 16C4.exe | 90
PID 4196 wrote to memory of 1268 | 4196 | 16C4.exe | 90
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f23eb72d5651967c1fc91f4dbcc8baf9383801d28ab0e463824d55108abd603.exe"
  PID: 1736
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\16C4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\16C4.exe
  PID: 4196
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\dllhost.exe
      Command line: "C:\Windows\system32\dllhost.exe"
      PID: 1268
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - outlook_office_path
      - outlook_win_path

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 712
      PID: 1420
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4196 -ip 4196
  PID: 3096
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 424KB
MD5: 275a529eb263287899c1524c3f27db6a
SHA1: f767a1bf6f2175a040e9066b4dc1675f7f5c77e8
SHA256: 31ee3c05d4163ff7d0682efca21c44fdbfb3c0a9dce58c665893b38ba9d16356
SHA512: e93f8594296915775e8789f7f297d57cc5e66f6f258f9c9aba134445b6def1461f990c7d6440c9bd3ceaeff1a26af39490c0aee6f50a850c24696ce6cc2ec154