Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2023, 04:25
Static task
static1
Behavioral task
behavioral1
Sample
a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe
Resource
win10v2004-20230221-en
General
-
Target
a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe
-
Size
351KB
-
MD5
ba811b8357bf79af703ed5a7c50f44e4
-
SHA1
1fbfa51ce0370b13a20d7b5c35f938a6b925da87
-
SHA256
a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426
-
SHA512
7b4997e42325308c81a5049a10a5aecde6455a11aee8224c05d03bdc0bf1436b3b99da3ff7df9e4b12dfc338735c45135e91b276a1b382f009b74c5b9a23c90e
-
SSDEEP
3072:caNCAkzztSfIBIOCkflzgG04b8chS66O7NPdrbuqx0w1AXqTHrZ9TwPOrK/42SvQ:XN++SZCcn04k+II0wkqTLZpXTi
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
rhadamanthys
http://179.43.142.201/img/favicon.png
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
resource yara_rule behavioral1/memory/832-186-0x0000000000990000-0x00000000009AC000-memory.dmp family_rhadamanthys behavioral1/memory/832-187-0x0000000000990000-0x00000000009AC000-memory.dmp family_rhadamanthys behavioral1/memory/832-189-0x0000000000990000-0x00000000009AC000-memory.dmp family_rhadamanthys behavioral1/memory/832-196-0x0000000000990000-0x00000000009AC000-memory.dmp family_rhadamanthys -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 832 2049.exe -
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 412 832 WerFault.exe 90 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dllhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dllhost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4356 a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe 4356 a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found 3244 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3244 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4356 a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found Token: SeShutdownPrivilege 3244 Process not Found Token: SeCreatePagefilePrivilege 3244 Process not Found -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3244 wrote to memory of 832 3244 Process not Found 90 PID 3244 wrote to memory of 832 3244 Process not Found 90 PID 3244 wrote to memory of 832 3244 Process not Found 90 PID 832 wrote to memory of 1756 832 2049.exe 91 PID 832 wrote to memory of 1756 832 2049.exe 91 PID 832 wrote to memory of 1756 832 2049.exe 91 PID 832 wrote to memory of 1756 832 2049.exe 91 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe"C:\Users\Admin\AppData\Local\Temp\a9353c9a335015483da3fa4f603006b11d3a56ef655919067fef8a1d62da1426.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4356
-
C:\Users\Admin\AppData\Local\Temp\2049.exeC:\Users\Admin\AppData\Local\Temp\2049.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:1756
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 7322⤵
- Program crash
PID:412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 832 -ip 8321⤵PID:4756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
423KB
MD5cb2ba6d4940dc8abede20595ac94b3ea
SHA1dbbc0e0723d92f12dce9a724624c36b40c545f0d
SHA256cbcfd42a6ec669bf0f770a837ea751aa342b21256c6186e19d9931d47ca1ffef
SHA51202702f91de518d5f318d01aba51faeac99bc4e94e7edf3dd978a55724eed24b12510c450860ef2b6610b648bbbc9741f97501814aa2861af44f80bf994a735b2
-
Filesize
423KB
MD5cb2ba6d4940dc8abede20595ac94b3ea
SHA1dbbc0e0723d92f12dce9a724624c36b40c545f0d
SHA256cbcfd42a6ec669bf0f770a837ea751aa342b21256c6186e19d9931d47ca1ffef
SHA51202702f91de518d5f318d01aba51faeac99bc4e94e7edf3dd978a55724eed24b12510c450860ef2b6610b648bbbc9741f97501814aa2861af44f80bf994a735b2