Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2023, 13:45
Static task
static1
Behavioral task
behavioral1
Sample
73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe
Resource
win10v2004-20230220-en
General
-
Target
73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe
-
Size
352KB
-
MD5
005a01ca85dd07925406bc75012374fc
-
SHA1
ea867e76596ca39b5f71d2c2e0ae64de75bd1b7d
-
SHA256
73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1
-
SHA512
fae49acb01c90cf855a79813e6e3ffc90434245cd2cb7b1f9a7d9a753241a025486dc637d99bb91faeaaef5b047eb486bf05ebf05f90f972e3349a341d06aa99
-
SSDEEP
6144:/2pCM5m2yZbIAot2b6lo8DfPr4jyduZVB7we4:/2Do2yFIAot2boo8jrIiUVB7t4
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Extracted
rhadamanthys
http://179.43.142.201/img/favicon.png
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
resource yara_rule behavioral1/memory/448-174-0x0000000002430000-0x000000000244C000-memory.dmp family_rhadamanthys behavioral1/memory/448-175-0x0000000002430000-0x000000000244C000-memory.dmp family_rhadamanthys behavioral1/memory/448-177-0x0000000002430000-0x000000000244C000-memory.dmp family_rhadamanthys behavioral1/memory/448-184-0x0000000002430000-0x000000000244C000-memory.dmp family_rhadamanthys -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 448 5D91.exe -
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook dllhost.exe Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4208 448 WerFault.exe 91 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dllhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dllhost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4052 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe 4052 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found 1040 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1040 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4052 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found Token: SeShutdownPrivilege 1040 Process not Found Token: SeCreatePagefilePrivilege 1040 Process not Found -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1040 wrote to memory of 448 1040 Process not Found 91 PID 1040 wrote to memory of 448 1040 Process not Found 91 PID 1040 wrote to memory of 448 1040 Process not Found 91 PID 448 wrote to memory of 2000 448 5D91.exe 92 PID 448 wrote to memory of 2000 448 5D91.exe 92 PID 448 wrote to memory of 2000 448 5D91.exe 92 PID 448 wrote to memory of 2000 448 5D91.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4052
-
C:\Users\Admin\AppData\Local\Temp\5D91.exeC:\Users\Admin\AppData\Local\Temp\5D91.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2000
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 6362⤵
- Program crash
PID:4208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 448 -ip 4481⤵PID:4432
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
424KB
MD5bc19b47e06fc27425839ca0346c78aef
SHA1423a177b539878ce4edced3e207dcdb95b392427
SHA256c90741a043ee54880a939009935f65d458437c3f25ef66d0388a1b8083aec99c
SHA51256d7a24efcf34883cec2ae32625109c9e65e0396d21de0b5530d455b10e9942ae4cd06e77f2162622d29148ce3e925710362ab9c35ea26cce80e05655529874d
-
Filesize
424KB
MD5bc19b47e06fc27425839ca0346c78aef
SHA1423a177b539878ce4edced3e207dcdb95b392427
SHA256c90741a043ee54880a939009935f65d458437c3f25ef66d0388a1b8083aec99c
SHA51256d7a24efcf34883cec2ae32625109c9e65e0396d21de0b5530d455b10e9942ae4cd06e77f2162622d29148ce3e925710362ab9c35ea26cce80e05655529874d