Analysis Overview
SHA256
73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1
Threat Level: Known bad
The file 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1 was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
SmokeLoader
Detect rhadamanthys stealer shellcode
Downloads MZ/PE file
Executes dropped EXE
Accesses Microsoft Outlook profiles
Program crash
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_win_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-15 13:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-15 13:45
Reported
2023-04-15 13:48
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5D91.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A |
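The three registry tables above (Outlook profile keys walked by dllhost.exe, the SCSI enumeration by the sample, the CentralProcessor query) are the kind of events a triage script should tag rather than a human should read one by one. The following is an added example written for this page, not code from the sandbox or from either malware family: it replays the report's registry rows and tags each access. The rule set, the tag names and the list of processes for which each access is considered expected (only outlook.exe for mail profiles) are this example's assumptions.

```python
# Added example, not part of the sandbox report: triage the registry events listed above
# by tagging what each key access is for and which process performed it.
import re
from collections import defaultdict

# Events constructed from the report's tables: (action, key, process).
SID = r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"
DLLHOST = r"C:\Windows\system32\dllhost.exe"
EVENTS = [
    ("Key opened", SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook", DLLHOST),
] + [
    ("Key opened", SID + r"\Software\Microsoft\Office\{}\Outlook\Profiles\Outlook".format(v), DLLHOST)
    for v in ("10.0", "11.0", "12.0", "15.0", "16.0")
] + [
    (action, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", SAMPLE)
    for action in ("Key opened", "Key queried", "Key enumerated")
] + [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", DLLHOST),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", DLLHOST),
]

# tag -> (key pattern, process names for which the access is expected and therefore not
# reported). The patterns and expected-process sets are this example's assumptions.
RULES = {
    "outlook-profile-access": (
        re.compile(r"\\(Office\\(?P<ver>\d+\.\d+)\\Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\", re.I),
        {"outlook.exe"},
    ),
    # Enum\SCSI holds disk identifiers; enumerating it is a common check for VM disk vendor strings.
    "scsi-enum-fingerprint": (re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI", re.I), set()),
    "cpu-fingerprint": (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), set()),
}


def triage(events):
    """Return one finding per matched event: (tag, process name, action, key)."""
    findings = []
    for action, key, proc in events:
        proc_name = proc.rsplit("\\", 1)[-1].lower()
        for tag, (pattern, expected) in RULES.items():
            if pattern.search(key) and proc_name not in expected:
                findings.append((tag, proc_name, action, key))
    return findings


def tags_by_process(findings):
    """Which behaviours each process showed, so the analyst sees dllhost.exe acting as the stealer."""
    out = defaultdict(set)
    for tag, proc_name, _, _ in findings:
        out[proc_name].add(tag)
    return dict(out)


def office_versions_probed(findings, proc_name):
    """Distinct Office version keys one process walked. A sweep over several versions is the
    stealer pattern (it does not know which Outlook is installed); a real client opens one."""
    pattern = RULES["outlook-profile-access"][0]
    versions = set()
    for tag, p, _, key in findings:
        if tag == "outlook-profile-access" and p == proc_name:
            m = pattern.search(key)
            if m and m.group("ver"):
                versions.add(m.group("ver"))
    return sorted(versions, key=float)


if __name__ == "__main__":
    found = triage(EVENTS)
    for proc_name, tags in sorted(tags_by_process(found).items()):
        print(proc_name, sorted(tags))
    print("Office versions probed by dllhost.exe:", office_versions_probed(found, "dllhost.exe"))
```

The version sweep (10.0 through 16.0 in one burst) is the detail worth keeping in a detection: a genuine Outlook process reads the profile key of the version that is installed, while the stealer opens every version it knows about because it has no idea which one is present.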
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
| N/A | N/A | N/A | N/A |
(62 further matches of this signature with no description, indicator, process or target recorded)
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe |
| PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe |
| PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe |
| PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe |
| PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe |
| PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe |
| PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe |
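The WriteProcessMemory rows above describe a two-hop injection: an unnamed PID 1040 writes into the dropped 5D91.exe (PID 448), which in turn writes into a freshly started dllhost.exe (PID 2000), the process that then performs the Outlook profile reads. The following is an added example, not code from the sandbox or the report: it rebuilds that chain from the table rows and flags the two writes for different reasons. The row data is constructed from the table (the report leaves the image of PID 1040 unnamed, so it stays unnamed here), and the path heuristics used to decide what counts as a Windows binary or a user-writable location are this example's assumptions.

```python
# Added example, not part of the sandbox report: rebuild the injection chain from the
# "Suspicious use of WriteProcessMemory" rows and flag the cross-boundary writes.
import re
from collections import defaultdict

# Rows constructed from the report's table: (description, writing image, target image).
# The report does not name the image of PID 1040, so it is None here.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\5D91.exe"
DLLHOST = r"C:\Windows\system32\dllhost.exe"
WPM_ROWS = (
    [("PID 1040 wrote to memory of 448", None, TEMP_EXE)] * 3
    + [("PID 448 wrote to memory of 2000", TEMP_EXE, DLLHOST)] * 4
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """Collapse repeated rows into one edge per (writer PID, target PID) with a write count."""
    edges = {}
    for desc, src_img, dst_img in rows:
        m = ROW_RE.fullmatch(desc.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"writes": 0, "src_image": src_img, "dst_image": dst_img})
        edge["writes"] += 1
    return edges


def injection_chains(edges):
    """Follow writer -> target edges from every root PID down to a leaf; each path is one chain."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    roots = {src for src, _ in edges} - {dst for _, dst in edges}
    chains = []

    def walk(pid, path, seen):
        # Stop at a leaf, or on a cycle (not expected in sandbox data, but keeps the walk finite).
        if pid in seen or not succ.get(pid):
            chains.append(path)
            return
        for nxt in succ[pid]:
            walk(nxt, path + [nxt], seen | {pid})

    for root in sorted(roots):
        walk(root, [root], set())
    return chains


def _is_windows_binary(path):
    # Assumption for this example: anything under C:\Windows\ counts as a trusted host image.
    return path is not None and path.lower().startswith("c:\\windows\\")


def _is_user_writable(path):
    # Assumption for this example: user profile, AppData and Temp are user-writable locations.
    low = (path or "").lower()
    return "\\appdata\\" in low or "\\temp\\" in low or low.startswith("c:\\users\\")


def flag_edges(edges):
    """Reasons a write is worth a detection: a non-Windows image writing into a Windows
    binary (injection into a trusted host), or any process writing into an executable that
    lives in a user-writable directory (hollowing a freshly dropped EXE)."""
    findings = {}
    for key, edge in edges.items():
        reasons = []
        src, dst = edge["src_image"], edge["dst_image"]
        if _is_windows_binary(dst) and not _is_windows_binary(src):
            reasons.append("inject-into-windows-binary")
        if _is_user_writable(dst):
            reasons.append("write-into-user-writable-exe")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    for chain in injection_chains(edges):
        print(" -> ".join(str(pid) for pid in chain))
    for key, reasons in sorted(flag_edges(edges).items()):
        print(key, edges[key]["writes"], "writes:", ", ".join(reasons))
```

The second hop is the one to alert on in production telemetry: a binary in %TEMP% opening a handle to a signed Windows process and writing into it shortly after that process started, followed by that process touching mail profile keys, is a far more specific chain than any single WriteProcessMemory call.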
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe
"C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"
C:\Users\Admin\AppData\Local\Temp\5D91.exe
C:\Users\Admin\AppData\Local\Temp\5D91.exe
C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 448 -ip 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 162.19.139.184:2222 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aapu.at | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp |
| US | 20.189.173.6:443 | | tcp |
| MX | 189.239.21.113:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 113.21.239.189.in-addr.arpa | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp (8 consecutive connections) |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp (5 consecutive connections) |
| IT | 179.43.155.247:80 | 179.43.155.247 | tcp |
| MX | 189.239.21.113:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 247.155.43.179.in-addr.arpa | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp (15 consecutive connections) |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp (3 consecutive connections) |
| PA | 179.43.142.201:80 | catalog.s.download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | 201.142.43.179.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| PA | 179.43.142.201:80 | 179.43.142.201 | tcp |
| NL | 173.223.113.164:443 | | tcp |
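Most of the UDP rows in the Network table are the sandbox resolving in-addr.arpa names for the addresses it saw, not sample traffic, and several rows have no hostname at all. The following is an added example, not code from the sandbox or the report: it parses a constructed subset of the table (including rows with no Domain value, in both the aligned and the column-shifted form an extractor can produce), strips the resolver's PTR lookups, decodes them back to the addresses they describe, and counts the sample's own connections per destination. The resolver address and the treatment of a Domain cell that merely repeats the IP are this example's assumptions.

```python
# Added example, not part of the sandbox report: turn the Network table into a list of
# indicators, separating the sandbox's own reverse-DNS lookups from the sample's traffic.
from collections import Counter

# Rows constructed from the report's table. Two rows are left in the column-shifted form
# (protocol in the Domain cell) that the original extraction produced for empty domains.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 162.19.139.184:2222 | tcp | |
| US | 8.8.8.8:53 | aapu.at | udp |
| MX | 189.239.21.113:80 | aapu.at | tcp |
| MX | 189.239.21.113:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 113.21.239.189.in-addr.arpa | udp |
| IT | 179.43.155.247:80 | 179.43.155.247 | tcp |
| US | 8.8.8.8:53 | 247.155.43.179.in-addr.arpa | udp |
| PA | 179.43.142.201:80 | catalog.s.download.windowsupdate.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | tcp |
""".strip().splitlines()

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS forwarder in this report


def parse_row(line):
    """Return (country, dest, domain, proto); tolerate rows whose Domain cell is missing."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) >= 3 and cells[2] in ("tcp", "udp"):
        cells = [cells[0], cells[1], "", cells[2]]  # protocol slid into the Domain column
    country, dest, domain, proto = cells[:4]
    if domain == dest.rsplit(":", 1)[0]:  # a "domain" that is just the IP carries no name
        domain = ""
    return country, dest, domain, proto


def ptr_to_ip(name):
    """Decode a reverse-DNS name: 113.21.239.189.in-addr.arpa -> 189.239.21.113."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(lines):
    """Split the table into sandbox PTR noise, names the sample resolved, and its connections."""
    ptr_lookups, resolved, connections = set(), set(), Counter()
    for line in lines:
        if not line.strip().startswith("|"):
            continue
        _, dest, domain, proto = parse_row(line)
        if ":" not in dest:  # header row
            continue
        if dest == RESOLVER and proto == "udp":
            if domain.endswith(".in-addr.arpa"):
                ptr_lookups.add(ptr_to_ip(domain))  # the sandbox labelling IPs it saw, not C2
            elif domain:
                resolved.add(domain)
        else:
            connections[(dest, domain)] += 1
    return {"ptr_lookups": ptr_lookups, "resolved": resolved, "connections": connections}


def unlabelled_endpoints(iocs):
    """Connections with no hostname: direct-to-IP traffic that can only be blocked by address."""
    return sorted(dest for (dest, domain) in iocs["connections"] if not domain)


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print("names resolved by the sample:", sorted(iocs["resolved"]))
    for (dest, domain), n in iocs["connections"].most_common():
        print(f"{n:3d}  {dest:24s} {domain}")
    print("direct-to-IP endpoints:", unlabelled_endpoints(iocs))
    print("addresses the sandbox reverse-resolved:", sorted(iocs["ptr_lookups"]))
```

Run over the full table the same way, the hostname aapu.at with its single address on port 80 is the repeated contact, while 162.19.139.184:2222 and 179.43.155.247:80 are reached without any name resolution and go straight onto a block list by address.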
Files
memory/4052-134-0x0000000000950000-0x0000000000959000-memory.dmp
memory/1040-135-0x0000000000E80000-0x0000000000E96000-memory.dmp
memory/4052-136-0x0000000000400000-0x00000000007FD000-memory.dmp
memory/1040-142-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-143-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-145-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-146-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-147-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-148-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-149-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-150-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-151-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-152-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-153-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-154-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-155-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-156-0x0000000007460000-0x0000000007470000-memory.dmp
memory/1040-158-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-160-0x00000000074D0000-0x00000000074E0000-memory.dmp
memory/1040-161-0x00000000074D0000-0x00000000074E0000-memory.dmp
memory/1040-159-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-157-0x00000000074D0000-0x00000000074E0000-memory.dmp
memory/1040-162-0x00000000074D0000-0x00000000074E0000-memory.dmp
memory/1040-163-0x00000000074D0000-0x00000000074E0000-memory.dmp
memory/1040-164-0x00000000074D0000-0x00000000074E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5D91.exe
| MD5 | bc19b47e06fc27425839ca0346c78aef |
| SHA1 | 423a177b539878ce4edced3e207dcdb95b392427 |
| SHA256 | c90741a043ee54880a939009935f65d458437c3f25ef66d0388a1b8083aec99c |
| SHA512 | 56d7a24efcf34883cec2ae32625109c9e65e0396d21de0b5530d455b10e9942ae4cd06e77f2162622d29148ce3e925710362ab9c35ea26cce80e05655529874d |
memory/448-170-0x0000000002400000-0x000000000242E000-memory.dmp
memory/448-171-0x0000000000400000-0x000000000080F000-memory.dmp
memory/448-174-0x0000000002430000-0x000000000244C000-memory.dmp
memory/448-175-0x0000000002430000-0x000000000244C000-memory.dmp
memory/448-176-0x0000000002450000-0x000000000246A000-memory.dmp
memory/448-177-0x0000000002430000-0x000000000244C000-memory.dmp
memory/2000-178-0x0000021135A40000-0x0000021135A41000-memory.dmp
memory/448-179-0x0000000002480000-0x0000000002482000-memory.dmp
memory/2000-180-0x0000021135D50000-0x0000021135D57000-memory.dmp
memory/2000-181-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/2000-182-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/448-183-0x0000000000400000-0x000000000080F000-memory.dmp
memory/448-184-0x0000000002430000-0x000000000244C000-memory.dmp
memory/2000-185-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/2000-186-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/2000-187-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/2000-188-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp
memory/1040-189-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-190-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-191-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-192-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-193-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-194-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-196-0x0000000008550000-0x0000000008552000-memory.dmp
memory/1040-197-0x0000000003250000-0x0000000003260000-memory.dmp
memory/1040-195-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-198-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-199-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-200-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-201-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-202-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-203-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-204-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-205-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-206-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-207-0x0000000003250000-0x0000000003259000-memory.dmp
memory/1040-208-0x0000000003250000-0x0000000003260000-memory.dmp
memory/1040-209-0x0000000008550000-0x0000000008552000-memory.dmp
memory/1040-210-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-211-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-212-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-213-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-214-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-215-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-216-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-217-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-218-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-219-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-220-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-221-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-222-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-223-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-224-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-225-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1040-226-0x0000000002950000-0x0000000002952000-memory.dmp
memory/1040-227-0x00000000029B0000-0x00000000029C0000-memory.dmp
memory/1040-228-0x00000000029B0000-0x00000000029C0000-memory.dmp
memory/1040-229-0x00000000029B0000-0x00000000029C0000-memory.dmp