Malware Analysis Report

2025-08-10 12:29

Sample ID 230415-q2qdksfg6x
Target 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1
SHA256 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1
Tags
rhadamanthys smokeloader pub4 backdoor collection stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1

Threat Level: Known bad

The file 73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1 was found to be: Known bad.

Malicious Activity Summary

rhadamanthys smokeloader pub4 backdoor collection stealer trojan

Rhadamanthys

SmokeLoader

Detect rhadamanthys stealer shellcode

Downloads MZ/PE file

Executes dropped EXE

Accesses Microsoft Outlook profiles

Program crash

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_win_path

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-15 13:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-15 13:45

Reported

2023-04-15 13:48

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"

Signatures

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | N/A

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5D91.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A
(62 further rows with no recorded description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe
PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe
PID 1040 wrote to memory of 448 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe
PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe
PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe
PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe
PID 448 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\5D91.exe | C:\Windows\system32\dllhost.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe

"C:\Users\Admin\AppData\Local\Temp\73abcf36bebe7fe725dd0ac7b7dfafe13572b6dcc3f3e6ca8b9c1329b43648a1.exe"

C:\Users\Admin\AppData\Local\Temp\5D91.exe

C:\Users\Admin\AppData\Local\Temp\5D91.exe

C:\Windows\system32\dllhost.exe

"C:\Windows\system32\dllhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 636

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
DE | 162.19.139.184:2222 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | aapu.at | udp
MX | 189.239.21.113:80 | aapu.at | tcp
US | 20.189.173.6:443 | | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
US | 8.8.8.8:53 | 113.21.239.189.in-addr.arpa | udp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
IT | 179.43.155.247:80 | 179.43.155.247 | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
US | 8.8.8.8:53 | 247.155.43.179.in-addr.arpa | udp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
MX | 189.239.21.113:80 | aapu.at | tcp
PA | 179.43.142.201:80 | catalog.s.download.windowsupdate.com | tcp
US | 8.8.8.8:53 | 201.142.43.179.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
PA | 179.43.142.201:80 | 179.43.142.201 | tcp
NL | 173.223.113.164:443 | | tcp

Files

memory/4052-134-0x0000000000950000-0x0000000000959000-memory.dmp

memory/1040-135-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/4052-136-0x0000000000400000-0x00000000007FD000-memory.dmp

memory/1040-142-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-143-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-145-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-146-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-147-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-148-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-149-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-150-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-151-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-152-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-153-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-154-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-155-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-156-0x0000000007460000-0x0000000007470000-memory.dmp

memory/1040-158-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-160-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1040-161-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1040-159-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-157-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1040-162-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1040-163-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/1040-164-0x00000000074D0000-0x00000000074E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D91.exe

MD5 bc19b47e06fc27425839ca0346c78aef
SHA1 423a177b539878ce4edced3e207dcdb95b392427
SHA256 c90741a043ee54880a939009935f65d458437c3f25ef66d0388a1b8083aec99c
SHA512 56d7a24efcf34883cec2ae32625109c9e65e0396d21de0b5530d455b10e9942ae4cd06e77f2162622d29148ce3e925710362ab9c35ea26cce80e05655529874d

memory/448-170-0x0000000002400000-0x000000000242E000-memory.dmp

memory/448-171-0x0000000000400000-0x000000000080F000-memory.dmp

memory/448-174-0x0000000002430000-0x000000000244C000-memory.dmp

memory/448-175-0x0000000002430000-0x000000000244C000-memory.dmp

memory/448-176-0x0000000002450000-0x000000000246A000-memory.dmp

memory/448-177-0x0000000002430000-0x000000000244C000-memory.dmp

memory/2000-178-0x0000021135A40000-0x0000021135A41000-memory.dmp

memory/448-179-0x0000000002480000-0x0000000002482000-memory.dmp

memory/2000-180-0x0000021135D50000-0x0000021135D57000-memory.dmp

memory/2000-181-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/2000-182-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/448-183-0x0000000000400000-0x000000000080F000-memory.dmp

memory/448-184-0x0000000002430000-0x000000000244C000-memory.dmp

memory/2000-185-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/2000-186-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/2000-187-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/2000-188-0x00007FF4F9750000-0x00007FF4F984A000-memory.dmp

memory/1040-189-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-190-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-191-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-192-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-193-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-194-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-196-0x0000000008550000-0x0000000008552000-memory.dmp

memory/1040-197-0x0000000003250000-0x0000000003260000-memory.dmp

memory/1040-195-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-198-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-199-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-200-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-201-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-202-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-203-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-204-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-205-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-206-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-207-0x0000000003250000-0x0000000003259000-memory.dmp

memory/1040-208-0x0000000003250000-0x0000000003260000-memory.dmp

memory/1040-209-0x0000000008550000-0x0000000008552000-memory.dmp

memory/1040-210-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-211-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-212-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-213-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-214-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-215-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-216-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-217-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-218-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-219-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-220-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-221-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-222-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-223-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-224-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-225-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/1040-226-0x0000000002950000-0x0000000002952000-memory.dmp

memory/1040-227-0x00000000029B0000-0x00000000029C0000-memory.dmp

memory/1040-228-0x00000000029B0000-0x00000000029C0000-memory.dmp

memory/1040-229-0x00000000029B0000-0x00000000029C0000-memory.dmp