Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15/04/2023, 15:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe
  - Resource: win10-20230220-en
General
- Target: bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe
- Size: 351KB
- MD5: b3350a62587b816d7d408882f427baa2
- SHA1: 7a67223262176ed27a0ba583d4cf587404b8834e
- SHA256: bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c
- SHA512: a0b173757effeb3f545621240d30268dc5616a814bf9e1a917d7fc8769bca995f8132c806f96fdf580532c266e00e16ac69c5d9b156af28b8efc43b911d2fc58
- SSDEEP: 6144:WbUpCMVT5IqSAddRYX3aF4y6EfBzIZLU8we4:WoD15I9AdLYX3w4yDBMLU8t4
Malware Config
- Extracted: smokeloader
  - pub4
- Extracted: smokeloader
  - 2022
  - C2 URLs:
    - http://aapu.at/tmp/
    - http://poudineh.com/tmp/
    - http://firsttrusteedrx.ru/tmp/
    - http://kingpirate.ru/tmp/
- Extracted: rhadamanthys
  - C2 URL: http://179.43.142.201/img/favicon.png
Signatures
- Detect rhadamanthys stealer shellcode (4 IoCs)
  Memory dumps of PID 2672 matched by the family_rhadamanthys YARA rule; all four cover the same region 0x0000000000860000-0x000000000087C000 (0x1C000 bytes):
  - behavioral1/memory/2672-189-0x0000000000860000-0x000000000087C000-memory.dmp
  - behavioral1/memory/2672-190-0x0000000000860000-0x000000000087C000-memory.dmp
  - behavioral1/memory/2672-192-0x0000000000860000-0x000000000087C000-memory.dmp
  - behavioral1/memory/2672-201-0x0000000000860000-0x000000000087C000-memory.dmp
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  - PID 3176 (Process not Found)
- Executes dropped EXE (1 IoC)
  - PID 2672 BC2C.exe
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  All keys opened by dllhost.exe under \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft:
  - Key opened ...\Office\11.0\Outlook\Profiles\Outlook
  - Key opened ...\Office\12.0\Outlook\Profiles\Outlook
  - Key opened ...\Office\15.0\Outlook\Profiles\Outlook
  - Key opened ...\Office\16.0\Outlook\Profiles\Outlook
  - Key opened ...\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key opened ...\Office\10.0\Outlook\Profiles\Outlook
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe:
  - Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process dllhost.exe:
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
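As an added example, not part of this report or of the sandbox's own signature engine, the Python below classifies registry-access rows of the kind listed under the SCSI, processor-information and Outlook-profile signatures above, keeping the sandbox-evasion reads apart from the credential-store reads so a triage analyst sees both counts per process. The rows in SAMPLE_ROWS are constructed to mirror the report's row format (shortened process names sample.exe and dllhost.exe, plus one benign.exe row that matches no rule); the rule names, regexes and function names are this example's assumptions.

```python
"""Classify sandbox registry-access rows into evasion vs. credential-store reads.

Added example; the rules below are not the sandbox's signatures, and the
sample rows are constructed to match the report's row layout.
"""
import re
from collections import defaultdict

# (tag, regex over the registry path). The ControlSet number is left free
# because a sandbox reports ControlSet001 while a live host may expose
# CurrentControlSet; all patterns are matched case-insensitively.
RULES = [
    ("sandbox_evasion:scsi_enum",
     re.compile(r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI\b", re.I)),
    ("sandbox_evasion:cpu_name",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+"
                r"(?:\\ProcessorNameString)?$", re.I)),
    ("credential_access:outlook_office_profile",
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("credential_access:outlook_wms_profile",
     re.compile(r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)),
]

# Row layout: "<Key opened|Key enumerated|Key queried|Key value queried> <path> <process>".
# The path may contain spaces, so the process is taken as the last token.
ROW = re.compile(r"^(Key(?: value)? (?:opened|enumerated|queried))\s+(.*\S)\s+(\S+)$")

# Constructed rows mirroring the report's tables (process names shortened).
SAMPLE_ROWS = [
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sample.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sample.exe",
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sample.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dllhost.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dllhost.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook dllhost.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook dllhost.exe",
    # A read that matches no rule, to show that ordinary registry traffic is ignored.
    r"Key opened \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run benign.exe",
]


def parse_row(row):
    """Split one row into (operation, registry path, process name)."""
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return m.groups()


def classify(rows):
    """Return {process: {tag: hit_count}} for every row that matches a rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in rows:
        _op, path, proc = parse_row(row)
        for tag, pattern in RULES:
            if pattern.search(path):
                hits[proc][tag] += 1
    return {proc: dict(tags) for proc, tags in hits.items()}


def summarise(rows):
    """Collapse tags into per-process evasion and credential-read counts."""
    out = {}
    for proc, tags in classify(rows).items():
        out[proc] = {
            "evasion_reads": sum(n for t, n in tags.items() if t.startswith("sandbox_evasion")),
            "credential_reads": sum(n for t, n in tags.items() if t.startswith("credential_access")),
        }
    return out


if __name__ == "__main__":
    for proc, counts in summarise(SAMPLE_ROWS).items():
        print(proc, counts)
```

Running it on the constructed rows reports sample.exe with three evasion reads and none against credential stores, and dllhost.exe with two evasion reads plus two Outlook-profile reads, which is the same split the report's signatures draw between the dropper and the injected dllhost.exe.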
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4064 bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe (2 rows)
  - PID 3176 Process not Found (all remaining rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3176 Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  - PID 4064 bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  - PID 3176 (Process not Found) adjusted SeShutdownPrivilege and SeCreatePagefilePrivilege alternately, 8 rows each
- Suspicious use of WriteProcessMemory (7 IoCs)
  Columns: source PID, target PID, source process, procid_target.
  - PID 3176 (Process not Found) wrote to memory of PID 2672, procid_target 66: 3 rows
  - PID 2672 (BC2C.exe) wrote to memory of PID 3964, procid_target 67: 4 rows
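Added example, not taken from the report: reconstructing the cross-process write chain from rows in the layout of the WriteProcessMemory signature above. SAMPLE_ROWS holds the seven rows of that signature (same PIDs, source images and procid_target values, copied into the sandbox's row format); the column interpretation follows the header description/pid/Process/procid_target, the image name for PID 3964 is supplied from the process tree below rather than from these rows, and the function names are this example's own.

```python
"""Rebuild process-injection chains from sandbox WriteProcessMemory rows.

Added example; not the sandbox's code. Rows are in the sandbox's row layout:
"PID <src> wrote to memory of <dst> <src> <src image> <procid_target>".
"""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")

# The seven rows of the WriteProcessMemory signature, in the report's layout.
SAMPLE_ROWS = [
    "PID 3176 wrote to memory of 2672 3176 Process not Found 66",
    "PID 3176 wrote to memory of 2672 3176 Process not Found 66",
    "PID 3176 wrote to memory of 2672 3176 Process not Found 66",
    "PID 2672 wrote to memory of 3964 2672 BC2C.exe 67",
    "PID 2672 wrote to memory of 3964 2672 BC2C.exe 67",
    "PID 2672 wrote to memory of 3964 2672 BC2C.exe 67",
    "PID 2672 wrote to memory of 3964 2672 BC2C.exe 67",
]


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, procid_target) per row."""
    out = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, image, target = m.groups()
        out.append((int(src), int(dst), image, int(target)))
    return out


def write_graph(rows):
    """Collapse repeated rows into {(src, dst): count}. Several rows for one
    pair are usually one multi-step write into the same target, so they are
    counted rather than treated as separate incidents."""
    counts = defaultdict(int)
    for src, dst, _image, _target in parse_rows(rows):
        counts[(src, dst)] += 1
    return dict(counts)


def images(rows):
    """Map each writer PID to the image name the sandbox reported for it.
    'Process not Found' means the sandbox could not resolve the writer's
    image, which leaves the parent of the dropped EXE unidentified."""
    seen = {}
    for src, _dst, image, _target in parse_rows(rows):
        seen.setdefault(src, image)
    return seen


def unresolved_writers(rows):
    """PIDs that wrote into other processes but have no resolved image."""
    return sorted(pid for pid, img in images(rows).items() if img == "Process not Found")


def chains(rows):
    """Follow src->dst edges from every root (a PID nobody wrote into) and
    return each ordered chain of PIDs; cycles in malformed data are cut."""
    edges = defaultdict(set)
    targets = set()
    for src, dst, _image, _target in parse_rows(rows):
        edges[src].add(dst)
        targets.add(dst)
    result = []

    def walk(pid, path):
        if pid in path:
            result.append(path)
            return
        path = path + [pid]
        if not edges.get(pid):
            result.append(path)
            return
        for nxt in sorted(edges[pid]):
            walk(nxt, path)

    for root in sorted(set(edges) - targets):
        walk(root, [])
    return result


def describe(rows, extra_images=None):
    """Render chains as 'pid (image) -> ...', using extra_images for PIDs that
    only appear as targets (their image is not in the write rows)."""
    names = {**images(rows), **(extra_images or {})}
    return [" -> ".join(f"{pid} ({names.get(pid, 'unknown')})" for pid in chain)
            for chain in chains(rows)]


if __name__ == "__main__":
    for line in describe(SAMPLE_ROWS, {3964: "dllhost.exe"}):
        print(line)
```

On the report's rows this yields a single chain, 3176 (Process not Found) -> 2672 (BC2C.exe) -> 3964 (dllhost.exe), and flags 3176 as an unresolved writer; the dllhost.exe at the end of that chain is the process the other signatures show reading Outlook profiles and the processor name.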
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoC)
  - Key opened \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook by dllhost.exe
- outlook_win_path (1 IoC)
  - Key opened \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe (PID 4064), command line "C:\Users\Admin\AppData\Local\Temp\bc2c568621d5070ae1b3e42ec8a2f91a7433fea2ccf2cd3524b756ae9b9ad48c.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\BC2C.exe (PID 2672), command line C:\Users\Admin\AppData\Local\Temp\BC2C.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dllhost.exe (PID 3964, child of BC2C.exe), command line "C:\Windows\system32\dllhost.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
Downloads
- Filesize: 424KB
  - MD5: be0ef2a8aa27379c64c67ada3d5a1773
  - SHA1: ea4b5852c0df0022e33fe82bc350a3e4b8ce94bb
  - SHA256: e0e712f91cb159997cc85b98b14078b1344bc591a56edab6464e54bff9f8324f
  - SHA512: a692e4fbb5f77b3a9235c861478ee199c4c347083b3ee1297279d66bce8873f114c11b3ee91e9b66aa806997d075848a0179d67361727aaa80fc452c3772febd