Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/04/2023, 00:05
Static task: static1
Behavioral task: behavioral1
Sample: c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
Resource: win10v2004-20230220-en
General
Target: c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
Size: 346KB
MD5: 99d09bbf9eb3ea2864f7b540090ca89d
SHA1: d4901a3e1ef53bf27fa7e75d43421c3c9235976d
SHA256: c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0
SHA512: 34231eca74f3c6b18ce8334065adef3689f92f73fbfe6984e672c82a9c0e15253daf6dd07fb452148669decbd85023bf426abb876586c8cb5b53517bf89123ca
SSDEEP: 6144:Wo55tMv/wGVD4zOPSkOQIMhRpDkpvAnoYlc7Wjr5bbe4:WoPtopVD4zOKkHUvAnc7mlq4
Malware Config
Extracted: smokeloader
- pub4
Extracted: smokeloader
- 2022
- http://aapu.at/tmp/
- http://poudineh.com/tmp/
- http://firsttrusteedrx.ru/tmp/
- http://kingpirate.ru/tmp/
Extracted: rhadamanthys
- http://179.43.142.201/img/favicon.png
Signatures
Detect rhadamanthys stealer shellcode (4 IoCs)
resource | yara_rule
- behavioral1/memory/3692-151-0x0000000002450000-0x000000000246C000-memory.dmp | family_rhadamanthys
- behavioral1/memory/3692-152-0x0000000002450000-0x000000000246C000-memory.dmp | family_rhadamanthys
- behavioral1/memory/3692-154-0x0000000002450000-0x000000000246C000-memory.dmp | family_rhadamanthys
- behavioral1/memory/3692-161-0x0000000002450000-0x000000000246C000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE (1 IoCs)
pid | Process
- 3692 | 8879.exe
Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | dllhost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | dllhost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | dllhost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
- 1828 | 3692 | WerFault.exe | 91
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dllhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 4832 | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
- 4832 | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
- 3152 | Process not Found (this row is repeated for the remaining IoCs, 64 in total)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 3152 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
- 4832 | c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeShutdownPrivilege | 3152 | Process not Found
- Token: SeCreatePagefilePrivilege | 3152 | Process not Found
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
- PID 3152 wrote to memory of 3692 | 3152 | Process not Found | 91
- PID 3152 wrote to memory of 3692 | 3152 | Process not Found | 91
- PID 3152 wrote to memory of 3692 | 3152 | Process not Found | 91
- PID 3692 wrote to memory of 1912 | 3692 | 8879.exe | 92
- PID 3692 wrote to memory of 1912 | 3692 | 8879.exe | 92
- PID 3692 wrote to memory of 1912 | 3692 | 8879.exe | 92
- PID 3692 wrote to memory of 1912 | 3692 | 8879.exe | 92
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path (1 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe
outlook_win_path (1 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c65c78ca35a3edf7fc8d4150bb77c788651bad8c5a54888bd8d366f8ec8bdac0.exe"
  PID: 4832
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\8879.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\8879.exe
  PID: 3692
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dllhost.exe (child of 8879.exe)
    Command line: "C:\Windows\system32\dllhost.exe"
    PID: 1912
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (child of 8879.exe)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 732
    PID: 1828
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3692 -ip 3692
  PID: 4512
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 419KB
MD5: 9be26f22ab7153a54d77a4df6dad9090
SHA1: e28b37438f2e13af5ce2122348864a217086129f
SHA256: 4b10b47611967e2d3024eb451df1ca05451fa3e15d1970d6ee3fc09a64e0bc99
SHA512: 6d5fd51806e8569cc464d4ccf9bef77563b2fa411e75b9d6b4afddb07d35b415cd5605b45fa0e2166a2f838218e25dda65ef4032b207866d59195edbd8a387a0