Overview

overview

10

Static

static

3

rh_0.4.9.exe

windows10-1703-x64

10

Resubmissions

27-11-2024 10:03

241127-l3hmxaypaw 10

01-08-2024 15:54

240801-tcb2fasenh 10

18-07-2023 20:01

230718-yrm5gaec6v 10

Analysis

  • max time kernel
    34s
  • max time network
    34s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-07-2023 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rh_0.4.9.exe

  • Size

    456KB

  • MD5

    cf4914d021c5a5378428d6f5d3b1c57b

  • SHA1

    2dc95dc667cf4c49f78b4b8033cec85d889fd069

  • SHA256

    f0f70c6ba7dcb338794ee0034250f5f98fc6bddea0922495af863421baf4735f

  • SHA512

    c07408df7b0bb3f5f57482d9d93b79654e1eb1cb5e938c1e814b25ca6bdf5729c5de85c85b4e91116c38ba875b4611372f6452d1d2ad1e3f2be59b62009fae43

  • SSDEEP

    6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+n:2uWP/BZUyoLu8Agsmxwrvejkd2

Score
10/10
rhadamanthyscollectionstealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 5 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes itself 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3208
      • C:\Users\Admin\AppData\Local\Temp\rh_0.4.9.exe
        "C:\Users\Admin\AppData\Local\Temp\rh_0.4.9.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3256
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
        • Deletes itself
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:5048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          3⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4120
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.0.689753283\520239725" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1716 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c52a929-515c-44f2-b9d6-7338a2dc854f} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 1820 1ff73bccb58 gpu
            4⤵
              PID:4760
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.1.2143808087\42691355" -parentBuildID 20221007134813 -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e65963a-e71f-4d6a-b1d4-e137cbdb1b07} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 2176 1ff618e2158 socket
              4⤵
              • Checks processor information in registry
              PID:3528
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.2.1235807846\2014738938" -childID 1 -isForBrowser -prefsHandle 2736 -prefMapHandle 2856 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ee60255-45ab-49eb-945e-bc6377a8627c} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 2720 1ff77eb6858 tab
              4⤵
                PID:4984
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.3.903289431\137009322" -childID 2 -isForBrowser -prefsHandle 3124 -prefMapHandle 3220 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43bb3a4e-5dc5-4d52-9dce-dadb6b2d81a2} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 3120 1ff61868158 tab
                4⤵
                  PID:4916
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.4.199765794\345783918" -childID 3 -isForBrowser -prefsHandle 4536 -prefMapHandle 4532 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {587d4e6c-a8b1-487b-96d7-72cfc745630a} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 4548 1ff77e35858 tab
                  4⤵
                    PID:3120
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.5.2136971168\1361027965" -childID 4 -isForBrowser -prefsHandle 4884 -prefMapHandle 1604 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1d0d9a-0d79-46e5-b913-c9ce4afb5331} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 3124 1ff7a370858 tab
                    4⤵
                      PID:2524
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.7.1743557242\670699742" -childID 6 -isForBrowser -prefsHandle 5128 -prefMapHandle 5044 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f64ac3b5-a36e-4fac-9045-4360ee4dae4a} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 5232 1ff7a36e458 tab
                      4⤵
                        PID:2736
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4120.6.370630121\545008386" -childID 5 -isForBrowser -prefsHandle 4956 -prefMapHandle 4980 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02371f76-b782-43ae-aae0-7f51b83dba18} 4120 "\\.\pipe\gecko-crash-server-pipe.4120" 5044 1ff7a36e758 tab
                        4⤵
                          PID:2528

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    135KB

                    MD5

                    49b99e1bbaea33e7cb683cb3fa927062

                    SHA1

                    ce4b8292cf5d9674c42b1f8f0e48405607fa2d2e

                    SHA256

                    51c0816e63358383bc39e5ae8ed053951c832322a1c77edbf75a2feb4717bb1f

                    SHA512

                    efc18ce049cf6136a95c785f178ac2b5836217882e517c4d38e658f487bb7e1671097ca0fedd4bd2b8303c8df657b120fb5285b7e300b1c69c9793cf964dd7bc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    e3249bb1375634316e5ad71c3cbe70c8

                    SHA1

                    6df5a6cbe248cf369732e2aacbffbec43a6446f8

                    SHA256

                    4cadffc784a4f69ffb0fd35f45030221e25a28bc37d9c0b2e1d017fd7d293ab0

                    SHA512

                    9ccf638787f17636c67ee230b23475d48d9bd0d733cc46d58a8f5309e9c877439abefbeed060c1999b1b74c6bbb16b6bfc141724e8807324c13e4783e4139e63

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    1KB

                    MD5

                    2f9c041ac69eccf8338b5395a7d90034

                    SHA1

                    e7cde3b7ade40b870474ced8da7af3bf60906e96

                    SHA256

                    0184290124eb436c4ee025c892fca60b26534003d0c7adf8de0bb6e1b22a169a

                    SHA512

                    1c582d96c8f5abb7169fd7bcef48170b2a38c79903ace1538757d58c828c00da1f143618687c6a36867726c6e4e7aa5169b927d73e9fddfd872ae3de8fd3a917

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore.jsonlz4
                    Filesize

                    892B

                    MD5

                    12c3d8a4c752dbf70ef815d6ec6d46d9

                    SHA1

                    7c74ca1f7ad9eee8e68415c0ea8fb526723656b4

                    SHA256

                    8717fe42bcc83e35afc57f9ba1c7ca017781700bdaf43f60841b02e7013d8f4d

                    SHA512

                    88780b08f32170846a0e158aae6a1110ab3d4c4d08b7cf26c2d824f04925b32af13eac246c44273ebeadb3c6752a5034daa57e733991b658475f0109f3eac7da

                    Download Submit

                  • memory/3256-120-0x0000000002070000-0x0000000002077000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/3256-122-0x0000000002320000-0x0000000002720000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3256-123-0x0000000002320000-0x0000000002720000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3256-121-0x0000000002320000-0x0000000002720000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3256-124-0x0000000002320000-0x0000000002720000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3256-128-0x0000000003060000-0x0000000003096000-memory.dmp

                    Filesize

                    216KB

                    Download

                  • memory/3256-134-0x0000000003060000-0x0000000003096000-memory.dmp

                    Filesize

                    216KB

                    Download

                  • memory/3256-135-0x0000000002320000-0x0000000002720000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/5048-197-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-204-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-195-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-196-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-192-0x0000022037C40000-0x0000022037C47000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/5048-193-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-200-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-203-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-205-0x00007FFFA15C0000-0x00007FFFA179B000-memory.dmp

                    Filesize

                    1.9MB

                    Download

                  • memory/5048-194-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-202-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-206-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-207-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-189-0x0000022037AB0000-0x0000022037AB3000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/5048-213-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-214-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-125-0x0000022037AB0000-0x0000022037AB3000-memory.dmp

                    Filesize

                    12KB

                    Download

                  • memory/5048-274-0x00007FF6677B0000-0x00007FF6678DD000-memory.dmp

                    Filesize

                    1.2MB

                    Download

                  • memory/5048-275-0x0000022037C40000-0x0000022037C45000-memory.dmp

                    Filesize

                    20KB

                    Download

                  • memory/5048-276-0x00007FFFA15C0000-0x00007FFFA179B000-memory.dmp

                    Filesize

                    1.9MB

                    Download