Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-08-2023 05:17
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20230712-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20230703-en)
General
- Target: tmp.exe
- Size: 456KB
- MD5: 5c805d4466345b26b820ff887eab561a
- SHA1: 478d40e07351d59b7854c9b4140b3592ff19c841
- SHA256: 112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2
- SHA512: d3656925bb6c1776f6b8ca5592d527e4f77d5ade621c715bed5042ac4a2e1a9344febb73eb927b7fb1ba4511488da1062e01c470326bf28e0a4d671b830f3502
- SSDEEP: 12288:ItjtEVJvfW1kGh0ZbIfl6dtcj4BtRt6D2cehTAI:I7EV4io5jet5fhMI
Malware Config
Extracted: systembc
- discordcdn8839248.com:4327
- chinabar821994.com:4327
Signatures
- Detect rhadamanthys stealer shellcode (5 IoCs)
  resource | yara_rule
  behavioral2/memory/3556-145-0x00000000038F0000-0x0000000003CF0000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3556-146-0x00000000038F0000-0x0000000003CF0000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3556-147-0x00000000038F0000-0x0000000003CF0000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3556-148-0x00000000038F0000-0x0000000003CF0000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3556-157-0x00000000038F0000-0x0000000003CF0000-memory.dmp | family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: tmp.exe
  description | pid | Process | procid_target
  PID 3556 created 3140 | 3556 | tmp.exe | 69
- Executes dropped EXE (1 IoC)
  Processes: YFd.exe
  pid | Process
  4772 | YFd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: YFd.exe
  description | pid | Process | procid_target
  PID 4772 set thread context of 1572 | 4772 | YFd.exe | 97
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | Process | procid_target
  2368 | 3556 | WerFault.exe | 82
  3704 | 4772 | WerFault.exe | 96
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: tmp.exe, certreq.exe
  pid | Process
  3556 | tmp.exe
  3556 | tmp.exe
  3556 | tmp.exe
  3556 | tmp.exe
  3900 | certreq.exe
  3900 | certreq.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: tmp.exe, YFd.exe
  description | pid | Process | procid_target
  PID 3556 wrote to memory of 3900 | 3556 | tmp.exe | 91
  PID 3556 wrote to memory of 3900 | 3556 | tmp.exe | 91
  PID 3556 wrote to memory of 3900 | 3556 | tmp.exe | 91
  PID 3556 wrote to memory of 3900 | 3556 | tmp.exe | 91
  PID 4772 wrote to memory of 1572 | 4772 | YFd.exe | 97
  PID 4772 wrote to memory of 1572 | 4772 | YFd.exe | 97
  PID 4772 wrote to memory of 1572 | 4772 | YFd.exe | 97
  PID 4772 wrote to memory of 1572 | 4772 | YFd.exe | 97
  PID 4772 wrote to memory of 1572 | 4772 | YFd.exe | 97
Processes (indented by tree depth)
- C:\Windows\Explorer.EXE (PID 3140)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3556)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2368)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 948
      signatures: Program crash
  - C:\Windows\system32\certreq.exe (PID 3900)
    command line: "C:\Windows\system32\certreq.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe (PID 4172)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556
- C:\Users\Admin\AppData\Local\Microsoft\YFd.exe (PID 4772)
  command line: "C:\Users\Admin\AppData\Local\Microsoft\YFd.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1572)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 3704)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 308
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2792)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4772 -ip 4772
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 961KB
  MD5: 648e1bf1672068d725a9b8434627947e
  SHA1: c21e0bd251e33d4464fdd376ae46fe4f01c533cf
  SHA256: 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2
  SHA512: c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725