Malware Analysis Report

2024-11-30 23:27

Sample ID 230811-fy4rpada7z
Target tmp
SHA256 112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2
Tags
rhadamanthys systembc stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

rhadamanthys systembc stealer trojan

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

Detect rhadamanthys stealer shellcode

Executes dropped EXE

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-11 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-11 05:17

Reported

2023-08-11 05:20

Platform

win7-20230712-en

Max time kernel

118s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2168 created 1356 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2596 set thread context of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2168 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\system32\certreq.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2596 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\SysWOW64\WerFault.exe
PID 2596 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

"C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 108

Network

Country Destination Domain Proto
RU 193.109.85.76:6623 tcp
RU 193.109.85.76:6623 tcp
RU 193.109.85.76:6623 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

MD5 648e1bf1672068d725a9b8434627947e
SHA1 c21e0bd251e33d4464fdd376ae46fe4f01c533cf
SHA256 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2
SHA512 c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-11 05:17

Reported

2023-08-11 05:20

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3556 created 3140 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\YFd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4772 set thread context of 1572 N/A C:\Users\Admin\AppData\Local\Microsoft\YFd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 948

C:\Users\Admin\AppData\Local\Microsoft\YFd.exe

"C:\Users\Admin\AppData\Local\Microsoft\YFd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 308

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
RU 193.109.85.76:6623 tcp
US 8.8.8.8:53 76.85.109.193.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.109.85.76:6623 tcp
RU 193.109.85.76:6623 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\YFd.exe

MD5 648e1bf1672068d725a9b8434627947e
SHA1 c21e0bd251e33d4464fdd376ae46fe4f01c533cf
SHA256 4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2
SHA512 c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725