Overview

overview

10

Static

static

3

cvFlingcTr...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2024 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cvFlingcTrain4sd.77.23.exe

  • Size

    113.0MB

  • MD5

    d08635f30ede076ac64d068579232710

  • SHA1

    4c19d0f7b53eee28a7ffcbbfdaa1a096f800678d

  • SHA256

    7b5481968d10f3d8594cace1c962f7161a86d89e8b9bb5f095b884050f25c7d0

  • SHA512

    3e118ff3c73359f5f2e283afd352cbd89f6732568fb64706c762e159334215fb7df28f957f9c45e340a8b589631f082dedf9839d0e2fbf77ec34b4eb2ec82b98

  • SSDEEP

    196608:vjMkvVn1BGGw3ns0x+WL/Y7lyd/8IBq2pQjMkvVn1BGGw3ns0x+WL/Y7lyd/8IB9:vJfGGwc3WgydUg2JfGGwc3WgydUg

Score
10/10
rhadamanthysstealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2608
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4364
    • C:\Users\Admin\AppData\Local\Temp\cvFlingcTrain4sd.77.23.exe
      "C:\Users\Admin\AppData\Local\Temp\cvFlingcTrain4sd.77.23.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Local\Temp\UIRmake\UniversalInstaller.exe
        C:\Users\Admin\AppData\Local\Temp\UIRmake\UniversalInstaller.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Users\Admin\AppData\Roaming\UIRmake\UniversalInstaller.exe
          "C:\Users\Admin\AppData\Roaming\UIRmake\UniversalInstaller.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:5028
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2840
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3156

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\UIxMarketPlugin.dll
        Filesize

        316KB

        MD5

        2b75a3896e9c550cefb3d1314b1360d7

        SHA1

        fbb8e3ed860e18fffbec30e1751b8d1675a8fad4

        SHA256

        09bcf11e896ff9a9b23a8a9b68306269bdbb16824c165dd810de246a9783914b

        SHA512

        e8702f3521471c04e23122bd6227c714067bf3abbc3b10ef08742a6ca07f24e4026b37d925b3467ea9e0f4cc0003edf9ac4ebda013a7ba1f638389fc09c20907

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\UIxMarketPlugin.dll
        Filesize

        198KB

        MD5

        f89e3184955f601b37383d983bd6081a

        SHA1

        6cc1f47a572e961342385250a8316e7ae66eb9f7

        SHA256

        f00e3fe58a5d6640f6a21b1fa5907dab8b4966c8329802d564f9b1f76cace41d

        SHA512

        4a41f0796d3f6144aea4661589c509eacf0d540dd2167f716fb37af98812c1c57fdb384f4c916123bbf8ca0dca53cfc9de79a5c1c645d8fb44dd835db7bb654e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\UniversalInstaller.exe
        Filesize

        201KB

        MD5

        0bf746dadfeae87d9acba5df7d53c21f

        SHA1

        9bcd5d2e0680444044dc10922e802820918e208c

        SHA256

        278234048ab435da86a4f72039955ba8eecdf77900da4e7f5eec1b4e2c6a7f84

        SHA512

        41a7a46949a2c350036ed5e5d5a54d48d91c905441bd3b5f8e77a7ad46352190c4fcd8eee655b97b31e736d6bd1a87156707c43dfb59e798b8183ebfb81f5bf0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\UniversalInstaller.exe
        Filesize

        244KB

        MD5

        39c14c53c54e55b1d5088b463f34a605

        SHA1

        0c9edfe0acaf78671d22e5d699ed111d1e1f301a

        SHA256

        94e3e4b258edfafb94276e7692381cabfa56ec0025586b619d65f01c1609aa90

        SHA512

        6912076a64376a8840ce1715356181bd2a3fb447e43bab3b4984a6306f2c50d1e486870325afb415b6d33854c8e1ecf90b6a1e37dda847cfd0e20ebcd346c8e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\agape.accdb
        Filesize

        54KB

        MD5

        c234965885950885032e3909cd971043

        SHA1

        48709db2b23102ca5a66074bce7b1a3dd77335d4

        SHA256

        c3753b100cc5f485cfaafac7f3abdff288d926d76177be07bb1bf9f6061ee893

        SHA512

        6f44d4ff67e276968cea51d62069932fde47395fa8fb3eb23e66fc7dbe7c94a8755e4a6e9843f237ad1290c23d042534f608fb94bf70ea48069a44eca2289248

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\paroxytone.asp
        Filesize

        187KB

        MD5

        b8a8bd8f16a54175caf841995bac0fa9

        SHA1

        15c8fe67fb63082f3a00b4de25c5ae62f397bf9d

        SHA256

        f243b48341153bc3fd2f1795b98343f44ae22989196b446da6a2b2a337e5271f

        SHA512

        c8bf362a6118632309c434e3fc4a5fb6b583347b35d179e25154ec78d16324ccd07fe34beb73f5e06a5fef790a7213e74c031627f1646ef3583868d42bd55123

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\relay.dll
        Filesize

        211KB

        MD5

        b95a878c4bb77884f96eb4a896fe01d7

        SHA1

        f53032a0cfab323adb2447a7ddeea997db04488b

        SHA256

        5f156da1fe4cd08e3e82b0c9e14f0d07731eaaa60a9f81f5298a6daab38ad5de

        SHA512

        2935f20d7548ac033150e24494fe98d14fa94d9971aea1da1f3befdf23ee01208e9924fca3025c85ec30924101dcb2336a48e61fedcc508dbe393f5cadf6aa60

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\UIRmake\relay.dll
        Filesize

        348KB

        MD5

        33b2655670fa1b5b536486c2b2565dbf

        SHA1

        37cda473a2e4c53534203fbb449428284299c8b7

        SHA256

        40cfda2be7d1ddbdc086a3555fd50867f1ca424ee4d29a340888f576bf7f11a1

        SHA512

        67a0ca8c5fd38ef39c2c0e8f767011d27639d351d105015e384da0723a419d0d05a330ab558ae5291858d310ce44941811fc4ddb6ee438ab4d5cf02242c08b0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c700116b
        Filesize

        1KB

        MD5

        53eec62baddbf4953b748c92050a9b66

        SHA1

        a8c3c49fb993c3778d0f6dafe3d5c07b215ade3c

        SHA256

        254c892e78be8b9140aeacccaff88f0a2427958d7df1ecb715a1b046b2a1293d

        SHA512

        d35bae471445ca1f6c693447aa0ab479a5bb81c6ccffd4ed53700bcac0ef892cd15d057a5a5c458915349b8c51075f16ec21a709fd2aea3a17473ada47554f6a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\UIxMarketPlugin.dll
        Filesize

        281KB

        MD5

        bc4fb1956d5103cfd71ccac9efa3f238

        SHA1

        89c1ea1bfcab318b26b63f3f9af73beff977edab

        SHA256

        84510fd98c9a085145cf86221e2341117566fcd3617d08160cac37531cba4070

        SHA512

        b354f5c3f84a706e5ceff9bf3ba321f5165e864c3a1f12b5cb0ae945f1bd840dd5a136263bc386f59939f7384e7ff0c6517ee98a67b7f8c9eda1a15d7fbd7dba

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\UIxMarketPlugin.dll
        Filesize

        122KB

        MD5

        ebc7ecf9955e67daa13384729d46005c

        SHA1

        363a73754ce099f7a68093e4f9ab69bffea24ed7

        SHA256

        59c0e05e090e379d28defa8079be4e48f563f873023bd03666491c2d61863a38

        SHA512

        fe725110282eaf2910aedc7560e4e79cacd0a698021ba5a7835526d39d8731187c8268311ac72b4b8798749c908a6b28fadc3b95b0d4cdcbe19c58ff421f31c4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\UniversalInstaller.exe
        Filesize

        222KB

        MD5

        7d251a3273d4a35c346bef704a971253

        SHA1

        018b1e1714a30fcc9382d87cc619dde8252cf3fb

        SHA256

        a5d9e73641b932eef3b111ad3c60c2cc498bb95b36e7b74d1571213de6bf3112

        SHA512

        30f6eb0a8c416513462fcd1a6632796a366682f8d23bdb97969608feba5c378f1bcb43c185e16f5fd747bcad4d4682b184b91511605106df81a15fa417d17725

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\UniversalInstaller.exe
        Filesize

        92KB

        MD5

        311d4e631bb75daafcd2246c95320fbc

        SHA1

        fa5a94f2a6956df8e78a6bb605bc152f0b8d7213

        SHA256

        54493d637f531698b2dc234bb02029b8316c542a53c005de2201e87a6c813ad5

        SHA512

        d19b146163f5a95218a954bdd7b4c4ffbe4d02b20b4f872b750f6cee26425eb0ec8d7f6c4dca8b0ad7fbd48105695f00a651b8b1d6da28d41cd293cd5477c6b0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\paroxytone.asp
        Filesize

        122KB

        MD5

        01e2aa6c6b1f4b142bcbdb2f99dd0c66

        SHA1

        92024680cefe511bc833bbe8925f21dceef6b680

        SHA256

        61c1e66167f586f082b24d4debb328255c089e9bf4d5a79fbdff61c27c5651b8

        SHA512

        77e172182bebe7e7fdd361d1385dced2444588d8a3a218bb20c9f7b3a16b89b197b546c3ee5b3391255885fa035798f34c04f7a4ea3f1c4bbe9f30c83e7bcc23

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\relay.dll
        Filesize

        153KB

        MD5

        39f3886c12a2d43c7b9a763f1524b0da

        SHA1

        69efba4314135bb9cf65e63b912ebe61a29628dc

        SHA256

        b600e117f549472d68c81ea9bf3d8d91a071d936109052f7158f150f5dc49301

        SHA512

        7e7ffc084bac16c143941703e76d21b87fbb024f93825ace6794719cf5af329725e77cefa44a006c47190020086ee6d789b777b6431d130f146da46a23b8b65c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\UIRmake\relay.dll
        Filesize

        108KB

        MD5

        9da6f98bb8e93f6e18f700525fb7a8ef

        SHA1

        37ece1704182e3a6f04d96b59dbccff423a8d574

        SHA256

        0cf32b84e5571d440a39b933f8bbe686d4e0005b19a3af9c0e56d1ffe1af934a

        SHA512

        b88a9f18ee98d687c3a56be600702df2b51436649778809647ca0ad972e6ec944622a8764393db65fe1b3b601426c52ead27a314be7cd20267831b42d30b8fb6

        Download Submit

      • memory/1596-6-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1596-9-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1596-7-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1596-1-0x0000000005560000-0x0000000005561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1596-16-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1596-5-0x0000000000400000-0x0000000000CA7000-memory.dmp

        Filesize

        8.7MB

        Download

      • memory/1596-19-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1596-48-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2188-30-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2188-29-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2840-60-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2840-59-0x0000000001050000-0x00000000010DA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/2840-73-0x0000000001050000-0x00000000010DA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/2840-70-0x00000000046B0000-0x0000000004AB0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2840-71-0x00000000775D0000-0x00000000777E5000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2840-67-0x00000000046B0000-0x0000000004AB0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2840-65-0x00000000046B0000-0x0000000004AB0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2840-64-0x0000000000620000-0x0000000000A53000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/2840-61-0x0000000001050000-0x00000000010DA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/4364-76-0x0000000002E40000-0x0000000003240000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4364-72-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4364-81-0x0000000002E40000-0x0000000003240000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4364-79-0x0000000002E40000-0x0000000003240000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4364-80-0x00000000775D0000-0x00000000777E5000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4364-77-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4364-75-0x0000000002E40000-0x0000000003240000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4532-47-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4532-46-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4532-50-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4532-45-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/5028-52-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/5028-54-0x00007FF88A5D0000-0x00007FF88A7C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/5028-55-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/5028-56-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/5028-58-0x0000000073050000-0x00000000731CB000-memory.dmp

        Filesize

        1.5MB

        Download