Malware Analysis Report

2025-06-15 19:48

Sample ID: 240210-v1rmgage86
Target: github-setup.exe
SHA256: bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0
Tags: rhadamanthys, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: bc0266d295b2cd211f0c16aa608caf0db401916f284a99cc578f5ad394b117d0
Threat level: Known bad

The file github-setup.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer (family tag)

Rhadamanthys (family detection, behavioral1)

Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with an explicit parent-process handle that is not the caller, i.e. parent-PID spoofing)

Suspicious use of SetThreadContext (rewriting a thread context in another process; combined with WriteProcessMemory this is the usual mechanic of process hollowing or thread hijacking)

Program crash (WerFault.exe invoked for PID 1636, BitLockerToGo.exe; see Processes)

Unsigned PE (static1: github-setup.exe carries no Authenticode signature)

Suspicious behavior: EnumeratesProcesses (BitLockerToGo.exe enumerates running processes)

Suspicious use of WriteProcessMemory (github-setup.exe -> BitLockerToGo.exe -> dialer.exe; see Signatures under behavioral1)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-10 17:27

Signatures

Unsigned PE (no indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-10 17:27
Reported: 2024-02-10 17:28
Platform: win10v2004-20231215-en
Max time kernel: 30s
Max time network: 43s

Command Line

sihost.exe

This is the command line at the root of the report's process list, not the sample's own launch: github-setup.exe was started as "C:\Users\Admin\AppData\Local\Temp\github-setup.exe" (see Processes). The sihost.exe entry corresponds to the NtCreateUserProcessOtherParentProcess signature below, in which PID 1636 (BitLockerToGo.exe) creates PID 2704 with C:\Windows\system32\sihost.exe in the target column.

Signatures

Rhadamanthys (tags: stealer, rhadamanthys)

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1636 created 2704 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\system32\sihost.exe

The sandbox raises this signature when a process is created with a parent-process attribute that is not the calling process (parent-PID spoofing), so the new process will not show BitLockerToGo.exe as its parent. The report does not state whether the target column here names the new process image or the chosen parent.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 636 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\github-setup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A (2 events)

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Events is the number of times the sandbox recorded the call.

Description | Indicator | Process | Target | Events
PID 636 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\github-setup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | 5
PID 1636 wrote to memory of 4460 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | C:\Windows\SysWOW64\dialer.exe | 5
PID 3780 wrote to memory of 2364 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe | 11

Read together, the SetThreadContext and WriteProcessMemory rows give the injection chain github-setup.exe (PID 636) -> BitLockerToGo.exe (PID 1636) -> dialer.exe (PID 4460): the sample writes into BitLockerToGo.exe and sets a thread context in it, and that process in turn writes into dialer.exe. The firefox.exe -> firefox.exe rows are a browser parent process writing into its own content processes and are not an indicator on their own.
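As an added example (editor's code, not part of the sandbox report or of any Rhadamanthys tooling), the signature rows above re-entered as constructed input and parsed to reconstruct the injection chain and to separate the injection pairs from the browser's same-image parent/child writes. The labels given to each pair (hollowing/thread hijack, write-only, same-image) are the editor's heuristics; the report itself only names the APIs. Because the report does not say which role sihost.exe plays in the "created" row, the function that handles it only returns the row.

```python
"""Reconstruct the process-injection chain from sandbox signature rows.

Editor's example. The rows are copied from the report; the parsing and the
labelling heuristics are not part of the sandbox's output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Image paths exactly as they appear in the report's Process/Target columns.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\github-setup.exe"
BLTG = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
DIALER = r"C:\Windows\SysWOW64\dialer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SIHOST = r"C:\Windows\system32\sihost.exe"

# Constructed input: (event count, Description, Process, Target) for every
# signature row in behavioral1; the Indicator column is N/A throughout.
ROWS = [
    (1, "PID 1636 created 2704", BLTG, SIHOST),
    (1, "PID 636 set thread context of 1636", SAMPLE, BLTG),
    (5, "PID 636 wrote to memory of 1636", SAMPLE, BLTG),
    (5, "PID 1636 wrote to memory of 4460", BLTG, DIALER),
    (11, "PID 3780 wrote to memory of 2364", FIREFOX, FIREFOX),
]

DESC_RE = re.compile(r"^PID (\d+) (created|set thread context of|wrote to memory of) (\d+)$")
OPS = {"created": "create", "set thread context of": "set_context",
       "wrote to memory of": "write"}


@dataclass(frozen=True)
class Event:
    src_pid: int
    op: str
    dst_pid: int
    src_image: str
    dst_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Expand (count, description, process, target) rows into Event objects."""
    events = []
    for count, desc, process, target in rows:
        m = DESC_RE.match(desc)
        if not m:
            raise ValueError(f"unrecognised description: {desc!r}")
        events.extend([Event(int(m[1]), OPS[m[2]], int(m[3]), process, target)] * count)
    return events


def classify_pairs(events):
    """Label every (writer PID, target PID) pair by the combination of APIs seen."""
    counts = defaultdict(lambda: defaultdict(int))
    images = {}
    for ev in events:
        if ev.op == "create":
            continue
        counts[(ev.src_pid, ev.dst_pid)][ev.op] += 1
        images[(ev.src_pid, ev.dst_pid)] = (ev.src_image, ev.dst_image)
    labelled = {}
    for pair, ops in counts.items():
        src, dst = images[pair]
        if basename(src).lower() == basename(dst).lower():
            # A parent writing into a child of the same image is how browsers
            # set up content processes; low signal on its own.
            label = "same-image parent/child write (low signal)"
        elif "write" in ops and "set_context" in ops:
            # Write a payload, then point a thread at it: hollowing/thread
            # hijacking, which is what the report shows for 636 -> 1636.
            label = "WriteProcessMemory + SetThreadContext: hollowing/thread hijack"
        elif "write" in ops:
            label = "cross-process WriteProcessMemory only"
        else:
            label = "SetThreadContext only"
        labelled[pair] = (label, dict(ops))
    return labelled


def injection_chain(events, root_image):
    """Walk write/set_context edges from the sample; one target per stage here."""
    successors = defaultdict(dict)   # src_pid -> {dst_pid: dst_image}
    pid_by_image = {}
    for ev in events:
        if ev.op == "create" or basename(ev.src_image).lower() == basename(ev.dst_image).lower():
            continue
        successors[ev.src_pid][ev.dst_pid] = ev.dst_image
        pid_by_image.setdefault(basename(ev.src_image).lower(), ev.src_pid)
    pid = pid_by_image[basename(root_image).lower()]
    chain, seen = [basename(root_image)], {pid}
    while successors[pid]:
        dst_pid, dst_image = sorted(successors[pid].items())[0]
        if dst_pid in seen:          # guard against a cycle in malformed input
            break
        seen.add(dst_pid)
        chain.append(basename(dst_image))
        pid = dst_pid
    return chain


def ppid_spoofing(events):
    """Rows where a process was created with a parent handle other than the caller."""
    return [(ev.src_pid, ev.dst_pid, basename(ev.src_image), basename(ev.dst_image))
            for ev in events if ev.op == "create"]


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    for pair, (label, ops) in classify_pairs(evs).items():
        print(pair, label, ops)
    print("chain:", " -> ".join(injection_chain(evs, SAMPLE)))
    print("parent-PID spoofing rows:", ppid_spoofing(evs))
```

Run as a script it prints the three pairs with their labels, the chain github-setup.exe -> BitLockerToGo.exe -> dialer.exe, and the single spoofed-parent creation. The same parser applies to other reports in this format as long as the Description column keeps the "PID X <verb> Y" wording.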

Processes

Each entry is the image path followed by the recorded command line. Two details are worth noting. dialer.exe is recorded under C:\Windows\SysWOW64 although it was launched as "C:\Windows\system32\dialer.exe": that is WoW64 file-system redirection, under which a 32-bit caller asking for system32\dialer.exe receives the 32-bit binary from SysWOW64. And C:\Windows\SysWOW64\WerFault.exe is invoked four times with -p 1636, i.e. for BitLockerToGo.exe, which is the "Program crash" signature in the summary and indicates that the process the sample injected into crashed and is itself a 32-bit (WoW64) process.

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\github-setup.exe

"C:\Users\Admin\AppData\Local\Temp\github-setup.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1636 -ip 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 436

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.0.1342496028\443047022" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1688 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfdaf628-6e1b-42fb-8eb6-ba77d1e90e72} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1844 2039d108158 gpu

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1636 -ip 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 460

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.1.2024149280\1657581628" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74b11a8-b275-4e3c-bcf1-cb12eae7b157} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2288 2039bce3b58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.2.2123370429\678295021" -childID 1 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {849c7fd9-e3b6-43a5-8368-2c984cd167c4} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 3792 2039ffbe258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.3.1191035124\1341348667" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 4032 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a734297-27dc-4768-9d4b-5b924568d935} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4024 2039f8e8958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.4.2100368506\1107902488" -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4308 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa8b3a2-55d5-42c2-8a11-8843b05ec1e7} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 4468 203a1d49b58 tab

Network

Every row below is either a reverse-DNS (in-addr.arpa) lookup sent to 8.8.8.8 or traffic to Mozilla service endpoints generated by the firefox.exe processes in the tree. No connection attributable to github-setup.exe, BitLockerToGo.exe or dialer.exe was recorded within the 43-second network window, so this report yields no network IOCs; treat that as a gap in observation, not as evidence that the sample has no command-and-control traffic.

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 52.24.144.241:443 shavar.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp

Files

Memory dump names follow the pattern memory/<pid>-<index>-<start>-<end>-memory.dmp, where the index is assigned by the sandbox in the order the dumps were taken. PID 636 is github-setup.exe, PID 1636 is BitLockerToGo.exe and PID 4460 is dialer.exe (see Signatures). The files with hashes listed after the dumps are Firefox profile and telemetry artifacts (datareporting, prefs.js) written by the browser during the run, not payloads dropped by the sample.

memory/636-2-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp

memory/1636-5-0x0000000000E10000-0x0000000000E98000-memory.dmp

memory/1636-8-0x0000000000E10000-0x0000000000E98000-memory.dmp

memory/1636-9-0x0000000000E10000-0x0000000000E98000-memory.dmp

memory/636-6-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp

memory/1636-11-0x0000000003E90000-0x0000000004290000-memory.dmp

memory/1636-13-0x0000000003E90000-0x0000000004290000-memory.dmp

memory/1636-12-0x0000000003E90000-0x0000000004290000-memory.dmp

memory/1636-14-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp

memory/1636-17-0x0000000003E90000-0x0000000004290000-memory.dmp

memory/4460-18-0x0000000000910000-0x0000000000919000-memory.dmp

memory/1636-16-0x00000000765B0000-0x00000000767C5000-memory.dmp

memory/4460-20-0x0000000002720000-0x0000000002B20000-memory.dmp

memory/4460-21-0x0000000002720000-0x0000000002B20000-memory.dmp

memory/4460-22-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp

memory/4460-23-0x0000000002720000-0x0000000002B20000-memory.dmp

memory/4460-25-0x00000000765B0000-0x00000000767C5000-memory.dmp

memory/1636-31-0x0000000003E90000-0x0000000004290000-memory.dmp

memory/4460-30-0x0000000002720000-0x0000000002B20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\db\data.safe.bin

MD5 cfdd7da662f752b9bc5f6dc0a88ea65c
SHA1 2c529c155c48c35dace029e771440426c16f6d5a
SHA256 19e67863b3f6affa15d7cc1b229d1c006b5edf0ab673c5a5b4e01412acd9a419
SHA512 9e0096f1c0ab065dc2546455cdb8a3c3e287e38f23df1ed20ca971b47c2a7bc516e7b6add85f6e2389e46a57b88d5c63d822f88302c958fa066a13db73c99e82

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\14dbc98a-a07e-4793-bb5d-ccdf2261d3f6

MD5 1aa91f27939c41d002d02dfcb5bf3b5c
SHA1 dda8fe1eeeee070abd90127ac17f2f6929bb9bfc
SHA256 ce2863b61aa0d0e7b711bbcea8ab8896fe193248a911f5cf6a0c286c0216c807
SHA512 9f3d635ac1f44b0ae0501955067f0850ca737a4dc4d5f84238f1f7d14c362a3d5c41a9ca8cd6ce56ab30de772c42c111ea6655c6da23e4a03a60326a33a3b0e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\datareporting\glean\pending_pings\9f7218aa-9ce9-49bd-b7ed-121e6718f9f8

MD5 51f007a6d9b047e20cdd7f8b18f0f859
SHA1 e44bbff4edfb33d1b8ae6d779a813248dbc7fa2e
SHA256 5b754a7282a4e5d58725af6e9e22b41070ff8c196b1ae04b72edbfe01274b3bd
SHA512 a1cd72f44c6f875417820cc134f48246152764f218efb7ad9e440ac869824237e983bf9380c5f732eb1af4269fbd1688f412f23212ed56d771606578256b26ba

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg7x8yxg.default-release\prefs.js

MD5 48b1ffb9527870b40b57528fc4686c50
SHA1 ce135b557b1d11438249067bc357e2aec2e9c0dd
SHA256 18d4602babf1574513806174b655e12dc1971fe2dc815b2b3f166f07e46165be
SHA512 4a299c128f87e14183847040b1281fa25f633e1058d49e3b2c9eeb457b61b179d49abb1674de93a5242c0aa42f6bf6569f368d6f6de389efaea1b8f3716f6093
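As an added example (editor's code, not part of the sandbox report), the memory dump names above re-entered as constructed input and grouped by PID and region. The point a practitioner wants from this list is which region is the injected payload: the two heuristics here (an identical address range in two processes is a shared system DLL at its per-boot ASLR base; equal-sized regions at different bases in two processes are private allocations that plausibly hold the same payload) and the 32-bit/64-bit hint are the editor's, and the hint is only that, since the dumps cover a handful of regions rather than the whole address space.

```python
"""Group the report's memory dumps by PID and region to locate the injected payload.

Editor's example, not part of the sandbox report. The dump names are copied
from the Files section; the heuristics are the editor's.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: the 19 memory dump names listed in the report.
DUMPS = """
memory/636-2-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp
memory/1636-5-0x0000000000E10000-0x0000000000E98000-memory.dmp
memory/1636-8-0x0000000000E10000-0x0000000000E98000-memory.dmp
memory/1636-9-0x0000000000E10000-0x0000000000E98000-memory.dmp
memory/636-6-0x00007FF648EB0000-0x00007FF64C997000-memory.dmp
memory/1636-11-0x0000000003E90000-0x0000000004290000-memory.dmp
memory/1636-13-0x0000000003E90000-0x0000000004290000-memory.dmp
memory/1636-12-0x0000000003E90000-0x0000000004290000-memory.dmp
memory/1636-14-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp
memory/1636-17-0x0000000003E90000-0x0000000004290000-memory.dmp
memory/4460-18-0x0000000000910000-0x0000000000919000-memory.dmp
memory/1636-16-0x00000000765B0000-0x00000000767C5000-memory.dmp
memory/4460-20-0x0000000002720000-0x0000000002B20000-memory.dmp
memory/4460-21-0x0000000002720000-0x0000000002B20000-memory.dmp
memory/4460-22-0x00007FFAF3990000-0x00007FFAF3B85000-memory.dmp
memory/4460-23-0x0000000002720000-0x0000000002B20000-memory.dmp
memory/4460-25-0x00000000765B0000-0x00000000767C5000-memory.dmp
memory/1636-31-0x0000000003E90000-0x0000000004290000-memory.dmp
memory/4460-30-0x0000000002720000-0x0000000002B20000-memory.dmp
""".split()

# PID -> image, taken from the report's Signatures section.
PROCESS = {636: "github-setup.exe", 1636: "BitLockerToGo.exe", 4460: "dialer.exe"}


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def regions_by_pid(names):
    """pid -> {(start, end): {"size", "dumps", "first_index"}}"""
    out = defaultdict(dict)
    for name in names:
        pid, index, start, end = parse_dump_name(name)
        info = out[pid].setdefault((start, end),
                                   {"size": end - start, "dumps": 0, "first_index": index})
        info["dumps"] += 1
        info["first_index"] = min(info["first_index"], index)
    return dict(out)


def shared_mappings(regions):
    """Identical (start, end) ranges in two or more processes: the same system
    DLL mapped at its per-boot ASLR base, not data the sample wrote."""
    owners = defaultdict(set)
    for pid, regs in regions.items():
        for rng in regs:
            owners[rng].add(pid)
    return {rng: sorted(p) for rng, p in owners.items() if len(p) >= 2}


def candidate_payload_regions(regions):
    """Equal-sized regions in two or more processes at different bases:
    private allocations that plausibly hold the same injected payload."""
    bases = defaultdict(dict)  # size -> {pid: start}
    for pid, regs in regions.items():
        for (start, _end), info in regs.items():
            bases[info["size"]][pid] = start
    return {size: dict(b) for size, b in bases.items()
            if len(b) >= 2 and len(set(b.values())) == len(b)}


def address_space_hint(regs):
    """'64-bit' if every dumped region lies above 4 GiB, '32-bit' if every
    region lies below, else 'WoW64-like' (32-bit ranges plus a 64-bit mapping,
    as a 32-bit process under WoW64 shows). A hint only: dumps are a sample."""
    high = [start >= 1 << 32 for (start, _end) in regs]
    if all(high):
        return "64-bit"
    if not any(high):
        return "32-bit"
    return "WoW64-like"


if __name__ == "__main__":
    regs = regions_by_pid(DUMPS)
    for pid, r in sorted(regs.items()):
        print(PROCESS.get(pid, pid), address_space_hint(r))
        for (start, end), info in sorted(r.items()):
            print(f"  {start:#018x}-{end:#018x} size={info['size']:#x} dumps={info['dumps']}")
    print("shared mappings:", shared_mappings(regs))
    print("candidate payload regions:", candidate_payload_regions(regs))
```

On this report the script singles out one candidate: a 0x400000-byte region present in both BitLockerToGo.exe (base 0x3E90000, dumped five times) and dialer.exe (base 0x2720000, dumped four times), while the 0x7FFAF3990000 and 0x765B0000 ranges are flagged as mappings shared by both processes. Those two dumps are the ones to carve for the decrypted stage.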