Malware Analysis Report

2024-11-30 02:15

Sample ID 240327-pgcfjsfa3s
Target Installer.rar
SHA256 a899ca55e4c4dc45b3d2887c67d1077ffc9bcb0569c70f47fc41b31d46e17157
Tags
rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a899ca55e4c4dc45b3d2887c67d1077ffc9bcb0569c70f47fc41b31d46e17157

Threat Level: Known bad

The file Installer.rar was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-27 12:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-27 12:17

Reported

2024-03-27 12:33

Platform

win10-20240221-en

Max time kernel

53s

Max time network

55s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description           | Indicator | Process                                                  | Target
PID 2288 created 2692 | N/A       | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | c:\windows\system32\sihost.exe

RegAsm.exe (PID 2288) created a new process but declared sihost.exe as its parent (parent-PID spoofing, normally done with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute), so a process tree shows the child under sihost.exe rather than under the injected RegAsm.exe. The report does not name the image behind PID 2692.

Executes dropped EXE

Description | Indicator | Process                                       | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A

Suspicious use of SetThreadContext

Description                         | Indicator | Process                                       | Target
PID 4836 set thread context of 2288 | N/A       | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Install.exe (PID 4836) replaced a thread context in RegAsm.exe (PID 2288), a Microsoft-signed .NET Framework utility. Together with the repeated WriteProcessMemory calls from 4836 into 2288 listed under "Suspicious use of WriteProcessMemory", this is the create, write, SetThreadContext sequence of process hollowing. The 0x400000-0x46D000 region dumped from PID 2288 (Files list) sits at the default image base of a 32-bit PE, where a hollowed replacement image is typically written.

Enumerates physical storage devices

Modifies registry class

Description | Indicator                                                                            | Process                     | Target
Key created | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description                | Indicator | Process                         | Target
Token: SeRestorePrivilege  | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35                  | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A

"Token: 35" is a privilege the sandbox reports only by its LUID; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (SeCreateSymbolicLinkPrivilege). All three are privileges the 7-Zip file manager itself requests when handling an archive (NTFS security metadata and symbolic links); the process is the sandbox's own 7-Zip install, not the sample.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                         | Target
N/A (x2)    | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description                            | Indicator | Process                                                  | Target
PID 2772 wrote to memory of 2972 (x2)  | N/A       | C:\Windows\system32\cmd.exe                              | C:\Program Files\7-Zip\7zFM.exe
PID 4836 wrote to memory of 2288 (x11) | N/A       | C:\Users\Admin\AppData\Local\Temp\Install.exe            | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2288 wrote to memory of 1544 (x5)  | N/A       | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\dialer.exe

Identical rows are collapsed with their repeat count. The two cmd.exe -> 7zFM.exe writes are the pattern of an ordinary process launch (the same pair appears in behavioral2, where nothing malicious ran). The eleven Install.exe -> RegAsm.exe writes and the five RegAsm.exe -> dialer.exe writes are the payload being injected into two Microsoft-signed 32-bit binaries.

Processes

c:\windows\system32\sihost.exe
    sihost.exe

C:\Windows\system32\cmd.exe (PID 2772)
    cmd /c C:\Users\Admin\AppData\Local\Temp\Install.rar

C:\Program Files\7-Zip\7zFM.exe (PID 2972)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Install.rar"

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Install.exe (PID 4836)
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2288)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 804
    (crash report for Install.exe, PID 4836)

C:\Windows\SysWOW64\dialer.exe (PID 1544)
    "C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 608
    (crash report for RegAsm.exe, PID 2288)

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 616
    (second crash report for RegAsm.exe, PID 2288)

PIDs are taken from the signature rows above; the report does not state which process launched Install.exe. The rundll32.exe line is the shell's SHCreateLocalServerRunDll COM server host, routinely seen when a file is opened through the shell, and the WerFault.exe instances are Windows Error Reporting for the two crashed processes. Both Install.exe and the hollowed RegAsm.exe crashed inside the 53 s kernel window, so the stealer's collection and exfiltration stages may not have run in this detonation.
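The two signatures that carry the verdict in behavioral1 (SetThreadContext plus repeated WriteProcessMemory from Install.exe into RegAsm.exe, and NtCreateUserProcessOtherParentProcess from RegAsm.exe with sihost.exe as the declared parent) can be re-derived from process telemetry that records both the creating PID and the declared parent PID. The Python below is an added example, not code from the sandbox or from this report; it runs over constructed events that mirror the signature rows above. PIDs 2772, 2972, 4836, 2288, 1544 and 2692 come from the report; sihost.exe's PID, the image behind PID 2692 and the creation edges for Install.exe and dialer.exe are assumptions, marked as such in the comments.

```python
"""Added example: re-deriving the two injection signatures from process telemetry.

Three event types are modelled the way a kernel/ETW sensor reports them:
process creation (with both the creating PID and the recorded parent PID),
cross-process memory writes, and thread-context replacement.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Create:
    creator_pid: int   # PID whose thread called NtCreateUserProcess
    pid: int           # PID of the new process
    image: str
    parent_pid: int    # parent recorded for the new process (what a process tree shows)


@dataclass(frozen=True)
class Write:           # WriteProcessMemory / NtWriteVirtualMemory, source -> target
    src_pid: int
    dst_pid: int


@dataclass(frozen=True)
class ContextSet:      # SetThreadContext / NtSetContextThread, source -> target
    src_pid: int
    dst_pid: int


# Constructed telemetry mirroring the behavioral1 signatures. PIDs 2772, 2972,
# 4836, 2288, 1544 and 2692 are from the report. ASSUMED (not in the report):
# sihost.exe's PID (900), the image of PID 2692, and the creation edges
# 7zFM.exe -> Install.exe and RegAsm.exe -> dialer.exe.
SIHOST_PID = 900
CREATES = [
    Create(SIHOST_PID, 2772, r"C:\Windows\system32\cmd.exe", SIHOST_PID),
    Create(2772, 2972, r"C:\Program Files\7-Zip\7zFM.exe", 2772),
    Create(2972, 4836, r"C:\Users\Admin\AppData\Local\Temp\Install.exe", 2972),
    Create(4836, 2288, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 4836),
    # RegAsm.exe created 2692 but the recorded parent is sihost.exe
    Create(2288, 2692, "<not in report>", SIHOST_PID),
    Create(2288, 1544, r"C:\Windows\SysWOW64\dialer.exe", 2288),
]
WRITES = [Write(2772, 2972)] * 2 + [Write(4836, 2288)] * 11 + [Write(2288, 1544)] * 5
CONTEXT_SETS = [ContextSet(4836, 2288)]


def ppid_spoofing(creates):
    """Processes whose recorded parent is not the process that created them.
    This is what NtCreateUserProcessOtherParentProcess flags: the creator passed
    a parent handle, and a process tree shows the child under sihost.exe."""
    return [c for c in creates if c.creator_pid != c.parent_pid]


def hollowing_candidates(creates, writes, ctx_sets):
    """Creator writes into a process it spawned and then replaces a thread context:
    the create -> WriteProcessMemory -> SetThreadContext sequence of hollowing.
    An ordinary launch also produces a couple of parent->child writes (cmd.exe ->
    7zFM.exe here), so the context replacement is the discriminating step."""
    wrote = {(w.src_pid, w.dst_pid) for w in writes}
    reset = {(c.src_pid, c.dst_pid) for c in ctx_sets}
    return [c for c in creates
            if (c.creator_pid, c.pid) in wrote and (c.creator_pid, c.pid) in reset]


def write_counts(writes):
    """Collapse repeated write events into (src, dst) -> count."""
    return dict(Counter((w.src_pid, w.dst_pid) for w in writes))


def describe(creates, writes, ctx_sets):
    """One human-readable line per finding."""
    images = {c.pid: c.image for c in creates}
    images[SIHOST_PID] = r"c:\windows\system32\sihost.exe"
    lines = []
    for c in ppid_spoofing(creates):
        lines.append(f"PPID spoofing: {images[c.creator_pid]} created PID {c.pid} "
                     f"with recorded parent {images[c.parent_pid]}")
    for c in hollowing_candidates(creates, writes, ctx_sets):
        n = write_counts(writes)[(c.creator_pid, c.pid)]
        lines.append(f"Hollowing: {images[c.creator_pid]} -> {c.image} "
                     f"({n} writes, thread context replaced)")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(CREATES, WRITES, CONTEXT_SETS)))
```

The creator-versus-parent comparison only works with a sensor that records the calling PID (kernel process-creation callbacks or ETW do; a process tree built from parent PIDs alone cannot see the spoof). The RegAsm.exe -> dialer.exe writes are deliberately not flagged as hollowing, because the report shows no SetThreadContext on PID 1544; they surface through write_counts instead.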

Network

Country | Destination | Domain                     | Proto
US      | 8.8.8.8:53  | 97.135.221.88.in-addr.arpa | udp

The only network event in this run is a reverse (PTR) lookup for 88.221.135.97 sent to the sandbox resolver; no outbound TCP connection and no C2 contact was recorded in the 55 s network window. Because both Install.exe and RegAsm.exe crashed, the absence of C2 traffic here should not be read as the sample having none.

Files

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 e40eaf172baa952af63da4afc6b8a9e3
SHA1 a9cbc97a377d8ff56bfe98311bd22908ae36e71f
SHA256 7beb7853a6d9de5ca7e8b0e759e1a643d18584e2a04979d75d9cfd28011aec8c
SHA512 62b8fc5680d8e27c9f9fe5376b3bddfb9204ff1e1f25e6ecf92d9d90d9dec33f27bf89be1f41e82414cd1353d9f63273b6720562ec46f3c29d0ef8775fe1db4f

memory/4836-348-0x0000000000B30000-0x0000000000BA0000-memory.dmp

memory/4836-349-0x00000000736F0000-0x0000000073DDE000-memory.dmp

memory/4836-350-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/2288-353-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2288-356-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4836-357-0x0000000002E70000-0x0000000004E70000-memory.dmp

memory/2288-358-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2288-359-0x0000000003970000-0x0000000003D70000-memory.dmp

memory/2288-361-0x0000000003970000-0x0000000003D70000-memory.dmp

memory/2288-362-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp

memory/2288-365-0x0000000003970000-0x0000000003D70000-memory.dmp

memory/2288-364-0x0000000074200000-0x00000000743C2000-memory.dmp

memory/1544-366-0x0000000002D50000-0x0000000002D59000-memory.dmp

memory/1544-369-0x0000000004A70000-0x0000000004E70000-memory.dmp

memory/1544-370-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp

memory/1544-371-0x0000000004A70000-0x0000000004E70000-memory.dmp

memory/1544-374-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp

memory/1544-373-0x0000000074200000-0x00000000743C2000-memory.dmp

memory/2288-375-0x0000000003970000-0x0000000003D70000-memory.dmp

memory/1544-376-0x0000000004A70000-0x0000000004E70000-memory.dmp

memory/4836-377-0x00000000736F0000-0x0000000073DDE000-memory.dmp
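The memory dump names above encode the PID and the address range the sandbox dumped. Grouping them per process and comparing ranges across processes is how an analyst decides which dump to unpack first. The Python below is an added example, not part of the report or the sandbox, run over the behavioral1 dump names verbatim. The interpretation in its comments is mine: the 0x400000-0x46D000 range in RegAsm.exe sits at the default 32-bit image base, and the 4 MiB range present in both RegAsm.exe (at 0x3970000) and dialer.exe (at 0x4A70000) is consistent with the same payload being copied from one process into the next, matching the RegAsm.exe -> dialer.exe writes in the signatures.

```python
"""Added example: triage of the memory-dump names in the Files list.

Each dump name encodes <pid>-<seq>-<start>-<end>. Grouping per PID and comparing
ranges across PIDs shows where the unpacked payload lives and which ranges the
sandbox found in more than one process.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# The behavioral1 dump names as listed in the report.
DUMPS = """
memory/4836-348-0x0000000000B30000-0x0000000000BA0000-memory.dmp
memory/4836-349-0x00000000736F0000-0x0000000073DDE000-memory.dmp
memory/4836-350-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/2288-353-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2288-356-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4836-357-0x0000000002E70000-0x0000000004E70000-memory.dmp
memory/2288-358-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2288-359-0x0000000003970000-0x0000000003D70000-memory.dmp
memory/2288-361-0x0000000003970000-0x0000000003D70000-memory.dmp
memory/2288-362-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp
memory/2288-365-0x0000000003970000-0x0000000003D70000-memory.dmp
memory/2288-364-0x0000000074200000-0x00000000743C2000-memory.dmp
memory/1544-366-0x0000000002D50000-0x0000000002D59000-memory.dmp
memory/1544-369-0x0000000004A70000-0x0000000004E70000-memory.dmp
memory/1544-370-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp
memory/1544-371-0x0000000004A70000-0x0000000004E70000-memory.dmp
memory/1544-374-0x00007FFB08720000-0x00007FFB088FB000-memory.dmp
memory/1544-373-0x0000000074200000-0x00000000743C2000-memory.dmp
memory/2288-375-0x0000000003970000-0x0000000003D70000-memory.dmp
memory/1544-376-0x0000000004A70000-0x0000000004E70000-memory.dmp
memory/4836-377-0x00000000736F0000-0x0000000073DDE000-memory.dmp
""".split()


def parse_dump(name):
    """'memory/2288-353-0x...400000-0x...46D000-memory.dmp' -> (2288, 353, 0x400000, 0x46D000)."""
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse."""
    regions = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump(name)
        regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def shared_regions(regions):
    """Identical address ranges dumped from more than one PID. The same range at the
    same address in two processes is normally a shared DLL mapping, not a copied payload."""
    owners = defaultdict(set)
    for pid, regs in regions.items():
        for r in regs:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


def same_size_across_pids(regions):
    """Range sizes seen in more than one PID at different addresses: the pattern a
    payload leaves when it is copied into a second process. Returns size -> {pid: start}."""
    owners = defaultdict(dict)
    for pid, regs in regions.items():
        for start, end in regs:
            owners[end - start][pid] = start
    return {size: addrs for size, addrs in owners.items()
            if len(addrs) > 1 and len(set(addrs.values())) > 1}


def image_base_regions(regions):
    """Ranges starting at 0x400000, the default image base of a 32-bit PE: in a hollowed
    process this is where the replacement image is written (interpretation, not report data)."""
    return {pid: [r for r in regs if r[0] == 0x400000]
            for pid, regs in regions.items() if any(r[0] == 0x400000 for r in regs)}


if __name__ == "__main__":
    regs = regions_by_pid(DUMPS)
    for pid, ranges in sorted(regs.items()):
        for start, end in ranges:
            print(f"PID {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes)")
    print("image-base ranges:", image_base_regions(regs))
    print("same size, different address:", same_size_across_pids(regs))
```

On this input the 0x7FFB08720000 and 0x74200000 ranges are reported as shared between PIDs 2288 and 1544 (same address, so mapped modules rather than payload), while the only size that recurs at different addresses is 0x400000 bytes, in exactly the two processes that received injected writes.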

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-27 12:17

Reported

2024-03-27 12:36

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

167s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Install.rar

Signatures

Checks computer location settings

Description       | Indicator                                                                                            | Process                     | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

The Geo\Nation query comes from cmd.exe, not from the sample; Install.exe was never executed in this run.

Enumerates physical storage devices

Modifies registry class

Description | Indicator                                                                            | Process                     | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description               | Indicator | Process                         | Target
Token: SeRestorePrivilege | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35                 | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A

LUID 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (SeCreateSymbolicLinkPrivilege); both privileges are requested by the 7-Zip file manager itself.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description                           | Indicator | Process                     | Target
PID 3872 wrote to memory of 4488 (x2) | N/A       | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe (PID 3872)
    cmd /c C:\Users\Admin\AppData\Local\Temp\Install.rar

C:\Program Files\7-Zip\7zFM.exe (PID 4488)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Install.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

In this run the archive was opened in the 7-Zip file manager but Install.exe was never extracted or executed (no "Executes dropped EXE" signature, and Files is N/A), so no Rhadamanthys behaviour was observed. The msedge.exe utility process is a Microsoft Edge background service, not something the sample started.

Network

Country | Destination         | Domain                       | Proto
GB      | 142.250.178.10:443  |                              | tcp
US      | 8.8.8.8:53          | 73.31.126.40.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 241.154.82.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 29.179.17.96.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 26.35.223.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | g.bing.com                   | udp
US      | 204.79.197.200:443  | g.bing.com                   | tcp
US      | 8.8.8.8:53          | 200.197.79.204.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 79.121.231.20.in-addr.arpa   | udp
US      | 13.107.253.64:443   |                              | tcp
US      | 8.8.8.8:53          | 28.118.140.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 41.110.16.96.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 157.123.68.40.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 15.164.165.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 217.135.221.88.in-addr.arpa  | udp
US      | 8.8.8.8:53          | 154.239.44.20.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 13.86.106.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | 5.179.17.96.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 31.243.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53          | 43.58.199.20.in-addr.arpa    | udp
US      | 8.8.8.8:53          | tse1.mm.bing.net             | udp
US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
US      | 204.79.197.200:443  | tse1.mm.bing.net             | tcp
US      | 8.8.8.8:53          | 27.173.189.20.in-addr.arpa   | udp

Blank Domain cells are TCP flows for which the report recorded no preceding DNS answer. The named endpoints (g.bing.com, tse1.mm.bing.net) are Edge/Bing background services and the in-addr.arpa rows are reverse lookups by the OS and browser; none of this traffic is attributable to the sample, which did not execute in this run.
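Neither network table shows command-and-control traffic: behavioral1 recorded a single reverse lookup before the injected processes crashed, and behavioral2 (in which Install.exe was never run) shows only Edge and Bing background traffic plus reverse lookups. The Python below is an added example, not from the report or the sandbox, that parses both tables in the format the report uses (country, ip:port, optional domain, protocol), turns in-addr.arpa names back into the address they ask about, and separates DNS noise from direct connections, which is where a C2 channel would have to appear. The behavioral1 input is the full table; the behavioral2 input is an excerpt of the rows above, chosen to include the rows with no domain column.

```python
"""Added example: reading the sandbox Network tables for C2 evidence.

Rows are '<country> <ip>:<port> [<domain>] <proto>'. The domain column is blank
for TCP flows with no recorded DNS answer, so the parser accepts three or four
columns. in-addr.arpa names are reverse (PTR) lookups and are converted back to
the address they ask about.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# The behavioral1 table, verbatim from the report.
BEHAVIORAL1 = """
US 8.8.8.8:53 97.135.221.88.in-addr.arpa udp
"""

# An excerpt of the behavioral2 table, including the rows with no domain column.
BEHAVIORAL2 = """
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the report left the column blank
    proto: str


def parse_row(line):
    """One table row -> Flow; raises on anything that is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed row: {line!r}")
    country, ip, port, domain, proto = m.groups()
    return Flow(country, ip, int(port), domain, proto)


def parse_table(text):
    return [parse_row(l) for l in text.strip().splitlines() if l.strip()]


def ptr_to_ip(name):
    """'97.135.221.88.in-addr.arpa' -> '88.221.135.97'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(text):
    """Split a table into DNS activity and direct connections.
    'direct' (every non-port-53 flow) is where a C2 channel would have to show up."""
    flows = parse_table(text)
    dns = [f for f in flows if f.port == 53]
    return {
        "ptr_targets": sorted({ptr_to_ip(f.domain) for f in dns if ptr_to_ip(f.domain)}),
        "forward_lookups": sorted({f.domain for f in dns
                                   if f.domain and ptr_to_ip(f.domain) is None}),
        "direct": sorted({(f.ip, f.port, f.domain) for f in flows if f.port != 53},
                         key=lambda t: (t[0], t[1], t[2] or "")),
    }


if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, triage(table))
```

For behavioral1 the "direct" list is empty, which is the observation that matters: the run produced no connection a C2 server could have been on the other end of. For behavioral2 the four direct endpoints are the Bing hosts and two unattributed HTTPS flows, all from the browser rather than the sample.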

Files

N/A