Analysis
max time kernel: 70s
max time network: 91s
platform: windows10-1703_x64
resource: win10-20240319-en
resource tags: arch:x64, arch:x86, image:win10-20240319-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-03-2024 12:23
Static task: static1
Behavioral task: behavioral1
Sample: ProjectGitHubMain/Loader.exe
Resource: win10-20240319-en
General
Target: ProjectGitHubMain/Loader.exe
Size: 66.5MB
MD5: ab5dcb490674475c7d9937d8022fa500
SHA1: 8c85c43c9bb5f230362458a9b086cb0c6831fa57
SHA256: f34c10bcc40f46873231ea3b379a405a95a6dd152503adb5b764d22348a7bd23
SHA512: a52ab0a78ca0c62329d34ee1077d4a3e28b803ead82ed19fe5ea42b6b5517a8a754a1bbc23e5c9ebe7aacd542772f3d263ae5477e845794d43ab13655ae300d8
SSDEEP: 393216:mJov7+fr01+Mdu48o+UDWluZyiA5rptiv/slzx8uy60d+HEYXEyN:myvSzCkYJWl0arptin4xbyJdQZ/N
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description           | pid  | Process     | procid_target
  PID 2260 created 2576 | 2260 | ADelRCP.exe | 44
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | Process
  5052 | driver1.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         | pid  | Process     | procid_target
  PID 5052 set thread context of 2260 | 5052 | driver1.exe | 81
- Program crash (2 IoCs)
  Processes:
  pid  | pid_target | Process      | procid_target
  4964 | 2260       | WerFault.exe | 81
  1612 | 2260       | WerFault.exe | 81
- GoLang User-Agent (1 IoC)
  Uses the default User-Agent string set by the Go HTTP packages.
  Processes:
  description            | flow | ioc
  HTTP User-Agent header | 3    | Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid  | Process
  4416 | powershell.exe
  4416 | powershell.exe
  4416 | powershell.exe
  432  | powershell.exe
  432  | powershell.exe
  432  | powershell.exe
  2260 | ADelRCP.exe
  2260 | ADelRCP.exe
  1460 | dialer.exe
  1460 | dialer.exe
  1460 | dialer.exe
  1460 | dialer.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (columns description | pid | Process), grouped by process in the order the report lists them:
  4416 powershell.exe (22 entries): Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  432 powershell.exe (22 entries): Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3040 wmic.exe (20 entries): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description                      | pid  | Process     | procid_target
  PID 664 wrote to memory of 4416  | 664  | Loader.exe  | 73
  PID 664 wrote to memory of 4416  | 664  | Loader.exe  | 73
  PID 664 wrote to memory of 432   | 664  | Loader.exe  | 76
  PID 664 wrote to memory of 432   | 664  | Loader.exe  | 76
  PID 664 wrote to memory of 3040  | 664  | Loader.exe  | 78
  PID 664 wrote to memory of 3040  | 664  | Loader.exe  | 78
  PID 664 wrote to memory of 5052  | 664  | Loader.exe  | 80
  PID 664 wrote to memory of 5052  | 664  | Loader.exe  | 80
  PID 5052 wrote to memory of 2260 | 5052 | driver1.exe | 81
  PID 5052 wrote to memory of 2260 | 5052 | driver1.exe | 81
  PID 5052 wrote to memory of 2260 | 5052 | driver1.exe | 81
  PID 5052 wrote to memory of 2260 | 5052 | driver1.exe | 81
  PID 5052 wrote to memory of 2260 | 5052 | driver1.exe | 81
  PID 2260 wrote to memory of 1460 | 2260 | ADelRCP.exe | 82
  PID 2260 wrote to memory of 1460 | 2260 | ADelRCP.exe | 82
  PID 2260 wrote to memory of 1460 | 2260 | ADelRCP.exe | 82
  PID 2260 wrote to memory of 1460 | 2260 | ADelRCP.exe | 82
  PID 2260 wrote to memory of 1460 | 2260 | ADelRCP.exe | 82
Processes
- c:\windows\system32\sihost.exe (PID 2576)
  Command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 1460)
    Command line: "C:\Windows\system32\dialer.exe"
    Suspicious behavior: EnumeratesProcesses
    (Shown under sihost.exe because the NtCreateUserProcessOtherParentProcess signature records PID 2260, ADelRCP.exe, creating it with PID 2576 as parent.)
- C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe (PID 664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"
  Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4416)
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 432)
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 3040)
    Command line: wmic csproduct get uuid
    Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\driver1.exe (PID 5052)
    Command line: C:\ProgramData\driver1.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe (PID 2260)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 4964)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 512
        Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 1612)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 504
        Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 3.9MB
  MD5: c9ba72dd40efccd9ea8b199984bfcea8
  SHA1: 047bb1776528de85752efb7e5cd8505637db610f
  SHA256: 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481
  SHA512: 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8
- Filesize: 3KB
  MD5: 7033adcdceef2520521477b094e52cc7
  SHA1: 6dbdc3aba745a40a79f2eb659f2b427aaf5ff62e
  SHA256: bb10a63597ebc56a9c5e558c7b5bed8c1dde4856f7604ab987998d10eda3ac4e
  SHA512: af9249bd6a64e28d1b03ce962618ce2a7e5a55dc57d1dbc8efcf2e4142e74f40e58b144952981c3a86771a9fd207e73986130edf7b7dfde2495347e284e8287e
- Filesize: 1KB
  MD5: 236531aa12a6d4dcf54d1d234c2b3321
  SHA1: d9a5aaddb8418b2e0e3e008b5963e785922cc3da
  SHA256: 7f2c00049ee1cb0b0cb7292e1e8f01c3bd22a340e6026e8d14f29db5841459f4
  SHA512: 0364cbe65fe4363dfe7354470aef0798eee9c0f8649ef7716f371e667a721f101058b202401954ebcfe8636d3cf0bc22cfb5a4dd29bc690c9c3a19232eb175fb
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a