Analysis

  max time kernel:   67s
  max time network:  75s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240226-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         28-03-2024 14:42
Tasks

  task          sample                                           resource
  static1       (static analysis of the submission)
  behavioral1   ProjectMainGitHub.zip                            win7-20240221-en
  behavioral2   ProjectMainGitHub.zip                            win10v2004-20240226-en
  behavioral3   ProjectGitHubMain/Engine.js                      win7-20231129-en
  behavioral4   ProjectGitHubMain/Engine.js                      win10v2004-20240226-en
  behavioral5   ProjectGitHubMain/Loader.exe                     win7-20240221-en
  behavioral6   ProjectGitHubMain/Loader.exe                     win10v2004-20240226-en
  behavioral7   ProjectGitHubMain/Newtonsoft.Json.dll            win7-20240221-en
  behavioral8   ProjectGitHubMain/Newtonsoft.Json.dll            win10v2004-20240226-en
  behavioral9   ProjectGitHubMain/bin/UbuilderB.exe              win7-20240215-en
  behavioral10  ProjectGitHubMain/bin/UbuilderB.exe              win10v2004-20240226-en
  behavioral11  ProjectGitHubMain/bin/UbuilderS.exe              win7-20240221-en
  behavioral12  ProjectGitHubMain/bin/UbuilderS.exe              win10v2004-20240226-en
  behavioral13  ProjectGitHubMain/bin/scv.jar                    win7-20240220-en
  behavioral14  ProjectGitHubMain/bin/scv.jar                    win10v2004-20231215-en
  behavioral15  ProjectGitHubMain/opengl32.dll                   win10v2004-20240226-en
  behavioral16  ProjectGitHubMain/packages/key_datas             win7-20240221-en
  behavioral17  ProjectGitHubMain/packages/key_datas             win10v2004-20240226-en
  behavioral18  ProjectGitHubMain/packages/prefix                win7-20240221-en
  behavioral19  ProjectGitHubMain/packages/prefix                win10v2004-20240226-en
  behavioral20  ProjectGitHubMain/packages/settingss             win7-20240215-en
  behavioral21  ProjectGitHubMain/packages/settingss             win10v2004-20240226-en
  behavioral22  ProjectGitHubMain/user_data/cache/version        win7-20240220-en
  behavioral23  ProjectGitHubMain/user_data/cache/version        win10v2004-20240226-en
  behavioral24  ProjectGitHubMain/user_data/media_cache/version  win7-20231129-en
  behavioral25  ProjectGitHubMain/user_data/media_cache/version  win10v2004-20240319-en
  behavioral26  ProjectGitHubMain/xNet.dll                       win7-20240221-en
  behavioral27  ProjectGitHubMain/xNet.dll                       win10v2004-20240226-en
General

  Target:  ProjectGitHubMain/Loader.exe
  Size:    66.5MB
  MD5:     ab5dcb490674475c7d9937d8022fa500
  SHA1:    8c85c43c9bb5f230362458a9b086cb0c6831fa57
  SHA256:  f34c10bcc40f46873231ea3b379a405a95a6dd152503adb5b764d22348a7bd23
  SHA512:  a52ab0a78ca0c62329d34ee1077d4a3e28b803ead82ed19fe5ea42b6b5517a8a754a1bbc23e5c9ebe7aacd542772f3d263ae5477e845794d43ab13655ae300d8
  SSDEEP:  393216:mJov7+fr01+Mdu48o+UDWluZyiA5rptiv/slzx8uy60d+HEYXEyN:myvSzCkYJWl0arptin4xbyJdQZ/N
Signatures

Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   process      procid_target
  PID 4576 created 2712  4576  ADelRCP.exe  50

Executes dropped EXE (1 IoC)
  pid   process
  3660  driver1.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process      procid_target
  PID 3660 set thread context of 4576  3660  driver1.exe  102

Program crash (2 IoCs)
  pid   pid_target  process       procid_target
  1128  4576        WerFault.exe  102
  3876  4576        WerFault.exe  102

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  3336  schtasks.exe
  3456  schtasks.exe

GoLang User-Agent (2 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description             flow  ioc
  HTTP User-Agent header  17    Go-http-client/1.1
  HTTP User-Agent header  26    Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process         entries
  4212  powershell.exe  2
  816   powershell.exe  2
  4576  ADelRCP.exe     2
  1944  dialer.exe      4

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4212  powershell.exe
  Token: SeDebugPrivilege  816   powershell.exe
  The remaining 42 entries all belong to PID 2216 wmic.exe, which runs through the same 21 tokens twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
  33, 34, 35, 36

Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   process      procid_target  entries
  PID 3924 wrote to memory of 4212  3924  Loader.exe   89             2
  PID 3924 wrote to memory of 816   3924  Loader.exe   91             2
  PID 3924 wrote to memory of 2216  3924  Loader.exe   96             2
  PID 3924 wrote to memory of 3660  3924  Loader.exe   99             2
  PID 3660 wrote to memory of 4576  3660  driver1.exe  102            5
  PID 4576 wrote to memory of 1944  4576  ADelRCP.exe  103            5
  PID 3924 wrote to memory of 3336  3924  Loader.exe   110            2
  PID 3924 wrote to memory of 3456  3924  Loader.exe   112            2

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)

C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2712
    C:\Windows\SysWOW64\dialer.exe
        command line: "C:\Windows\system32\dialer.exe"
        PID: 1944
        signatures: Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"
    PID: 3924
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""
        PID: 4212
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
        PID: 816
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\wmic.exe
        command line: wmic csproduct get uuid
        PID: 2216
        signatures: Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\driver1.exe
        command line: C:\ProgramData\driver1.exe
        PID: 3660
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
            command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
            PID: 4576
            signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 452
                PID: 1128
                signatures: Program crash
            C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 468
                PID: 3876
                signatures: Program crash
    C:\Windows\system32\schtasks.exe
        command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
        PID: 3336
        signatures: Creates scheduled task(s)
    C:\Windows\system32\schtasks.exe
        command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
        PID: 3456
        signatures: Creates scheduled task(s)

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576
    PID: 3572

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4576 -ip 4576
    PID: 3828