Malware Analysis Report

2024-11-30 02:07

Sample ID 240328-w26nfsdh59
Target file.exe
SHA256 4f76cd6ec7222833969dcad5f71ab7cbddfd3714bc9adda334413c66c2826209
Tags rhadamanthys stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4f76cd6ec7222833969dcad5f71ab7cbddfd3714bc9adda334413c66c2826209

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-03-28 18:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-28 18:26
Reported 2024-03-28 18:28
Platform win10v2004-20240226-en
Max time kernel 146s
Max time network 155s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 960 created 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\system32\sihost.exe

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2512 set thread context of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2512 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 2512 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 2512 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 2512 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 2512 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 2512 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 2512 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 396 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 396 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 396 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 396 wrote to memory of 960 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 960 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\SysWOW64\dialer.exe
PID 960 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\SysWOW64\dialer.exe
PID 960 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\SysWOW64\dialer.exe
PID 960 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\SysWOW64\dialer.exe
PID 960 wrote to memory of 1416 | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe" --cp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 480

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp

Files

memory/2512-2-0x00000000006E0000-0x00000000009FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1361fbc7

MD5 2094ddc2476788a39de6be04d3420c25
SHA1 cd76e5863f694f2d9f2c4dd2491dbd9de3989b18
SHA256 1550fbc51c842e8fe98e7f7046bd1672c5fa5f46807228d4cc457331e4e56a86
SHA512 13901c88de3fd492dddb7c2b4c7286d43e9b26904b0275f5acee97dcf1167f20092b87ddb4d34832a2ef7efbe4c7b5c949e38a57aa4ad39db9b43118ac31f343

memory/2512-8-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/2512-9-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/2512-10-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/2512-11-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/396-13-0x0000000075680000-0x00000000757FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\140a252b

MD5 013ff5bf5b7c3ca1f73b9c28eb741028
SHA1 c2d8f5898e12f2c0a287d640d096814641b308bc
SHA256 0f56ca4926ee6a9dd881b4cbbce6f1c816a986746657f0b1ebb938e59004e715
SHA512 4017bba67fbadfc069b3a97f33701ac8831677dec244d606b9591995688df49e7641898b3f0f2d911962434cb922687e2c07e85231cc22e1265c57d3b24cf11d

memory/396-15-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/396-17-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/396-18-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/396-21-0x0000000075680000-0x00000000757FB000-memory.dmp

memory/960-22-0x00000000004B0000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

MD5 0162a97ed477353bc35776a7addffd5c
SHA1 10db8fe20bbce0f10517c510ec73532cf6feb227
SHA256 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571
SHA512 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

memory/960-24-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/960-25-0x00000000004B0000-0x000000000051E000-memory.dmp

memory/960-27-0x0000000000F60000-0x000000000104B000-memory.dmp

memory/960-28-0x00000000052E0000-0x00000000056E0000-memory.dmp

memory/960-29-0x00000000004B0000-0x000000000051E000-memory.dmp

memory/960-31-0x00000000052E0000-0x00000000056E0000-memory.dmp

memory/960-30-0x00000000052E0000-0x00000000056E0000-memory.dmp

memory/960-34-0x00000000052E0000-0x00000000056E0000-memory.dmp

memory/960-35-0x0000000075F50000-0x0000000076165000-memory.dmp

memory/1416-36-0x0000000000E50000-0x0000000000E59000-memory.dmp

memory/1416-39-0x0000000002C60000-0x0000000003060000-memory.dmp

memory/1416-40-0x0000000002C60000-0x0000000003060000-memory.dmp

memory/1416-41-0x00007FF976930000-0x00007FF976B25000-memory.dmp

memory/1416-43-0x0000000002C60000-0x0000000003060000-memory.dmp

memory/1416-44-0x0000000075F50000-0x0000000076165000-memory.dmp

memory/1416-45-0x0000000002C60000-0x0000000003060000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-28 18:26
Reported 2024-03-28 18:28
Platform win7-20240220-en
Max time kernel 121s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3 | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1948 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1948 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 1948 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 1948 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 1948 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 1948 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\netsh.exe
PID 2396 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 2396 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 2396 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 2396 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3
PID 2396 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe" --cp

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

C:\Users\Admin\AppData\Local\Temp\PvjBg.au3

Network

N/A

Files

memory/1948-2-0x0000000000400000-0x000000000071F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d2ed39b

MD5 2094ddc2476788a39de6be04d3420c25
SHA1 cd76e5863f694f2d9f2c4dd2491dbd9de3989b18
SHA256 1550fbc51c842e8fe98e7f7046bd1672c5fa5f46807228d4cc457331e4e56a86
SHA512 13901c88de3fd492dddb7c2b4c7286d43e9b26904b0275f5acee97dcf1167f20092b87ddb4d34832a2ef7efbe4c7b5c949e38a57aa4ad39db9b43118ac31f343

memory/1948-8-0x0000000074CA0000-0x0000000074E14000-memory.dmp

memory/1948-9-0x00000000778A0000-0x0000000077A49000-memory.dmp

memory/1948-10-0x0000000074CA0000-0x0000000074E14000-memory.dmp

memory/1948-11-0x0000000074CA0000-0x0000000074E14000-memory.dmp

memory/2396-13-0x0000000074CA0000-0x0000000074E14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8f67dd8e

MD5 5898a859276adeecdc0bd9d481490673
SHA1 3ce7ce18322952895f7bdbe9d8755a037efa82d6
SHA256 058821c67ad5aa7960f3bee493aca6950be4b191a38321d60c2e9740a4b7587b
SHA512 0536c4440313fe0faf339fcde577219f7feba41810fec4c5d91b7d8466b512a9fdbacc327a5a61ae3822a18c10c5c42bcb97f3b25f5e00588521ee8130ce0f9a

memory/2396-15-0x00000000778A0000-0x0000000077A49000-memory.dmp

memory/2396-17-0x0000000074CA0000-0x0000000074E14000-memory.dmp

memory/2396-18-0x0000000074CA0000-0x0000000074E14000-memory.dmp

\Users\Admin\AppData\Local\Temp\PvjBg.au3

MD5 0162a97ed477353bc35776a7addffd5c
SHA1 10db8fe20bbce0f10517c510ec73532cf6feb227
SHA256 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571
SHA512 9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

memory/2396-23-0x0000000074CA0000-0x0000000074E14000-memory.dmp

memory/2784-24-0x0000000000080000-0x00000000000EE000-memory.dmp

memory/2784-26-0x00000000778A0000-0x0000000077A49000-memory.dmp

memory/2784-27-0x0000000000080000-0x00000000000EE000-memory.dmp

memory/2784-29-0x0000000000CC0000-0x0000000000DAB000-memory.dmp

memory/2784-30-0x0000000000080000-0x00000000000EE000-memory.dmp