Analysis
max time kernel: 5s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-04-2024 15:49

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: Hurricane Loader 4.9.0.exe
  Resource: win11-20240221-en
  6 signatures, 150 seconds
General
Target: Hurricane Loader 4.9.0.exe
Size: 365KB
MD5: bc5220a906b2d5fee8d2d9aabac1cdc1
SHA1: e7efd6fc174eae355c4f39a6e5725f9260cdf987
SHA256: cc2ffeb6c70c867fb87b8392cb1abf595cb73f8ff38d6595f98430400d688ebc
SHA512: b73dbf7e8eef99814db519da1fd702f3cb82d51ba22e7981fa96dd4e925bbc4c6714e8e616436857d147bf47d2268593866eb86124e9bd98c118e342d19f50e8
SSDEEP: 6144:TLM2LZtM6Yi7slqUWE21n/uG+tyYTW1bxrimB4kIUZc5bmmw3P4+EZbVT2K:TPZvH71UWE21ncNMrimBI5Dw3vQ2
Score: 10/10
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: RegAsm.exe
  description             pid   process     target process
  PID 4024 created 2072   4024  RegAsm.exe  sihost.exe
  Reading: RegAsm.exe (4024) called NtCreateUserProcess naming sihost.exe (2072) as the parent of the new process, i.e. parent-PID spoofing. The process tree below places dialer.exe (1980) under sihost.exe, and 4024 then writes to 1980, which is consistent with dialer.exe being the process created here.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Hurricane Loader 4.9.0.exe
  description                          pid   process                     target process
  PID 1848 set thread context of 4024  1848  Hurricane Loader 4.9.0.exe  RegAsm.exe
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid   pid_target  process       target process
  4732  4024        WerFault.exe  RegAsm.exe
  2260  4024        WerFault.exe  RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: RegAsm.exe, dialer.exe
  pid   process
  4024  RegAsm.exe   (2 events)
  1980  dialer.exe   (4 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: Hurricane Loader 4.9.0.exe, RegAsm.exe
  description                       pid   process                     target process
  PID 1848 wrote to memory of 4024  1848  Hurricane Loader 4.9.0.exe  RegAsm.exe   (11 events)
  PID 4024 wrote to memory of 1980  4024  RegAsm.exe                  dialer.exe   (5 events)
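The two injection signatures above are the parts of this report worth turning into a hunt: SetThreadContext plus repeated WriteProcessMemory from the loader (1848) into a freshly started RegAsm.exe (4024) is the classic process-hollowing pattern, and RegAsm.exe then creating a process with a foreign parent and writing into it is parent-PID spoofing followed by injection. The block below is an added example, not code from the Triage report or from the sample. The ProcCreate and ApiCall records are a constructed, simplified model of what a kernel process ETW provider or an EDR exposes (a creator PID and the stored parent PID), populated with the PIDs from this report; HOLLOW_HOSTS is an assumed list of signed binaries commonly used as hollowing targets, of which RegAsm.exe is the one seen here.

```python
"""Re-derive the process-hollowing and parent-PID-spoofing findings of this
report from process-event records.

Added example: the record format is a constructed, simplified model and is not
the sandbox's own signature logic.  'creator' is the PID that actually issued
NtCreateUserProcess; 'parent' is the ParentProcessId stored on the new process
(the value Sysmon Event ID 1 or Win32_Process would show).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str
    creator: int   # PID that called NtCreateUserProcess (0 = unknown/pre-existing)
    parent: int    # parent PID recorded on the new process


@dataclass(frozen=True)
class ApiCall:
    api: str       # "WriteProcessMemory" or "SetThreadContext"
    caller: int
    target: int


# Assumed list of signed Microsoft binaries often used as hollowing hosts.
HOLLOW_HOSTS = {"RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe",
                "AppLaunch.exe", "aspnet_compiler.exe"}

# Constructed records shaped after the PIDs in this report.
CREATES = [
    ProcCreate(2072, "sihost.exe", creator=0, parent=0),
    ProcCreate(1848, "Hurricane Loader 4.9.0.exe", creator=0, parent=0),
    ProcCreate(4024, "RegAsm.exe", creator=1848, parent=1848),
    ProcCreate(1980, "dialer.exe", creator=4024, parent=2072),  # parent spoofed
]
CALLS = (
    [ApiCall("WriteProcessMemory", 1848, 4024)] * 11
    + [ApiCall("SetThreadContext", 1848, 4024)]
    + [ApiCall("WriteProcessMemory", 4024, 1980)] * 5
)


def image_of(pid, creates):
    return next((c.image for c in creates if c.pid == pid), f"pid:{pid}")


def find_ppid_spoofing(creates):
    """Processes whose recorded parent is not the PID that created them."""
    return [c for c in creates if c.creator and c.creator != c.parent]


def write_counts(calls):
    """Number of WriteProcessMemory calls per (caller, target) pair."""
    counts = {}
    for c in calls:
        if c.api == "WriteProcessMemory":
            counts[(c.caller, c.target)] = counts.get((c.caller, c.target), 0) + 1
    return counts


def find_hollowing(calls, creates):
    """A caller that both writes memory into and sets thread context on a
    target it created, or whose image is a known hollowing host.
    Returns (caller_pid, target_pid, target_image) tuples."""
    writes = {(c.caller, c.target) for c in calls if c.api == "WriteProcessMemory"}
    ctx = {(c.caller, c.target) for c in calls if c.api == "SetThreadContext"}
    hits = []
    for caller, target in sorted(writes & ctx):
        img = image_of(target, creates)
        created_by_caller = any(c.pid == target and c.creator == caller for c in creates)
        if created_by_caller or img in HOLLOW_HOSTS:
            hits.append((caller, target, img))
    return hits


def summarize(creates=CREATES, calls=CALLS):
    """Human-readable findings, one line per detection."""
    counts = write_counts(calls)
    lines = []
    for caller, target, img in find_hollowing(calls, creates):
        lines.append(f"hollowing: {image_of(caller, creates)} ({caller}) -> {img} ({target}), "
                     f"{counts.get((caller, target), 0)} WriteProcessMemory + SetThreadContext")
    for c in find_ppid_spoofing(creates):
        lines.append(f"ppid spoofing: {image_of(c.creator, creates)} ({c.creator}) created "
                     f"{c.image} ({c.pid}) with parent {image_of(c.parent, creates)} ({c.parent})")
        n = counts.get((c.creator, c.pid), 0)
        if n:
            lines.append(f"  and wrote to it {n} times (injection into the spoofed child)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Stock Sysmon Event ID 1 records only the parent stored on the new process, so on a host it would show dialer.exe under sihost.exe exactly as the tree below does; the real creator is visible in the Microsoft-Windows-Kernel-Process ETW provider (the event header's PID is the creating process) or in an EDR feed, and a Sysmon Event ID 10 ProcessAccess from 4024 to 1980 corroborates the write. Note also that RegAsm.exe crashed twice under WerFault and the report carries no extracted Malware Config, so the chain probably did not run to completion on this image; treat the absence of network IoCs here as a gap in the run, not as evidence the sample has none.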
Processes (path, command line, PID; indentation shows parent/child as recorded by the sandbox)

C:\Windows\system32\sihost.exe  "sihost.exe"  PID:2072
  C:\Windows\SysWOW64\dialer.exe  "C:\Windows\system32\dialer.exe"  PID:1980
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\Hurricane Loader 4.9.0.exe  "C:\Users\Admin\AppData\Local\Temp\Hurricane Loader 4.9.0.exe"  PID:1848
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  PID:4024
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 500  PID:4732
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 516  PID:2260
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024  PID:3764

C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4024 -ip 4024  PID:4500

Observations: RegAsm.exe is loaded from Framework (not Framework64) and is launched with no arguments, and the WerFault instances reporting on it come from SysWOW64, so the hollowed host is a 32-bit process. dialer.exe's command line names system32 while its image path is SysWOW64, which is WoW64 file-system redirection on that same 32-bit chain. The tree shows dialer.exe under sihost.exe because the parent recorded on the process is the spoofed one.