Overview

overview

10

Static

static

3

Portable_x...ce.dll

windows7-x64

1

Portable_x...ce.dll

windows10-2004-x64

1

Portable_x...up.exe

windows7-x64

3

Portable_x...up.exe

windows10-2004-x64

10

Portable_x...40.dll

windows7-x64

1

Portable_x...40.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    135s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Portable_x32_x64/Setup.exe

  • Size

    251KB

  • MD5

    fe51917821ba0847a64c5467741ed7e3

  • SHA1

    100ee217a3a2d1b2b211fa214804bfa77c676765

  • SHA256

    54b3c35bdc0c3a426f6fbe5e06500738dabcdc47b9eaeb6548122af1f46cd2eb

  • SHA512

    4a8de56ff27c71f582d342ae82699e1b2b1b3958ff3dbf67c46dd94c35afd8b97cc7dddb3f04e6797a3b50d2ebba44b6ddee8c42174a09b83a808b9ba35f9137

  • SSDEEP

    6144:tpbIwepIdznDi8Har8HSDzYTk0zh6LM8wG4m7:fbIwewi8Har8czYTkbLZ4m7

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://144.76.133.166:8034/5502b8a765a7d7349/8duqxdnh.falc4

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2608
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3656
    • C:\Users\Admin\AppData\Local\Temp\Portable_x32_x64\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Portable_x32_x64\Setup.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 444
          3⤵
          • Program crash
          PID:2832
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 440
          3⤵
          • Program crash
          PID:4128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4948 -ip 4948
      1⤵
        PID:4144
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4948 -ip 4948
        1⤵
          PID:2748

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\d3d9x.dll
          Filesize

          642KB

          MD5

          d6a05fd14991d2dc5f972b681b0b8fd1

          SHA1

          92b9d749770953695fc04658af5a7d3d20a13485

          SHA256

          b20121b224944f229ebe84c0adb2500be80cda86dba4d6542e7f225503f8cea7

          SHA512

          1f48c03f4d29e30ac7598a6ed427b9fefe8077fee79239c973c1df39e540d30f6a4ef4667a366f8851a8be0bf469c236da06469f3058393d29b8b058270a2605

          Download Submit

        • memory/3656-22-0x00000000006F0000-0x00000000006F9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3656-31-0x0000000002290000-0x0000000002690000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3656-25-0x0000000002290000-0x0000000002690000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3656-26-0x00007FFAECD90000-0x00007FFAECF85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3656-28-0x0000000076DB0000-0x0000000076FC5000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3656-29-0x0000000002290000-0x0000000002690000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3656-24-0x0000000002290000-0x0000000002690000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4448-2-0x0000000077581000-0x00000000776A1000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4948-12-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/4948-20-0x0000000076DB0000-0x0000000076FC5000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4948-18-0x00007FFAECD90000-0x00007FFAECF85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4948-21-0x0000000003DF0000-0x00000000041F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4948-16-0x0000000003DF0000-0x00000000041F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4948-17-0x0000000003DF0000-0x00000000041F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4948-15-0x0000000003DF0000-0x00000000041F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4948-13-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/4948-14-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download

        • memory/4948-30-0x0000000003DF0000-0x00000000041F0000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4948-11-0x0000000000400000-0x000000000047E000-memory.dmp

          Filesize

          504KB

          Download