Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-09-2024 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: RG_Catalyst3/Data/menu.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: RG_Catalyst3/Data/menu.dll
- Resource: win10v2004-20240802-en
Behavioral task: behavioral3
- Sample: RG_Catalyst3/SetLoader.exe
- Resource: win7-20240704-en
Behavioral task: behavioral4
- Sample: RG_Catalyst3/SetLoader.exe
- Resource: win10v2004-20240802-en
General
- Target: RG_Catalyst3/SetLoader.exe
- Size: 35.9MB
- MD5: eb142f56ed73c4cce280fc3f3493429a
- SHA1: e1ce2464864482703abded9cbed4aaabc638a113
- SHA256: 054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72
- SHA512: 75c97a01fe3963939233214093c419fdc3fc561e35e8884ee221e4dced3bab1baa9c4ed2fec6a95517de794728df1eef0e533357b16b719480aa7692910779c2
- SSDEEP: 393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfd:fMguj8Q4VfvPqFTrYC
Malware Config
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 1316 created 2628 | 1316 | module.exe | 44
- Executes dropped EXE (1 IoCs)
  pid | Process
  1316 | module.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | module.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | openwith.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  1316 | module.exe
  1316 | module.exe
  1316 | module.exe
  1316 | module.exe
  4652 | openwith.exe
  4652 | openwith.exe
  4652 | openwith.exe
  4652 | openwith.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1736 wrote to memory of 4556 | 1736 | SetLoader.exe | 87
  PID 1736 wrote to memory of 4556 | 1736 | SetLoader.exe | 87
  PID 4556 wrote to memory of 1316 | 4556 | cmd.exe | 88
  PID 4556 wrote to memory of 1316 | 4556 | cmd.exe | 88
  PID 4556 wrote to memory of 1316 | 4556 | cmd.exe | 88
  PID 1316 wrote to memory of 4652 | 1316 | module.exe | 89
  PID 1316 wrote to memory of 4652 | 1316 | module.exe | 89
  PID 1316 wrote to memory of 4652 | 1316 | module.exe | 89
  PID 1316 wrote to memory of 4652 | 1316 | module.exe | 89
  PID 1316 wrote to memory of 4652 | 1316 | module.exe | 89
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2628
  - C:\Windows\SysWOW64\openwith.exe
    command line: "C:\Windows\system32\openwith.exe"
    signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4652
- C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe"
  signatures:
  - Suspicious use of WriteProcessMemory
  PID: 1736
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\module.exe"
    signatures:
    - Suspicious use of WriteProcessMemory
    PID: 4556
    - C:\Users\Admin\AppData\Local\Temp\module.exe
      command line: C:\Users\Admin\AppData\Local\Temp\module.exe
      signatures:
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1316
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.1MB
  MD5: 850903be8fe94bf6b270c2188af82cca
  SHA1: e0469de46b7ced7b4de11157d0eff8719ba3dc70
  SHA256: 5e69b0dd5a6cea4b9d9790a0d63e9e25417c6d602f004f5540c951585b15cbec
  SHA512: 5d430c21dab1427400f5750f788076e76fe1d45fd5b79f792ad2cbcf916787312f37d596bc70e4d1d16f01a39275798513beaf8741bc864e113cb4a39d44ee1e