Malware Analysis Report

2024-11-15 06:02

Sample ID 240930-tmjh9stgpm
Target Installer.zip
SHA256 d98832bfc040c10d3000a9afc90ec9f8d9adcfc12ad45bc6baabfa26f760d97b
Tags
discovery rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d98832bfc040c10d3000a9afc90ec9f8d9adcfc12ad45bc6baabfa26f760d97b

Threat Level: Known bad

The file Installer.zip was found to be: Known bad.

Malicious Activity Summary

discovery rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-30 16:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-30 16:10

Reported

2024-09-30 16:13

Platform

win7-20240708-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"

Network

N/A

Files

memory/752-1-0x0000000076670000-0x0000000076731000-memory.dmp

memory/752-0-0x00000000777E0000-0x00000000778B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-30 16:10

Reported

2024-09-30 16:13

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

140s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4364 created 2116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\system32\sihost.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4868 set thread context of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4868 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 4364 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\openwith.exe
PID 4364 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\openwith.exe
PID 4364 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\openwith.exe
PID 4364 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\openwith.exe
PID 4364 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 440

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4868-6-0x0000000077A51000-0x0000000077B71000-memory.dmp

C:\Users\Admin\AppData\Roaming\msvcp110.dll

MD5 351c51206a136e8e3224579b50d5ff3c
SHA1 8683cef48ad78e150dfb290c65188f4b9a5100a8
SHA256 a14e7251adaa163f527e4f45471b4649af25856ecce2f90d2544e69773b69a8a
SHA512 53e9e6c02d0f7370ca0743783b933936825ea7a690aaf40c64a0b2b6f7983dd196053c06c94470eac11f6ede50204c80d448edf42877722936338cfc98122b5d

memory/4364-11-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4364-12-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4364-14-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4364-13-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4364-16-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

memory/4364-15-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

memory/4364-17-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

memory/4364-18-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

memory/4364-21-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

memory/4364-20-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

memory/1760-22-0x0000000000F20000-0x0000000000F29000-memory.dmp

memory/1760-25-0x0000000002D10000-0x0000000003110000-memory.dmp

memory/1760-28-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

memory/1760-29-0x0000000002D10000-0x0000000003110000-memory.dmp

memory/1760-26-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

memory/1760-24-0x0000000002D10000-0x0000000003110000-memory.dmp

memory/1760-30-0x0000000002D10000-0x0000000003110000-memory.dmp

memory/4364-31-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-30 16:10

Reported

2024-09-30 16:13

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-30 16:10

Reported

2024-09-30 16:13

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Installer\msvcp140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A