Malware Analysis Report

2024-11-30 02:27

Sample ID 241013-1vrm6sveqj
Target f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe
SHA256 f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
Tags
rhadamanthys discovery stealer
score
10/10


Analysis Overview

score
10/10

SHA256

f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499

Threat Level: Known bad

The file f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 21:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 21:58

Reported

2024-10-13 22:01

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1740 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\Explorer.EXE

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
N/A (4 events) | N/A | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 2544 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 3056 wrote to memory of 1740 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2544 wrote to memory of 2272 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2916 (6 events) | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | "C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe"
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe | "C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 628
C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"

Network

N/A

Files

memory/2916-37-0x0000000077050000-0x0000000077097000-memory.dmp

memory/2916-35-0x0000000077B30000-0x0000000077CD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main.exe

MD5 e1e28c3acf184aa364c9ed9a30ab7289
SHA1 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c
SHA256 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
SHA512 e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

memory/2916-33-0x0000000000880000-0x0000000000C80000-memory.dmp

memory/1740-31-0x00000000013B0000-0x0000000001438000-memory.dmp

memory/2916-30-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1740-29-0x0000000077050000-0x0000000077097000-memory.dmp

memory/1740-27-0x0000000077B30000-0x0000000077CD9000-memory.dmp

memory/1740-26-0x00000000009C0000-0x0000000000DC0000-memory.dmp

memory/1740-25-0x00000000009C0000-0x0000000000DC0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Eclipse.exe

MD5 e1990fe52ec2c952b28350a8f1c1689e
SHA1 2fd088c787de7573337cb533d275d8d9fb56c644
SHA256 a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4
SHA512 e41f4561a6dd4ed3335f92f2b87e8abeab1042c78e6333496ff7240a705093710f6b7328abd98592aaf8728cc5733f3e49b6dc8762056e7f4b3cb98a1d7d66e0

memory/2544-19-0x00000000000D0000-0x0000000000BF6000-memory.dmp

memory/1740-18-0x00000000013B0000-0x0000000001438000-memory.dmp

memory/3056-16-0x0000000000400000-0x0000000000F9C000-memory.dmp

memory/3056-10-0x0000000002AE0000-0x0000000002B68000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 21:58

Reported

2024-10-13 22:01

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

97s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2992 created 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\system32\sihost.exe

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A
N/A (4 events) | N/A | C:\Windows\SysWOW64\dialer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4356 wrote to memory of 3472 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
PID 4356 wrote to memory of 2992 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2992 wrote to memory of 116 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Windows\SysWOW64\dialer.exe

Processes

Process | Command line
C:\Windows\system32\sihost.exe | sihost.exe
C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe | "C:\Users\Admin\AppData\Local\Temp\f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499.exe"
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe | "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe | "C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3472 -ip 3472
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1076
C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

MD5 e1990fe52ec2c952b28350a8f1c1689e
SHA1 2fd088c787de7573337cb533d275d8d9fb56c644
SHA256 a5f5d652e2682b0162924b23b509bace21566526b6ac0d44e2a273e3a77440f4
SHA512 e41f4561a6dd4ed3335f92f2b87e8abeab1042c78e6333496ff7240a705093710f6b7328abd98592aaf8728cc5733f3e49b6dc8762056e7f4b3cb98a1d7d66e0

memory/3472-14-0x000000007388E000-0x000000007388F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main.exe

MD5 e1e28c3acf184aa364c9ed9a30ab7289
SHA1 1a173a6f4ec39fe467f1b4b91c9fad794167ac1c
SHA256 03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
SHA512 e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

memory/2992-23-0x0000000000880000-0x0000000000908000-memory.dmp

memory/4356-24-0x0000000000400000-0x0000000000F9C000-memory.dmp

memory/3472-25-0x0000000000BF0000-0x0000000001716000-memory.dmp

memory/3472-26-0x00000000060D0000-0x000000000616C000-memory.dmp

memory/3472-27-0x0000000006720000-0x0000000006CC4000-memory.dmp

memory/3472-28-0x0000000006210000-0x00000000062A2000-memory.dmp

memory/3472-29-0x00000000061C0000-0x00000000061CA000-memory.dmp

memory/3472-31-0x0000000073880000-0x0000000074030000-memory.dmp

memory/3472-30-0x0000000006430000-0x0000000006486000-memory.dmp

memory/3472-32-0x0000000073880000-0x0000000074030000-memory.dmp

memory/2992-33-0x0000000003990000-0x0000000003D90000-memory.dmp

memory/2992-37-0x0000000003990000-0x0000000003D90000-memory.dmp

memory/2992-36-0x00007FFA668F0000-0x00007FFA66AE5000-memory.dmp

memory/2992-35-0x0000000003990000-0x0000000003D90000-memory.dmp

memory/2992-34-0x0000000003990000-0x0000000003D90000-memory.dmp

memory/2992-39-0x00000000754B0000-0x00000000756C5000-memory.dmp

memory/116-40-0x0000000000520000-0x0000000000529000-memory.dmp

memory/2992-41-0x0000000000880000-0x0000000000908000-memory.dmp

memory/116-43-0x00000000023E0000-0x00000000027E0000-memory.dmp

memory/116-44-0x00007FFA668F0000-0x00007FFA66AE5000-memory.dmp

memory/116-46-0x00000000754B0000-0x00000000756C5000-memory.dmp