Overview

overview

10

Static

static

1

RG Launcher.exe

windows10-ltsc 2021-x64

10

RG Launcher.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-11-2024 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RG Launcher.exe

  • Size

    175.7MB

  • MD5

    cb3ce412a9c4cb7f0cf20344fdb2f46e

  • SHA1

    bed9b9bedfe2f7d328b66fd9c5914ad8fa0f69a2

  • SHA256

    a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014

  • SHA512

    5b92e1c448ab2f6b46c04d496207bbc843cb223db341ca493469907dc96206e02e9db95356fac6d75833c018d876417481c429b2def5dc9be54eec9cce288c26

  • SSDEEP

    786432:0C6zTLvV+8ym5CqWpQshx4i9vnrX5hf9RMFJKaRODgJZhybxJXZdZdDIll3S+GE3:0fTB/P4Dzr9v/1iFIRDgtmxJp1O3h

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://147.45.70.184:1525/f6e80fbec866c8b43/AVS

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2884
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:612
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2448
    • C:\Users\Admin\AppData\Local\Temp\RG Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\RG Launcher.exe"
      1⤵
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Users\Admin\AppData\Local\DownloadedExes\1.exe
        "C:\Users\Admin\AppData\Local\DownloadedExes\1.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:248
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 532
          3⤵
          • Program crash
          PID:1264
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 528
          3⤵
          • Program crash
          PID:4860
      • C:\Users\Admin\AppData\Local\DownloadedExes\2.exe
        "C:\Users\Admin\AppData\Local\DownloadedExes\2.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 532
          3⤵
          • Program crash
          PID:1548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
          3⤵
          • Program crash
          PID:2520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 248 -ip 248
      1⤵
        PID:2528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 248 -ip 248
        1⤵
          PID:4572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1956 -ip 1956
          1⤵
            PID:1100
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1956 -ip 1956
            1⤵
              PID:2732

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\DownloadedExes\1.exe
              Filesize

              16.6MB

              MD5

              b4e80b2b2278c16fc0d9d96509273b38

              SHA1

              3a690dba90353088dbb5da1897b09bdb55a934d6

              SHA256

              afa73902cb62bd3fc39c67ff494172148144f2bc194a31250390d8b6f94f3473

              SHA512

              830d858cade6a20021c3bf4addca71ca01638107ced1d51278a515745862274c6ca96c23104dba645c0c513060c06474e2fa878c0820bddda2a37f4f3181cc48

              Download Submit

            • C:\Users\Admin\AppData\Local\DownloadedExes\2.exe
              Filesize

              16.5MB

              MD5

              0c6b1946ae82e2cb099f3f24ec6082ed

              SHA1

              1bff64d5b7657b6b77daef3037215043d48aaad5

              SHA256

              2f2309857af8f8fdb34f7e077c8059ae3e734f1f2685736f69771cf9497cf4c2

              SHA512

              6dccfba891128d5c85d7b120863fad2954d99abcf826c2a786d24450d47db0f0e094761b58c7d83dd5292a73b6c964ddb0086a412ff13b518628d6df8282b99d

              Download Submit

            • memory/248-31-0x00007FF8AFE01000-0x00007FF8AFF2A000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/248-26-0x0000000003C80000-0x0000000004080000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/248-27-0x0000000003C80000-0x0000000004080000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/248-28-0x0000000003C80000-0x0000000004080000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/248-29-0x0000000003C80000-0x0000000004080000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/248-33-0x0000000076050000-0x00000000762A2000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/248-30-0x00007FF8AFE00000-0x00007FF8B0009000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/248-40-0x0000000003C80000-0x0000000004080000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/248-25-0x0000000001310000-0x000000000138E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/612-36-0x00000000027D0000-0x0000000002BD0000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/612-39-0x0000000076050000-0x00000000762A2000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/612-37-0x00007FF8AFE00000-0x00007FF8B0009000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/612-34-0x0000000000A20000-0x0000000000A29000-memory.dmp

              Filesize

              36KB

              Download

            • memory/1956-42-0x0000000003520000-0x0000000003920000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1956-45-0x0000000076050000-0x00000000762A2000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/1956-43-0x00007FF8AFE00000-0x00007FF8B0009000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2448-48-0x0000000002BC0000-0x0000000002FC0000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2448-49-0x00007FF8AFE00000-0x00007FF8B0009000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2448-51-0x0000000076050000-0x00000000762A2000-memory.dmp

              Filesize

              2.3MB

              Download