Overview

overview

10

Static

static

5

Ssna11.exe

windows7-x64

3

Ssna11.exe

windows10-2004-x64

3

Sunlogin_output.exe

windows7-x64

10

Sunlogin_output.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sunlogin_output.exe

  • Size

    63.6MB

  • MD5

    af61e50d2c391aefd54d6fef36be542d

  • SHA1

    0bd5a47894cf6436e541644ea957d2da6544b78a

  • SHA256

    46379d431e8e4bb7104555ece6dd254b34ad461cca1793d0f7dcd3f7b70de7bf

  • SHA512

    46ce0fd1f135ec19359d5cdb59c3f67dc31104f92d2a97b81a47b3ddd45311564dba49adcf6ea90eec168bca6b68c27b7da67ead648162d5f630332819cc7209

  • SSDEEP

    786432:llOLwxvg0im7xP8tNA7RJlzOob13dT3mBspsQzS/bhu5UI798wJMwmnX0HGR5z:llOLio0r71qAvUob135mzQzpUu/rmZF

Score
10/10
rhadamanthysdiscoverystealerupx

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 16 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\Sunlogin_output.exe
        "C:\Users\Admin\AppData\Local\Temp\Sunlogin_output.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Program Files (x86)\Sunlogin\SunloginClient.exe
          "C:\Program Files (x86)\Sunlogin\SunloginClient.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Program Files (x86)\Sunlogin\SunloginClient.exe
            "C:\Program Files (x86)\Sunlogin\SunloginClient.exe" --mod=install --admin=1
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1708
        • C:\Program Files (x86)\Sunlogin\SunAnquan.exe
          "C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\config.ini"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
        • C:\Program Files (x86)\Sunlogin\SunAnquan.exe
          "C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\sun_config.ini"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2004
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2000
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {532D8310-E71C-47D1-80B9-FF3E4CD6D7FF} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Program Files (x86)\Sunlogin\SunAnquan.exe
        "C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\config.ini"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Sunlogin\SunAnquan.exe
      Filesize

      14KB

      MD5

      426dfd5ece3b41970773031637cd5539

      SHA1

      d0fe14f8dab89aaddac8b1c89b1cee48396ec636

      SHA256

      737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8

      SHA512

      5c66ea3360115d6dcc71f6d624a886f3c992c5d30338880b0ba48db77dd7fa744b60a3d65fed63427ebb3a8bcf9b204e9ba1521d8c9f0e804ce0db76befa8935

      Download Submit

    • C:\Program Files (x86)\Sunlogin\config.ini
      Filesize

      910KB

      MD5

      93c7ca328e30b4142f1d7202f864eba7

      SHA1

      53dac1968204812a95dedea4b923ed3d1e18b5c1

      SHA256

      01a668544e0bf9ff0ee12f4c090738a8b460c0d183fb4da0169b93d5c02efa7b

      SHA512

      9c68adcb1736d4c4606dbe512df78cca08ba262024d104edb17ceba7014d21eb26747942f4b92c6b87bec537d781c0c00031b581010b67d5f21a4f34b7581441

      Download Submit

    • C:\Program Files (x86)\Sunlogin\lua5.1.dll
      Filesize

      164KB

      MD5

      24a0d2ef5b931a2a13341a2503b1de80

      SHA1

      6201347d1ded92d365126a1225768e11c33ee818

      SHA256

      fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f

      SHA512

      5e06f88bb3920cef40a4941efb3b4d3012edf868cc3042f9dbc1989c76b410b4e2da12c20ae2fbcffe5525b43aeca8875e51167d0ce041864d546fdb2e1fecd2

      Download Submit

    • C:\Program Files (x86)\Sunlogin\sun_config.ini
      Filesize

      636KB

      MD5

      fb5c9d4258a310e13712a1a4ec63a5b3

      SHA1

      4c8db46c25b6ef9071dff884bf2a08e17ea4e384

      SHA256

      d0c667d6b7ed468f409079dff0ba8d8db8b20df71b1cb52c92a400dba8aa8bfe

      SHA512

      ad24ee048599f3f32876290e1d010be2d45bd1bea4a4bf2e52f74d01481fdd16bab8dda9eeccc965ac1be8337792778556022b6c530fac4cbff79bd87897fd1f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\check_sign_test.log
      Filesize

      280B

      MD5

      8394de2d276795e5602db0a28da1fa19

      SHA1

      cb6ffc6e9ee2bae3f8f10cd36032a3d0eb823ef4

      SHA256

      0fc2261bdb1256e74ff8ca4aa1d413ce584c325fc1e47ccccb3e40876b97a9a1

      SHA512

      9baca0f3d91b261e8d52498f8bae2eae0164fa7d130e287add3ea31ad4666c79dd6bbd35eb147641ebad909cd1993840c0c405821d0ea34033a33ab7431c91b4

      Download Submit

    • \Program Files (x86)\Sunlogin\alien\core.dll
      Filesize

      25KB

      MD5

      24b6950afd8663a46246044e6b09add8

      SHA1

      6444dab57d93ce987c22da66b3706d5d7fc226da

      SHA256

      9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071

      SHA512

      e1967e7e8c3d64b61451254da281415edf9946a6c8a46006f39ae091609c65666c376934b1bdcbd2a7f73adea7aa68e557694f804bf3bc3ce7854fa527e91740

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsuA999.tmp\INetC.dll
      Filesize

      25KB

      MD5

      40d7eca32b2f4d29db98715dd45bfac5

      SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

      SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

      SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

      Download Submit

    • memory/1168-94-0x0000000001F60000-0x0000000001F67000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1168-92-0x0000000004620000-0x0000000004688000-memory.dmp

      Filesize

      416KB

      Download

    • memory/1708-102-0x0000000000970000-0x0000000006CC2000-memory.dmp

      Filesize

      99.3MB

      Download

    • memory/1920-89-0x0000000000970000-0x0000000006CC2000-memory.dmp

      Filesize

      99.3MB

      Download

    • memory/2000-83-0x0000000077C20000-0x0000000077DC9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2000-80-0x00000000000D0000-0x00000000000D9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2000-82-0x0000000001CD0000-0x00000000020D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2000-85-0x0000000075FE0000-0x0000000076027000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2004-79-0x0000000075FE0000-0x0000000076027000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2004-77-0x0000000077C20000-0x0000000077DC9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2004-75-0x0000000001CD0000-0x00000000020D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2004-74-0x0000000001CD0000-0x00000000020D0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2004-73-0x0000000000370000-0x0000000000379000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2060-76-0x00000000047E0000-0x000000000AB32000-memory.dmp

      Filesize

      99.3MB

      Download

    • memory/2060-101-0x00000000047E0000-0x000000000AB32000-memory.dmp

      Filesize

      99.3MB

      Download