Overview

overview

10

Static

static

1

Bootstrapperx-64.exe

windows7-x64

10

Bootstrapperx-64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2025 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapperx-64.exe

  • Size

    3.3MB

  • MD5

    38c66e9633c76cb1cf97f64b50c2a70f

  • SHA1

    11266ac4127867d1524186c54c64783d62ff1f5f

  • SHA256

    d4fdddf67ad137ecda25132a0c4e7eeeae875b6d549aad40193f8a05031c32a2

  • SHA512

    15509f36935bf30eb9a47a8fea2463228b8d783c29c408d4c1e3071c067e14a9f2ba5349e84e1e196adf1dc7ff3569bc9693dc4898c1cc7b1c794cca16be0604

  • SSDEEP

    49152:KSC9PLwyVeNnaJnue+3U9Saf22bHRkfC+fguSYh+BD3xz/9M5hrSkrX:ZCiN4uzU0afvbACQ3EVz9M5t

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2988
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4652
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Users\Admin\AppData\Local\Temp\is-T2F9E.tmp\Bootstrapperx-64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-T2F9E.tmp\Bootstrapperx-64.tmp" /SL5="$90022,2160511,119296,C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe
          "C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe" /VERYSILENT
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1064
          • C:\Users\Admin\AppData\Local\Temp\is-NTVJ5.tmp\Bootstrapperx-64.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-NTVJ5.tmp\Bootstrapperx-64.tmp" /SL5="$70030,2160511,119296,C:\Users\Admin\AppData\Local\Temp\Bootstrapperx-64.exe" /VERYSILENT
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:8
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2452
              • C:\Windows\SysWOW64\find.exe
                find /I "wrsa.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4984
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2456
              • C:\Windows\SysWOW64\find.exe
                find /I "opssvc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2768
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3164
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:3820
              • C:\Windows\SysWOW64\find.exe
                find /I "avastui.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1556
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:940
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1012
              • C:\Windows\SysWOW64\find.exe
                find /I "avgui.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3396
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4224
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:368
              • C:\Windows\SysWOW64\find.exe
                find /I "nswscsvc.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3932
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1576
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1824
              • C:\Windows\SysWOW64\find.exe
                find /I "sophoshealth.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:5032
            • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
              "C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe" preregulated.a3x
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:116
              • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
                "C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe"
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1372
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 324
                  7⤵
                  • Program crash
                  PID:3088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372
      1⤵
        PID:2980

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\AutoIt3.exe
        Filesize

        921KB

        MD5

        3f58a517f1f4796225137e7659ad2adb

        SHA1

        e264ba0e9987b0ad0812e5dd4dd3075531cfe269

        SHA256

        1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

        SHA512

        acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

        Download Submit

      • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\preregulated.a3x
        Filesize

        1.1MB

        MD5

        a00d62c6933431bd2308175bf71cc1c9

        SHA1

        6c142eb1bc5d8aa4ff42c8707fb7fbc77683b908

        SHA256

        3e5cce91cb1cc1439bf99ebdb448cd62e7dffcfd58f4339c976b6af193c07f55

        SHA512

        47b6f0e475a10d0cc15d3a25b76f0e1352ca782d1a4a5eab5dc7e884da5c516d6d9c43223e1cb5aad3a3848796d7d520e48b4047633683af92a25eb4ee73e1a2

        Download Submit

      • C:\ProgramData\{2DF544D0-2B54-4551-8FF2-3501593E44C4}\preregulated.flv
        Filesize

        439KB

        MD5

        ac8beb8989fcb0a9058f337fd24d3a43

        SHA1

        5fadbe148b99764528b1d68a6d9c743437795994

        SHA256

        da4abd7c27852cdb41b50b19922e4724d7c8d7f6c863292bc10986026a8a4c13

        SHA512

        5d1b6165c887e1db9cadb9993007f39a9d0f9c7fed4398d41eb8457be551694dada73220b34356da85dd6d6e3670875246446380e354d904a418d670348035e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-J6EL7.tmp\_isetup\_shfoldr.dll
        Filesize

        22KB

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-T2F9E.tmp\Bootstrapperx-64.tmp
        Filesize

        1.1MB

        MD5

        b1f9d665e52c29972b50d7145d88dce1

        SHA1

        df2c67a5c32a19bb110ec8372134522c0dab9ac2

        SHA256

        2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787

        SHA512

        bcdce189402ffc1c17b9803ac4040bd1cb23e32ba2c1476cbcfae13438078e01f78ad3f76e1bf71a6ec204663aa5f5780990016fc074218763d63db1431f1e75

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-V5H5J.tmp\_isetup\_iscrypt.dll
        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-V5H5J.tmp\_isetup\_isdecmp.dll
        Filesize

        13KB

        MD5

        a813d18268affd4763dde940246dc7e5

        SHA1

        c7366e1fd925c17cc6068001bd38eaef5b42852f

        SHA256

        e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

        SHA512

        b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

        Download Submit

      • memory/1064-72-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1064-23-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1064-25-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1064-46-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1372-77-0x0000000000CA0000-0x0000000000D21000-memory.dmp

        Filesize

        516KB

        Download

      • memory/1372-80-0x00007FF83A050000-0x00007FF83A245000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1372-82-0x00000000772B0000-0x00000000774C5000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1372-79-0x0000000001270000-0x0000000001670000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1372-78-0x0000000001270000-0x0000000001670000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1372-75-0x0000000000CA0000-0x0000000000D21000-memory.dmp

        Filesize

        516KB

        Download

      • memory/1940-33-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1940-49-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1940-70-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1940-61-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3100-2-0x0000000000401000-0x0000000000412000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3100-0-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3100-32-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/4600-28-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4600-6-0x0000000000400000-0x000000000052C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4652-83-0x00000000003F0000-0x00000000003FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4652-85-0x0000000000C00000-0x0000000001000000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4652-88-0x00000000772B0000-0x00000000774C5000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4652-86-0x00007FF83A050000-0x00007FF83A245000-memory.dmp

        Filesize

        2.0MB

        Download