Overview

overview

10

Static

static

3

goodboy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2025 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    goodboy.exe

  • Size

    860KB

  • MD5

    11ad0f71caabbadba8ca08663690ca39

  • SHA1

    2dde6d4b02f8121c7e79af49ff524b96e62fc708

  • SHA256

    861f2c5f07c9e1c7d24c2e34eb47ff3129cd39a2227a2549809b9d5c92267883

  • SHA512

    ea4e66ea0df09c2f4ae90731ccf06343b7ba3066915f234858fdaee39cb39dc681ebcc9b82ccc38ab146330b1fad2cced798d0bf694ec9d31d963abf789c7a9c

  • SSDEEP

    24576:I2yEGU/CgPh3wl0oKEJKpSL3MG6/2ZbNy0:IFG/Cy5poKVpSTn

Score
10/10
rhadamanthysdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detects Rhadamanthys payload 4 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2788
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4268
    • C:\Users\Admin\AppData\Local\Temp\goodboy.exe
      "C:\Users\Admin\AppData\Local\Temp\goodboy.exe"
      1⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD0~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD0~1.EXE
        2⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c214.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c214.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c214.exe
          "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c214.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 332
            4⤵
            • Program crash
            PID:3936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 812
          3⤵
          • Program crash
          PID:3352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1192 -ip 1192
      1⤵
        PID:432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1196 -ip 1196
        1⤵
          PID:3116

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD0~1.EXE
          Filesize

          393KB

          MD5

          b15c2d0072df0e7c756c4338f34643dc

          SHA1

          e2a542c27ef62e873eecaf4a5ac2fd35857996c2

          SHA256

          56d449ae82f8985ed268a7ce88d51729f96e22ae023ac7c8b57f32e565670c0d

          SHA512

          e13cabfa08d2367ace57db1861d924c2ea359f932aa4eb935f3adde8e7f6de453f25fa6c38836dd5f6aebdc3d38b09ce6ed479b3ac29edc92018125f83da36fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c214.exe
          Filesize

          637KB

          MD5

          dc89d3df253d2a99c687fdc1175525b0

          SHA1

          4c545dd39023631340eaffe0b970dbd7cd2ed310

          SHA256

          1838af37f774045256981101f05c22cc796088ae6643f7de07b3d6ac19a9b9f3

          SHA512

          19b36bbbbb07467360f9a7c7a72ce12e3593b5db3fde40b08c5c3127143ecc10038afb4f8369e691937efd277a83252cdcd0fb1e182685f2e04d339458391cf0

          Download Submit

        • memory/1100-7-0x00007FF8589A3000-0x00007FF8589A5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1100-8-0x000001F1FB420000-0x000001F1FB488000-memory.dmp

          Filesize

          416KB

          Download

        • memory/1100-9-0x000001F1FB8B0000-0x000001F1FB900000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1100-10-0x00007FF8589A0000-0x00007FF859461000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1100-11-0x000001F1FDA80000-0x000001F1FDC42000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1100-12-0x000001F198F70000-0x000001F199498000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1100-13-0x000001F1FB840000-0x000001F1FB852000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1100-14-0x000001F1FD930000-0x000001F1FD9A6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1100-15-0x000001F1FB860000-0x000001F1FB87E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1100-17-0x00007FF8589A0000-0x00007FF859461000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1192-23-0x0000000005D30000-0x00000000062D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1192-29-0x00000000751F0000-0x00000000759A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1192-21-0x00000000751FE000-0x00000000751FF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-22-0x0000000000D70000-0x0000000000E16000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-32-0x0000000001680000-0x0000000001A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1196-34-0x00007FF876A50000-0x00007FF876C45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1196-30-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/1196-27-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/1196-31-0x0000000001680000-0x0000000001A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1196-28-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/1196-33-0x0000000001680000-0x0000000001A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1196-25-0x0000000000400000-0x0000000000481000-memory.dmp

          Filesize

          516KB

          Download

        • memory/1196-36-0x0000000076A60000-0x0000000076C75000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1196-43-0x0000000001680000-0x0000000001A80000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4268-39-0x0000000001550000-0x0000000001950000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4268-42-0x0000000076A60000-0x0000000076C75000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4268-40-0x00007FF876A50000-0x00007FF876C45000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4268-37-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

          Filesize

          40KB

          Download