Overview

overview

10

Static

static

3

kapubvalo.exe

windows7-x64

10

kapubvalo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2025, 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kapubvalo.exe

  • Size

    2.0MB

  • MD5

    bc42b228a222e547e199fe8a7ad012d0

  • SHA1

    7f7f2655c3b9fe74a225255f609ba89165be776d

  • SHA256

    560f888fe44146da6d08fda8fe0f6f6f6eaed3cab768096ac195e5d14a85a399

  • SHA512

    b4ce427095453f949b470ba58ba4177206e7512fd4c5fbf11430f1a00df385884c54a601a174a02434d0d2741a69cbb2a19e6ad1a9e83872dc028382646111d8

  • SSDEEP

    49152:5oIdtKEtKNtKAtKGtKvtK2dM0ErvDtKdn:j0E0N0A0G0v0Ak30

Score
10/10
rhadamanthyspersistencestealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1156
      • C:\Users\Admin\AppData\Local\Temp\kapubvalo.exe
        "C:\Users\Admin\AppData\Local\Temp\kapubvalo.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SoftwareDistribution\Download\drvloader.exe
          "C:\Windows\SoftwareDistribution\Download\drvloader.exe" C:\Windows\SoftwareDistribution\Download\vac.sys
          3⤵
          • Sets service image path in registry
          • Executes dropped EXE
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          PID:2944
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c color e
          3⤵
            PID:2752
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            3⤵
              PID:2792
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c color c
              3⤵
                PID:2772
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                3⤵
                  PID:2716
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c color c
                  3⤵
                    PID:2680
                • C:\Windows\system32\dialer.exe
                  "C:\Windows\system32\dialer.exe"
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2424

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\SoftwareDistribution\Download\drvloader.exe
                Filesize

                134KB

                MD5

                34cfbe3ff70461820ccc31a1afeec0b3

                SHA1

                5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9

                SHA256

                6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df

                SHA512

                1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e

                Download Submit

              • memory/2136-30-0x0000000001FB0000-0x00000000023B0000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2136-2-0x0000000000220000-0x0000000000249000-memory.dmp

                Filesize

                164KB

                Download

              • memory/2136-13-0x000007FEFD5A0000-0x000007FEFD60C000-memory.dmp

                Filesize

                432KB

                Download

              • memory/2136-12-0x0000000077310000-0x000000007742F000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/2136-3-0x0000000000090000-0x0000000000099000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2136-16-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/2136-15-0x0000000077431000-0x0000000077532000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2136-14-0x0000000001FB0000-0x00000000023B0000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2136-6-0x0000000001FB0000-0x00000000023B0000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2136-1-0x0000000001FB0000-0x00000000023B0000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2136-31-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/2424-17-0x0000000000060000-0x000000000006A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2424-21-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/2424-23-0x000007FEFD5A0000-0x000007FEFD60C000-memory.dmp

                Filesize

                432KB

                Download

              • memory/2424-24-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/2424-22-0x0000000077310000-0x000000007742F000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/2424-26-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download

              • memory/2424-19-0x0000000001B20000-0x0000000001F20000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2424-20-0x0000000077430000-0x00000000775D9000-memory.dmp

                Filesize

                1.7MB

                Download