Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/04/2025, 18:58

General

  • Target
    Armageddon.rar
  • Size
    63.6MB
  • MD5
    5c83ed38de72379180793a33359b9e0d
  • SHA1
    68a5ac8a6bacc36b6c13fdcac0b005e2eacf066a
  • SHA256
    f76c3a8f6b4c04dea2a6e02ba5d08cc967175c3035f87eb35e1d959568fd378a
  • SHA512
    01cc871733c4019ae18c54b8ef415e78de9fdf425756b71ddc353dfc8691cf4984b673a39d8b78606f8f4d1923e602fe2b37cad4962a90faf31f909f7943928e
  • SSDEEP
    1572864:bU+ad/EmQmp3nzuPby5vBPbEO6ohRb5/nKpD+/:bUNQmNnzuPujhRb5f2i/

Score
10/10

Malware Config

Signatures

  • Detects Rhadamanthys payload 1 IoCs
  • Rhadamanthys

    Rhadamanthys is an information stealer written in C++, first seen in August 2022.

  • Rhadamanthys family
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Armageddon.rar"
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2360
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5720
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2296
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:6132
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\setup\bin\data\FLEngine_x64.dll"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1612
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\setup\bin\application.ini
      • Opens file in notepad (likely ransom note)
      PID:1296

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zE839A2908\msvcp290.dll
    Filesize
    3.6MB
    MD5
    bda101bb10ae2f6d573c6cc0230d0c54
    SHA1
    e45496d29a636a4b79c68981e9e61730f6277a76
    SHA256
    84255595956c98b371bf24d1a6d41f8f69daa0be3d913a49887c467ec3bb65bd
    SHA512
    1b45f3b453c2a112354ef290c9195f7680a30c2f1448d8c2c733d457f7cbccf78176eff5e05ac8530368fd2af746965282c249254eb4709881a51b0818329809
  • C:\Users\Admin\AppData\Local\Temp\7zE839A2908\nasrallah_x86.dll
    Filesize
    439KB
    MD5
    2e3d4cab5dd86cc6e536162d70613d46
    SHA1
    823a8cf30a4fef127431849d84d7737cdece5e9b
    SHA256
    1d5b2ba0a99228befaad231171fdf7f8ccbf2f7a4685b2b3829df112ee70284a
    SHA512
    81813ab1e86a4ac853292f774f69115a1d601d5b45bdd082fdbddfb6b9a7fa0355f1886d2a711e8805457bf51af11fb9fa2a17a12a89fa0406cceddee57c15c1
  • C:\Users\Admin\AppData\Local\Temp\7zE839A2908\tier0_s64.dll
    Filesize
    412KB
    MD5
    de738f87b7a558476d73d590ea20a3b9
    SHA1
    ea2da2c8b5c811ea798805d3e77250f12cf6da76
    SHA256
    87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850
    SHA512
    934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b
  • C:\Users\Admin\AppData\Local\Temp\7zE839A2908\vcruntime210.dll
    Filesize
    4KB
    MD5
    7b8f768c06420d31c53f1d97dafe1e93
    SHA1
    12db6e84217924071bb0ca6aad60dbdd7bdd85dc
    SHA256
    9c7490f282e414a11006d9965a962f791ba1f256240ebaba865a7a0e80eb02f9
    SHA512
    cd7b3fd34f67e6d0f7c8c06989214a56f2f8a276723fb9e8fdbc4e8f06a294df00f44bf543893e8498ff8f85dd29bb517e9528dddb2025a4a92d19d1dd608aa2
  • C:\Users\Admin\Desktop\setup\bin\application.ini
    Filesize
    552B
    MD5
    b25b88a8b83633617aca8a97d13b93a1
    SHA1
    e312c1a8469f7ae9257c7e4c92dba062ffc6dd5f
    SHA256
    183e5bcc5fcf6efa1c623d6d8ebddd1cc94e4fb283c1ec63d329fa4e1b9abd05
    SHA512
    9ea8d48aa0914f76116200ea7d150bca7b6c5cde7b6d0f6c8a244c948844d5f266820d6a53b2b6f8c80010e8032cf969906f9b271c98a1dce2eb811d06f5167f
  • C:\Users\Admin\Desktop\setup\bin\data\FLEngine_x64.dll
    Filesize
    49.7MB
    MD5
    bbe92690771bd4d9daba74b8f6d2c7d5
    SHA1
    7b87c002ce2348d212cbba0e15ed8cf5108f4a82
    SHA256
    05a5bf1b5dfb06f9b535cd08c90aec5f4fdb57522c5ffb86bdd4f16416afcfa8
    SHA512
    b8b823349514096765ee4c0f8bf7f3ea503100a358cf169bab5df4305e0357bbffc710c69ca82269c5ec276bb1ccf546286886eb626f4de9981c6deff17b8ceb