Analysis
max time kernel: 104s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
Resource: win10v2004-20250610-en
General
Target: 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
Size: 1.2MB
MD5: 8ba6b1857dfce1a4b7eb6b4c31ea0433
SHA1: 452d588a7802c0bdd73f1a0b5eb1be4c6cee2b70
SHA256: fb15b64570c8060609e3a29185244aefa9da30b6acb56f10642923ac4e098f22
SHA512: d96f7ccbe95d43185c73d23dd661d05db647daa5424ad09b734366c95c9102af7df3289884c48a07e3507adad97d11e76c142caa39975fcd60c87a6d5bf956b3
SSDEEP: 24576:G1QfopqgmJXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp049cYzK15yaGOjbvD/+XbdM:G1wg6XiTcNV7CS7bkY8xWa49cYW5yKDr
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | process
  2932 | tmppack.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmppack.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  5116 | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
  5116 | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 5116 wrote to memory of 2932 | 5116 | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe | 85
  PID 5116 wrote to memory of 2932 | 5116 | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe | 85
  PID 5116 wrote to memory of 2932 | 5116 | 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"
   PID: 5116
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe -y
      PID: 2932
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
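The process tree above is the classic drop-and-execute chain: the sample writes tmppack.exe into a randomly named folder under %TEMP%, launches it, and the three WriteProcessMemory IoCs show the parent writing into the child. The following is an added example, not code from the sandbox or the report: it runs that correlation over Sysmon-style events (EventID 11 FileCreate, 1 ProcessCreate, 10 ProcessAccess) and only alerts when the dropper opens its own dropped child with the access rights WriteProcessMemory needs. The event records are constructed to mirror this report's PIDs and paths; they are not captured telemetry, and the field names follow Sysmon's schema.

```python
"""Detect the drop -> execute -> write-into-child chain from Sysmon-style events.

Added example; not part of the sandbox report. SAMPLE_EVENTS is constructed
to mirror the report's process tree (PID 5116 drops and launches PID 2932).
"""
import re
from collections import defaultdict

# Access rights from winnt.h; WriteProcessMemory needs both on the target handle
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# An .exe exactly one directory below %LOCALAPPDATA%\Temp, e.g. ...\Temp\YQLBTOKOY\tmppack.exe
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

PARENT = r"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe"

SAMPLE_EVENTS = [  # constructed input, ordered by "seq"
    {"seq": 1, "EventID": 11, "ProcessId": 5116, "Image": PARENT, "TargetFilename": CHILD},
    {"seq": 2, "EventID": 1, "ProcessId": 2932, "ParentProcessId": 5116, "Image": CHILD, "CommandLine": "-y"},
    # parent opens the child with PROCESS_QUERY_LIMITED_INFORMATION only: not enough to write memory
    {"seq": 3, "EventID": 10, "SourceProcessId": 5116, "TargetProcessId": 2932, "GrantedAccess": "0x1000"},
    # full access, which is what the report's "wrote to memory of" IoCs imply
    {"seq": 4, "EventID": 10, "SourceProcessId": 5116, "TargetProcessId": 2932, "GrantedAccess": "0x1FFFFF"},
]


def find_drop_and_inject(events):
    """Return one alert per (parent, child) pair that completes the whole chain."""
    dropped = defaultdict(set)   # dropping pid -> lowercase paths it created under Temp\<dir>\
    children = {}                # child pid -> (parent pid, image path)
    alerts, seen = [], set()
    for ev in sorted(events, key=lambda e: e["seq"]):
        eid = ev["EventID"]
        if eid == 11:
            if TEMP_DROP.search(ev["TargetFilename"]):
                dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
        elif eid == 1:
            image = ev["Image"].lower()
            # only track children whose image the parent itself just dropped
            if image in dropped.get(ev["ParentProcessId"], ()):
                children[ev["ProcessId"]] = (ev["ParentProcessId"], image)
        elif eid == 10:
            child = children.get(ev["TargetProcessId"])
            if not child or child[0] != ev["SourceProcessId"]:
                continue  # not the dropper touching its own dropped child
            granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
            if granted & PROCESS_VM_WRITE and granted & PROCESS_VM_OPERATION:
                key = (ev["SourceProcessId"], ev["TargetProcessId"])
                if key not in seen:
                    seen.add(key)
                    alerts.append({"source_pid": key[0], "target_pid": key[1],
                                   "image": child[1], "granted_access": hex(granted)})
    return alerts


if __name__ == "__main__":
    for alert in find_drop_and_inject(SAMPLE_EVENTS):
        print(alert)
```

The access-mask check matters: a parent routinely holds a handle to its child, and many Sysmon configurations filter ProcessAccess heavily, so whether the handle CreateProcess hands back to the parent shows up as a separate EventID 10 depends on the deployed config. Treat the chain as a hunting lead and confirm with EventID 8 (CreateRemoteThread) or EDR API telemetry before escalating.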
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 6KB
MD5: 15bcf709fb25c7a12adc31337f674183
SHA1: 6190814afed856b543e5ef7488cb1f6b4488704a
SHA256: 397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588
SHA512: 49165fd09a5e909f7525cbbcdf866a2f06a30c9213d3051f8963a0ee1f9bab94ecdca09dce3748937b06df8a8069cfcd2315fbf1e46ab5ccff725df5492b986e

Filesize: 1KB
MD5: 0a396dc280db5266f43e244cb9c7d0f6
SHA1: 8c92c353dd7d5b3fc85e2c684fbced5316ec1930
SHA256: c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d
SHA512: 56faab16e15acc6437119caa3af77bd83b07ca9151be3924fdc295c745485f2bdc56f01d23f8a5ff4278fc5560ceacc8ac97572f5c0be548d648c0ca8cbb885d

Filesize: 1.6MB
MD5: a4a7f8cb2dbefe97901cf657f6ed5ca4
SHA1: 3b297cd14d8844b6da442557b0d82d1f2e888b22
SHA256: babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2
SHA512: bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

Filesize: 716KB
MD5: d2f31d4bcb2f93e137eed54a8f4c8874
SHA1: 28bf2717bfda88a3e93906c720065cde847b1487
SHA256: 473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c
SHA512: d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84
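The General and Downloads sections give file hashes but no names for the downloaded files, so the practical use of this report is hash-based hunting on disk. The following is an added example, not code from the sandbox or the report: it streams each file through MD5, SHA1, SHA256 and SHA512 in one pass and matches the SHA256 against the report's IoC table, which is transcribed here with size-only labels for the unnamed downloads. The self-check writes a constructed probe file into a temporary directory; it is there so the scanner can be exercised offline, not a sample from the report.

```python
"""Hash files on disk and match them against this report's file IoCs.

Added example; not from the report. IOCS is transcribed from the General and
Downloads sections (SHA256 -> label); the downloads carry no file names there.
"""
import hashlib
import os
import tempfile

IOCS = {
    "fb15b64570c8060609e3a29185244aefa9da30b6acb56f10642923ac4e098f22": "sample, 1.2MB",
    "397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588": "download, 6KB",
    "c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d": "download, 1KB",
    "babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2": "download, 1.6MB",
    "473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c": "download, 716KB",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def _new_digests():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def hash_bytes(data):
    """All four digests of an in-memory buffer, as lowercase hex strings."""
    digests = _new_digests()
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path, chunk_size=1 << 20):
    """All four digests of a file, computed in a single streaming pass."""
    digests = _new_digests()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan(root, iocs=IOCS):
    """Walk root and return (path, sha256, label) for every file whose SHA256 is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and open
            label = iocs.get(digests["sha256"])
            if label:
                hits.append((path, digests["sha256"], label))
    return hits


def self_check():
    """Write a constructed probe file and scan it twice: once against its own
    SHA256 (expect one hit) and once against the report's IOCS (expect none)."""
    with tempfile.TemporaryDirectory() as tmp:
        probe = os.path.join(tmp, "probe.bin")
        with open(probe, "wb") as fh:
            fh.write(b"hello")
        own = hash_bytes(b"hello")["sha256"]
        return scan(tmp, {own: "probe"}), scan(tmp)


if __name__ == "__main__":
    probe_hits, report_hits = self_check()
    print("probe hits:", probe_hits)
    print("report IoC hits in probe dir:", report_hits)
```

Exact-hash matching is brittle for droppers that are rebuilt per campaign; treat a match as confirmation, not as the only detection, and pair it with the behavioural pattern from the process tree (drop into a random %TEMP% subfolder, then execute and write into the child).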