Malware Analysis Report

2025-08-10 20:05

Sample ID 250704-n77hyasvb1
Target 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys
SHA256 fb15b64570c8060609e3a29185244aefa9da30b6acb56f10642923ac4e098f22
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb15b64570c8060609e3a29185244aefa9da30b6acb56f10642923ac4e098f22

Threat Level: Shows suspicious behavior

The file 2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys was found to show suspicious behavior. The family name in the submitted filename comes from the submitter; none of the signatures that fired in either detonation attributes the sample to a specific family, so treat the tags below (discovery, spyware, stealer) as the supported classification.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:05

Platform

win11-20250502-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\tmppack.exe  N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description  Indicator                                                    Process                                                                                                       Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe  N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\tmppack.exe                                                   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"

C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\tmppack.exe

-y

Network

Country  Destination        Domain          Proto
US       8.8.8.8:53         api.ibario.com  udp
US       174.36.241.171:80  api.ibario.com  tcp
US       174.36.241.171:80  api.ibario.com  tcp
US       174.36.241.171:80  api.ibario.com  tcp

Files

C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\tmppack.exe

MD5 d2f31d4bcb2f93e137eed54a8f4c8874
SHA1 28bf2717bfda88a3e93906c720065cde847b1487
SHA256 473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c
SHA512 d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\installer.pak

MD5 a4a7f8cb2dbefe97901cf657f6ed5ca4
SHA1 3b297cd14d8844b6da442557b0d82d1f2e888b22
SHA256 babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2
SHA512 bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

memory/4312-8-0x0000000002940000-0x0000000002ADD000-memory.dmp

memory/4312-78-0x0000000002B70000-0x0000000002B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35mea38\gui\events\cav.xml

MD5 0a396dc280db5266f43e244cb9c7d0f6
SHA1 8c92c353dd7d5b3fc85e2c684fbced5316ec1930
SHA256 c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d
SHA512 56faab16e15acc6437119caa3af77bd83b07ca9151be3924fdc295c745485f2bdc56f01d23f8a5ff4278fc5560ceacc8ac97572f5c0be548d648c0ca8cbb885d

C:\Users\Admin\AppData\Local\Temp\35mea38\gui\3231.html

MD5 15bcf709fb25c7a12adc31337f674183
SHA1 6190814afed856b543e5ef7488cb1f6b4488704a
SHA256 397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588
SHA512 49165fd09a5e909f7525cbbcdf866a2f06a30c9213d3051f8963a0ee1f9bab94ecdca09dce3748937b06df8a8069cfcd2315fbf1e46ab5ccff725df5492b986e

memory/4312-100-0x0000000002B70000-0x0000000002B71000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:05

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe  N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description  Indicator                                                    Process                                                                                                       Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe  N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe                                                       N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8ba6b1857dfce1a4b7eb6b4c31ea0433_elex_mafia_rhadamanthys.exe"

C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe

-y

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          api.ibario.com    udp
US       174.36.241.171:80   api.ibario.com    tcp
US       8.8.8.8:53          g.bing.com        udp
US       150.171.28.10:443   g.bing.com        tcp
GB       2.18.27.76:443      www.bing.com      tcp
US       8.8.8.8:53          tse1.mm.bing.net  udp
US       150.171.27.10:443   tse1.mm.bing.net  tcp
US       150.171.27.10:443   tse1.mm.bing.net  tcp
US       150.171.27.10:443   tse1.mm.bing.net  tcp
US       150.171.27.10:443   tse1.mm.bing.net  tcp
US       150.171.27.10:443   tse1.mm.bing.net  tcp
US       174.36.241.171:80   api.ibario.com    tcp
US       8.8.8.8:53          c.pki.goog        udp
GB       142.250.180.3:80    c.pki.goog        tcp
US       174.36.241.171:80   api.ibario.com    tcp
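The behavioral1 network table mixes the sample's own traffic with noise the Windows 10 image generates on its own (Bing search tiles, Google PKI CRL/OCSP fetches) and with resolver lookups to 8.8.8.8. The script below is an added example, not part of the sandbox report or any vendor tooling: it parses the rows as they appear above and keeps only contacts that cannot be explained by the image itself. The benign-suffix list and the resolver set are assumptions chosen for this page; in practice they come from a clean detonation of the same VM image.

```python
"""Separate sample-attributable network contacts from sandbox background noise.

Added example, not part of the original report or any vendor tooling. The
rows below are copied from the behavioral1 Network table; the benign-suffix
list and the resolver set are assumptions chosen for this page.
"""
from collections import defaultdict

# Rows copied from the behavioral1 Network table (header included, as on the page).
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 api.ibario.com udp
US 174.36.241.171:80 api.ibario.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 174.36.241.171:80 api.ibario.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 174.36.241.171:80 api.ibario.com tcp
"""

# Hosts the analysis VM contacts on its own (Windows search/Bing tiles, Google
# PKI CRL/OCSP fetches). Assumption for this example: build this list from a
# clean detonation of the same image rather than from memory.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".pki.goog")
# The sandbox's recursive resolver; a row to it on port 53 is a lookup, not a contact.
RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():          # header row or a destination without a port
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return any(domain == s.lstrip(".") or domain.endswith(s) for s in BENIGN_SUFFIXES)


def triage(rows):
    """Per non-benign domain: how often it was resolved and which endpoints were actually contacted."""
    seen = defaultdict(lambda: {"lookups": 0, "endpoints": defaultdict(int)})
    for r in rows:
        if is_benign(r["domain"]):
            continue
        if r["ip"] in RESOLVERS and r["port"] == 53:
            seen[r["domain"]]["lookups"] += 1
        else:
            seen[r["domain"]]["endpoints"][(r["ip"], r["port"], r["proto"])] += 1
    return {d: {"lookups": v["lookups"], "endpoints": dict(v["endpoints"])}
            for d, v in seen.items()}


def iocs(rows):
    """Flatten triage() into sorted (domain, ip, port, proto) tuples for a blocklist or hunt query."""
    return sorted((d, ip, port, proto)
                  for d, v in triage(rows).items()
                  for (ip, port, proto) in v["endpoints"])


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for domain, ip, port, proto in iocs(rows):
        hits = triage(rows)[domain]["endpoints"][(ip, port, proto)]
        print(f"{domain} -> {ip}:{port}/{proto} ({hits} connections)")
```

Run against the rows above, the only contact left is api.ibario.com at 174.36.241.171 over cleartext tcp/80, three connections in this detonation as in behavioral2. Because the traffic is plaintext HTTP, the detonation's pcap (not reproduced on this page) would show the request and any response body; that is the next artifact to pull before deciding whether this endpoint is a download server, a beacon, or an update check.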

Files

C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe

MD5 d2f31d4bcb2f93e137eed54a8f4c8874
SHA1 28bf2717bfda88a3e93906c720065cde847b1487
SHA256 473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c
SHA512 d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\installer.pak

MD5 a4a7f8cb2dbefe97901cf657f6ed5ca4
SHA1 3b297cd14d8844b6da442557b0d82d1f2e888b22
SHA256 babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2
SHA512 bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

memory/5116-9-0x0000000002970000-0x0000000002B0D000-memory.dmp

memory/5116-13-0x0000000002970000-0x0000000002B0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35mea38\gui\events\cav.xml

MD5 0a396dc280db5266f43e244cb9c7d0f6
SHA1 8c92c353dd7d5b3fc85e2c684fbced5316ec1930
SHA256 c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d
SHA512 56faab16e15acc6437119caa3af77bd83b07ca9151be3924fdc295c745485f2bdc56f01d23f8a5ff4278fc5560ceacc8ac97572f5c0be548d648c0ca8cbb885d

memory/5116-79-0x0000000002460000-0x0000000002461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35mea38\gui\3231.html

MD5 15bcf709fb25c7a12adc31337f674183
SHA1 6190814afed856b543e5ef7488cb1f6b4488704a
SHA256 397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588
SHA512 49165fd09a5e909f7525cbbcdf866a2f06a30c9213d3051f8963a0ee1f9bab94ecdca09dce3748937b06df8a8069cfcd2315fbf1e46ab5ccff725df5492b986e

memory/5116-101-0x0000000002970000-0x0000000002B0D000-memory.dmp

memory/5116-102-0x0000000002460000-0x0000000002461000-memory.dmp
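Across the two detonations the dropped payloads are byte-identical (same SHA-256 for tmppack.exe, installer.pak, cav.xml and 3231.html), but the first-stage drop directory changes from DVAXSRMLWKCUO to YQLBTOKOY while 35mea38 stays fixed. The script below is an added example, not part of the report: it correlates the Files sections of both runs by hash and turns the observed paths into a glob in which per-run components become wildcards, so a detection does not key on a directory name that will never recur. The records are copied from the Files sections above; wildcarding the user-name component when emitting a regex is an assumption made for this page.

```python
"""Correlate dropped-file records across two detonations of the same sample.

Added example, not part of the original report. The records are copied from
the behavioral2 and behavioral1 Files sections; the choice to wildcard the
user-name component when emitting a regex is an assumption for this page.
"""
import re

RUNS = {
    "behavioral2": [
        (r"C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\tmppack.exe",
         "473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c"),
        (r"C:\Users\Admin\AppData\Local\Temp\DVAXSRMLWKCUO\installer.pak",
         "babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2"),
        (r"C:\Users\Admin\AppData\Local\Temp\35mea38\gui\events\cav.xml",
         "c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d"),
        (r"C:\Users\Admin\AppData\Local\Temp\35mea38\gui\3231.html",
         "397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588"),
    ],
    "behavioral1": [
        (r"C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\tmppack.exe",
         "473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c"),
        (r"C:\Users\Admin\AppData\Local\Temp\YQLBTOKOY\installer.pak",
         "babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2"),
        (r"C:\Users\Admin\AppData\Local\Temp\35mea38\gui\events\cav.xml",
         "c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d"),
        (r"C:\Users\Admin\AppData\Local\Temp\35mea38\gui\3231.html",
         "397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588"),
    ],
}


def by_hash(runs):
    """sha256 -> {run name: path where that content was written}."""
    idx = {}
    for run, records in runs.items():
        for path, sha in records:
            idx.setdefault(sha, {})[run] = path
    return idx


def stable_across_runs(runs):
    """SHA-256 values present in every run: the dropper writes these byte-identically."""
    return sorted(sha for sha, seen in by_hash(runs).items() if set(seen) == set(runs))


def generalize(paths):
    """Align the observed paths of one artifact component by component; components that differ become '*'."""
    splits = [p.split("\\") for p in paths]
    if len({len(s) for s in splits}) != 1:
        raise ValueError("paths differ in depth; cannot align components")
    return "\\".join(c[0] if len(set(c)) == 1 else "*" for c in zip(*splits))


def drop_patterns(runs):
    """(filename, glob, sha256) for every artifact dropped in all runs."""
    idx = by_hash(runs)
    out = []
    for sha in stable_across_runs(runs):
        paths = list(idx[sha].values())
        out.append((paths[0].rsplit("\\", 1)[1], generalize(paths), sha))
    return out


def to_regex(glob):
    """Regex for file-create telemetry. Assumption: the user-name component under C:\\Users is wildcarded too."""
    parts = glob.split("\\")
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = "*"
    return "^" + r"\\".join(r"[^\\]+" if p == "*" else re.escape(p) for p in parts) + "$"


def matches(glob, path):
    """True if a path seen in telemetry fits the generalized pattern."""
    return re.match(to_regex(glob), path) is not None


if __name__ == "__main__":
    for name, glob, sha in drop_patterns(RUNS):
        print(f"{name:14} {glob}  sha256={sha[:12]}...")
```

For this sample the output gives `C:\Users\Admin\AppData\Local\Temp\*\tmppack.exe` and `...\*\installer.pak` for the first stage, while the cav.xml and 3231.html paths under 35mea38 need no wildcard. The durable indicators are therefore the four SHA-256 values, the filenames tmppack.exe and installer.pak written into a fresh directory directly under %TEMP%, and the fixed 35mea38\gui directory; the random directory name from either run is worthless as a literal IOC. The same alignment works on any number of runs, not just the two shown here.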