Windows
Analysis Report
a2zZyepQzF.exe
Overview
General Information
Sample name: | a2zZyepQzF.exe (renamed because the original name is a hash value) |
Original sample name: | ed02ac429db2a8e556c8edd22d575ae4caae45719df16dce9b2026205572a426.exe |
Analysis ID: | 1556256 |
MD5: | 7c636c7587c6e01eca1ffb03f137156d |
SHA1: | 7356eff93825c1fcc5483d231a674b9c62b13804 |
SHA256: | ed02ac429db2a8e556c8edd22d575ae4caae45719df16dce9b2026205572a426 |
Tags: | exe, LionSoftwareLLC, user-JAMESWT_MHT |
Detection
RHADAMANTHYS
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Drops large PE files
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Uncommon Child Process Of BgInfo.EXE
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Classification
- System is w10x64
- a2zZyepQzF.exe (PID: 5864, cmdline: "C:\Users\user\Desktop\a2zZyepQzF.exe", MD5: 7C636C7587C6E01ECA1FFB03F137156D)
  - cmd.exe (PID: 2852, cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq DocuAppCenter.exe" /FO csv | "C:\Windows\system32\find.exe" "DocuAppCenter.exe", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 5072, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tasklist.exe (PID: 5020, cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq DocuAppCenter.exe" /FO csv, MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - find.exe (PID: 768, cmdline: "C:\Windows\system32\find.exe" "DocuAppCenter.exe", MD5: 15B158BC998EEF74CFDD27C44978AEA0)
- DocuAppCenter.exe (PID: 2620, cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe", MD5: 7C8A196CCBBDD56338960528E97C45E4)
  - DocuAppCenter.exe (PID: 6704, cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\DocuAppCenter" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1808,i,9152930841318595919,8970329187195368968,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:2, MD5: 7C8A196CCBBDD56338960528E97C45E4)
  - cmd.exe (PID: 7136, cmdline: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\user\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - Bginfo.exe (PID: 3180, cmdline: "C:\Users\user\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar, MD5: 3AEF228FB7EE187160482084D36C9726)
  - OpenWith.exe (PID: 64, cmdline: "C:\Windows\system32\openwith.exe", MD5: 0ED31792A7FFF811883F80047CBCFC91)
  - OpenWith.exe (PID: 4200, cmdline: "C:\Windows\system32\openwith.exe", MD5: E4A834784FA08C17D47A1E72429C5109)
  - DocuAppCenter.exe (PID: 5832, cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\DocuAppCenter" --field-trial-handle=2236,i,9152930841318595919,8970329187195368968,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3, MD5: 7C8A196CCBBDD56338960528E97C45E4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
System Summary
Sigma rule author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-15T08:13:55.947986+0100 | 2854824 | 2 | Potentially Bad Traffic | 193.201.9.187 | 2049 | 192.168.2.6 | 49931 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-15T08:13:42.994483+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 193.201.9.187 | 2049 | 192.168.2.6 | 49863 | TCP |
2024-11-15T08:13:55.947986+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 193.201.9.187 | 2049 | 192.168.2.6 | 49931 | TCP |