Windows
Analysis Report
a2zZyepQzF.exe
Overview
General Information
Sample name: | a2zZyepQzF.exe (renamed because the original name is a hash value) |
Original sample name: | ed02ac429db2a8e556c8edd22d575ae4caae45719df16dce9b2026205572a426.exe |
Analysis ID: | 1556256 |
MD5: | 7c636c7587c6e01eca1ffb03f137156d |
SHA1: | 7356eff93825c1fcc5483d231a674b9c62b13804 |
SHA256: | ed02ac429db2a8e556c8edd22d575ae4caae45719df16dce9b2026205572a426 |
Tags: | exe, LionSoftwareLLC, user-JAMESWT_MHT |
Detection
RHADAMANTHYS
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Drops large PE files
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Uncommon Child Process Of BgInfo.EXE
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Classification
- System is w10x64
- a2zZyepQzF.exe (PID: 4784 cmdline: "C:\Users\user\Desktop\a2zZyepQzF.exe" MD5: 7C636C7587C6E01ECA1FFB03F137156D)
  - cmd.exe (PID: 5068 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq DocuAppCenter.exe" /FO csv | "C:\Windows\system32\find.exe" "DocuAppCenter.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - tasklist.exe (PID: 3960 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq DocuAppCenter.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
  - find.exe (PID: 3236 cmdline: "C:\Windows\system32\find.exe" "DocuAppCenter.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
- DocuAppCenter.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe" MD5: 7C8A196CCBBDD56338960528E97C45E4)
  - DocuAppCenter.exe (PID: 5560 cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\DocuAppCenter" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1792,i,11872881761002166062,7840408559651734129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:2 MD5: 7C8A196CCBBDD56338960528E97C45E4)
  - cmd.exe (PID: 3180 cmdline: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\user\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - Bginfo.exe (PID: 3004 cmdline: "C:\Users\user\AppData\Local\Temp\ChromiumDriver\Bginfo.exe" /taskbar MD5: 3AEF228FB7EE187160482084D36C9726)
  - OpenWith.exe (PID: 2448 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)
  - OpenWith.exe (PID: 3428 cmdline: "C:\Windows\system32\openwith.exe" MD5: E4A834784FA08C17D47A1E72429C5109)
  - DocuAppCenter.exe (PID: 2032 cmdline: "C:\Users\user\AppData\Local\Programs\DocuAppCenter\DocuAppCenter.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\DocuAppCenter" --field-trial-handle=2316,i,11872881761002166062,7840408559651734129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3 MD5: 7C8A196CCBBDD56338960528E97C45E4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search page. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
System Summary | |
---|---|
Source: | Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-15T08:25:13.787205+0100 | 2854824 | 2 | Potentially Bad Traffic | 193.201.9.187 | 2049 | 192.168.2.6 | 49989 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-15T08:25:01.165427+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 193.201.9.187 | 2049 | 192.168.2.6 | 49943 | TCP |
2024-11-15T08:25:13.787205+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 193.201.9.187 | 2049 | 192.168.2.6 | 49989 | TCP |