Windows
Analysis Report
1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
Overview
General Information
Sample name: | 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe |
Analysis ID: | 1526768 |
MD5: | 6c1a9eaef729e651997fd85545f1a38b |
SHA1: | d0bb98dedb4a6c65551a23318ff9b2bda5fe2b81 |
SHA256: | ac75ec2a674b32886feef62ace21882c133540bc2e1b383c816be0505aeee9b1 |
Tags: | base64-decoded, exe, user-abuse_ch |
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++ and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results for the Google search user. | | | |
{"C2 url": "https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
AV Detection |
---|
Source: Malware Configuration Extractor |
Source: Integrated Neural Analysis Model |
Source: Joe Sandbox ML |
Source: Static PE information (2 matches) |
Networking |
---|
Source: URLs |
Source: Static PE information |
Source: Binary or memory string |
Source: Static PE information |
Source: Classification label |
Source: Static PE information (14 further matches) |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 100% | Joe Sandbox ML | | |
| 0% | Virustotal | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1526768 |
Start date and time: | 2024-10-06 15:48:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe |
Detection: | MAL |
Classification: | mal68.troj.winEXE@0/0@0/0 |
Cookbook Comments: |
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-part-0017.t-0009.t-msedge.net | 9 other samples (names and hashes not captured) | | malicious | Unknown | | |
s-part-0017.t-0009.t-msedge.net | 1 other sample (name and hash not captured) | | malicious | HTMLPhisher | | |
File type: | |
Entropy (8bit): | 5.616618375855966 |
TrID: | |
File name: | 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe |
File size: | 443'373 bytes |
MD5: | 6c1a9eaef729e651997fd85545f1a38b |
SHA1: | d0bb98dedb4a6c65551a23318ff9b2bda5fe2b81 |
SHA256: | ac75ec2a674b32886feef62ace21882c133540bc2e1b383c816be0505aeee9b1 |
SHA512: | 53294590ad77d61c12d40c1a82e06329c529cf5790bfadbbf15e02ccdbf4b00c3955b1229d32e734e65d13be5c8696be2a6e9119704c57235a1adf76c6d62da8 |
SSDEEP: | 6144:swaqZeJpEEEdEbWx0jq/ak5D2x+/yYsrKSn4EKeSGFq+TMjpMVF5jeJxlfc:sX7EEEd90jq/aa2x+oKYoOb35jgfc |
TLSH: | 6394E14EF6D1E462D4E70932C45089F0A92D7C51871A89E3A36C3D353E702F8BA35EB5 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UP.|.1@/.1@/.1@/ZIC..1@/ZIE..1@/ZID..1@/.NE.71@/.ND..1@/.NC..1@/ZIA..1@/.1A/v1@/+.D..1@/.1@/.1@/+../.1@/+.B..1@/Rich.1@/....... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x455235 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x645F7B5F [Sat May 13 11:58:23 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | |
Instruction |
---|
add byte ptr [edi+00002700h], ch |
add byte ptr [eax], al |
daa |
add bl, dl |
add byte ptr [eax], al |
in al, dx |
add byte ptr [eax+00h], dh |
add byte ptr [eax], al |
add byte ptr [eax+eax], dh |
add byte ptr [eax], al |
add ch, dl |
add byte ptr [eax], al |
jno 00007F6328DA6432h |
jo 00007F6328DA6432h |
add byte ptr [eax], al |
add byte ptr [eax], ah |
add byte ptr [ecx+00710000h], al |
stosd |
add byte ptr [eax], al |
add byte ptr [eax], al |
mov eax, 00000000h |
or eax, dword ptr [eax] |
add byte ptr [ecx+00008100h], dl |
add byte ptr [eax], al |
xor al, byte ptr [eax] |
adc dword ptr [eax], eax |
add bh, dh |
add byte ptr [ebx+00h], bh |
add byte ptr [eax], al |
add byte ptr [edx+00000000h], bl |
add byte ptr [eax], al |
jnle 00007F6328DA6432h |
xor byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [edi+00h], cl |
sub dword ptr [eax], eax |
add byte ptr [eax+eax+000000C1h], dl |
add byte ptr [esi+00000000h], al |
xor byte ptr [eax], al |
add byte ptr [esi], al |
add byte ptr [ebx+00DE3A81h], al |
add byte ptr [eax], al |
add byte ptr [eax+00h], ch |
mov dh, 00h |
add byte ptr [eax+00002C00h], bh |
add byte ptr [eax], al |
scasd |
add byte ptr [eax], al |
add byte ptr [eax], al |
add al, 00h |
add byte ptr [0000C000h], al |
add byte ptr [eax], al |
sub byte ptr [eax], al |
push ss |
add byte ptr [eax], al |
inc edi |
add byte ptr [eax+eax], ch |
add byte ptr [eax], al |
add cl, cl |
add byte ptr [eax], al |
add byte ptr [eax], al |
cmpsd |
add byte ptr [eax], al |
fld qword ptr [eax] |
salc |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec ecx |
add byte ptr [edx], ch |
add byte ptr [eax], al |
mov byte ptr [eax], al |
mov eax, dword ptr [eax] |
add byte ptr [eax], al |
add dl, bl |
add byte ptr [eax], al |
add byte ptr [eax], al |
and al, byte ptr [eax] |
add byte ptr [ecx+00009400h], ah |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7794c | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7b000 | 0x1498 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0xf40 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x76e40 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x76d80 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x72000 | 0x164 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x60533 | 0x60600 | e3c563df218adce1ff16115f6516b688 | False | 0.645597742380026 | data | 5.493092837192213 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.textbss | 0x62000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x72000 | 0x611e | 0x6200 | d628b4ec1248d6fd03c54ef1c8c57716 | False | 0.49864477040816324 | data | 5.727567550712018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x79000 | 0x1320 | 0xa00 | 00cfb429a71f120d572af0950a50dfab | False | 0.559375 | data | 4.837970127635262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x7b000 | 0x1498 | 0x1600 | 86578439adc2c246224b8ea67ce07e60 | False | 0.41441761363636365 | data | 4.7442595359054325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x7d000 | 0xf40 | 0x1000 | d2ba5fdb2f5d4200080fd728db14cd84 | False | 0.299072265625 | data | 3.65572032276002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
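The header and section tables above are the whole basis of this verdict, since the cookbook comments record that the file did not run ("%1 is not a valid Win32 application") and the entry-point listing is mostly `00 00` (`add byte ptr [eax], al`). The Python below is an added example, not Joe Sandbox's code: a dependency-free PE32 header and section-table parser that reports the same facts the report prints (timestamp, entry point and its section, DLL characteristics, per-section entropy) plus the three checks a triager wants before trusting a static-only result: whether the section table extends past the end of the file, what bytes actually sit at the entry point, and which executable sections have no data on disk or are writable. The `REPORT_SECTIONS` table is copied from the page; the PE image the script parses is constructed in-memory for the example and reproduces the report's `.textbss` layout (an executable, writable section with zero raw size, which is characteristic of MSVC incremental-link builds), not the analysed sample.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section layout as printed in the report: (name, virtual address, virtual size, raw size).
REPORT_SECTIONS = [
    (".text",    0x1000,  0x60533, 0x60600),
    (".textbss", 0x62000, 0x10000, 0x0),
    (".rdata",   0x72000, 0x611e,  0x6200),
    (".data",    0x79000, 0x1320,  0xa00),
    (".rsrc",    0x7b000, 0x1498,  0x1600),
    (".reloc",   0x7d000, 0xf40,   0x1000),
]
REPORT_IMAGE_BASE, REPORT_ENTRY_VA = 0x400000, 0x455235

SCN_CODE, SCN_UNINIT, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x80, 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data):
    """Bits per byte, the same scale as the report's per-section Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Name of the section whose virtual range covers rva, or None if it maps to no section."""
    for name, va, vsize, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def parse_pe(data):
    """Parse a PE32 image's headers and section table into triage facts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, tstamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections, file_end = [], 0
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, rsize, rptr, chars, shannon_entropy(data[rptr:rptr + rsize])))
        file_end = max(file_end, rptr + rsize)  # where the section table says the file should end
    entry_sec = section_for_rva([s[:4] for s in sections], entry_rva)
    entry_bytes = b""
    for name, va, _vsize, _rsize, rptr, _chars, _ent in sections:
        if name == entry_sec:
            entry_bytes = data[rptr + (entry_rva - va): rptr + (entry_rva - va) + 16]
    return {
        "timestamp": tstamp,
        "timestamp_utc": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_va": image_base + entry_rva,
        "entry_section": entry_sec,
        "entry_bytes": entry_bytes,
        "entry_is_zeroed": bool(entry_bytes) and not any(entry_bytes),
        "truncated_by": max(0, file_end - len(data)),  # > 0 means the file is shorter than its headers claim
        "sections": sections,
        "exec_without_raw_data": [s[0] for s in sections if s[5] & SCN_EXEC and s[3] == 0],
        "writable_and_executable": [s[0] for s in sections if s[5] & SCN_EXEC and s[5] & SCN_WRITE],
        "dll_characteristics": {"DYNAMIC_BASE": bool(dll_chars & 0x40), "NX_COMPAT": bool(dll_chars & 0x100),
                                "TERMINAL_SERVER_AWARE": bool(dll_chars & 0x8000)},
    }


def build_demo_pe():
    """Constructed PE32 image for this example (not the analysed sample): .text holds a
    tiny function, .textbss is executable+writable with no file data, as in the report."""
    code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 40  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x645F7B5F, 0, 0, 224, 0x0102)  # i386, 2 sections, report's timestamp
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0, 0x1000, 0x1000, 0x1000, 0x2000, 0x400000)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 6, 0, 6, 0, 6, 0, 0, 0x3000, 0x200, 0,
                       2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    opt += b"\0" * 128  # 16 empty data directories
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       SCN_CODE | SCN_EXEC | SCN_READ)
    secs += struct.pack("<8sIIIIIIHHI", b".textbss", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0,
                        SCN_UNINIT | SCN_EXEC | SCN_READ | SCN_WRITE)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    for label, blob in (("intact", build_demo_pe()), ("truncated", build_demo_pe()[:-0x100])):
        r = parse_pe(blob)
        print(label, r["timestamp_utc"], hex(r["entry_va"]), r["entry_section"], r["entry_bytes"].hex(),
              "truncated_by", r["truncated_by"], r["exec_without_raw_data"], r["dll_characteristics"])
    print("report entry point maps to", section_for_rva(REPORT_SECTIONS, REPORT_ENTRY_VA - REPORT_IMAGE_BASE))
```

Run against the report's own numbers, `section_for_rva` confirms that entry point 0x455235 (RVA 0x55235) lies inside `.text`, so the garbage disassembly is not a misplaced entry point; on a real file, `entry_is_zeroed` and `truncated_by` are the two fields that separate a corrupt upload from a sample that needs a different analyzer.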
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 6, 2024 15:49:03.527981997 CEST | 1.1.1.1 | 192.168.2.6 | 0x6842 | No error (0) | s-part-0017.t-0009.t-msedge.net | | | CNAME (Canonical name) | IN (0x0001) | false |
Oct 6, 2024 15:49:03.527981997 CEST | 1.1.1.1 | 192.168.2.6 | 0x6842 | No error (0) | | | 13.107.246.45 | A (IP address) | IN (0x0001) | false |