Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Overview

General Information

Sample name:	1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
Analysis ID:	1526768
MD5:	6c1a9eaef729e651997fd85545f1a38b
SHA1:	d0bb98dedb4a6c65551a23318ff9b2bda5fe2b81
SHA256:	ac75ec2a674b32886feef62ace21882c133540bc2e1b383c816be0505aeee9b1
Tags:	base64-decodedexeuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

RHADAMANTHYS

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected RHADAMANTHYS Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

×

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Joe Sandbox ML: detected

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Binary or memory string: OriginalFilename4 vs 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.winEXE@0/0@0/0

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Static PE information: section name: .textbss

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
s-part-0017.t-0009.t-msedge.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea	true		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526768
Start date and time:	2024-10-06 15:48:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
Detection:	MAL
Classification:	mal68.troj.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	http://meta.case-page-appeal.eu/community-standard/104571362730521/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://melodic-agency-full.on-fleek.app/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://santander-coders-2024.vercel.app/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://pp578bb256.top/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://kinderschutzbund-northeim.de/wp-content/template/gateway/88c1fcbe64/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://bbvip666bet.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://x3viswxo.clinicaimplantologica3d.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://allegrolokalnie.pl-546t348977t.shop/oferta/afbc38c3-8517-464b-b221-f0b162797375	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://garretitlaw.wixstudio.io/website	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.616618375855966
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
File size:	443'373 bytes
MD5:	6c1a9eaef729e651997fd85545f1a38b
SHA1:	d0bb98dedb4a6c65551a23318ff9b2bda5fe2b81
SHA256:	ac75ec2a674b32886feef62ace21882c133540bc2e1b383c816be0505aeee9b1
SHA512:	53294590ad77d61c12d40c1a82e06329c529cf5790bfadbbf15e02ccdbf4b00c3955b1229d32e734e65d13be5c8696be2a6e9119704c57235a1adf76c6d62da8
SSDEEP:	6144:swaqZeJpEEEdEbWx0jq/ak5D2x+/yYsrKSn4EKeSGFq+TMjpMVF5jeJxlfc:sX7EEEd90jq/aa2x+oKYoOb35jgfc
TLSH:	6394E14EF6D1E462D4E70932C45089F0A92D7C51871A89E3A36C3D353E702F8BA35EB5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UP.\|.1@/.1@/.1@/ZIC..1@/ZIE..1@/ZID..1@/.NE.71@/.ND..1@/.NC..1@/ZIA..1@/.1A/v1@/+.D..1@/.1@/.1@/+../.1@/+.B..1@/Rich.1@/.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x455235
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645F7B5F [Sat May 13 11:58:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
add byte ptr [edi+00002700h], ch
add byte ptr [eax], al
daa
add bl, dl
add byte ptr [eax], al
in al, dx
add byte ptr [eax+00h], dh
add byte ptr [eax], al
add byte ptr [eax+eax], dh
add byte ptr [eax], al
add ch, dl
add byte ptr [eax], al
jno 00007F6328DA6432h
jo 00007F6328DA6432h
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [ecx+00710000h], al
stosd
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, 00000000h
or eax, dword ptr [eax]
add byte ptr [ecx+00008100h], dl
add byte ptr [eax], al
xor al, byte ptr [eax]
adc dword ptr [eax], eax
add bh, dh
add byte ptr [ebx+00h], bh
add byte ptr [eax], al
add byte ptr [edx+00000000h], bl
add byte ptr [eax], al
jnle 00007F6328DA6432h
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+00h], cl
sub dword ptr [eax], eax
add byte ptr [eax+eax+000000C1h], dl
add byte ptr [esi+00000000h], al
xor byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebx+00DE3A81h], al
add byte ptr [eax], al
add byte ptr [eax+00h], ch
mov dh, 00h
add byte ptr [eax+00002C00h], bh
add byte ptr [eax], al
scasd
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [0000C000h], al
add byte ptr [eax], al
sub byte ptr [eax], al
push ss
add byte ptr [eax], al
inc edi
add byte ptr [eax+eax], ch
add byte ptr [eax], al
add cl, cl
add byte ptr [eax], al
add byte ptr [eax], al
cmpsd
add byte ptr [eax], al
fld qword ptr [eax]
salc
add byte ptr [eax], al
add byte ptr [eax], al
dec ecx
add byte ptr [edx], ch
add byte ptr [eax], al
mov byte ptr [eax], al
mov eax, dword ptr [eax]
add byte ptr [eax], al
add dl, bl
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [ecx+00009400h], ah
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7794c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7b000	0x1498	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0xf40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x76e40	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x76d80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x72000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60533	0x60600	e3c563df218adce1ff16115f6516b688	False	0.645597742380026	data	5.493092837192213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.textbss	0x62000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x72000	0x611e	0x6200	d628b4ec1248d6fd03c54ef1c8c57716	False	0.49864477040816324	data	5.727567550712018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0x1320	0xa00	00cfb429a71f120d572af0950a50dfab	False	0.559375	data	4.837970127635262	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7b000	0x1498	0x1600	86578439adc2c246224b8ea67ce07e60	False	0.41441761363636365	data	4.7442595359054325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0xf40	0x1000	d2ba5fdb2f5d4200080fd728db14cd84	False	0.299072265625	data	3.65572032276002	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 15:49:03.527981997 CEST	1.1.1.1	192.168.2.6	0x6842	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 6, 2024 15:49:03.527981997 CEST	1.1.1.1	192.168.2.6	0x6842	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly