Windows Analysis Report
LGvZDRRknR.exe

Overview

General Information

Sample name: LGvZDRRknR.exe
renamed because original name is a hash value
Original sample name: ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19.exe
Analysis ID: 1592726
MD5: 5577aedd686307dcc768a7a1aefe8bb7
SHA1: 3169e70a2eba65e56b6d13ad329beb2b2e3c794b
SHA256: ad56dd8d6a82960c2e4272b12fdffc0f4044eea525b319a488eec30ec74b1d19
Tags: encrypthub-org, exe, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found evasive API chain checking for process token information
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: LGvZDRRknR.exe Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp"}
Source: LGvZDRRknR.exe Virustotal: Detection: 65%
Source: LGvZDRRknR.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: LGvZDRRknR.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: kernel32.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467073108.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1467573874.00000166CF680000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FD80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1466417114.00000166CF7B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1465545200.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325BF40 FindFirstFileExW, 0_2_00007FF65325BF40
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB5BC8 GetLogicalDriveStringsW,QueryDosDeviceW, 0_3_0000019E4DBB5BC8

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.20.224:9773 -> 192.168.2.8:49706
Source: Malware configuration extractor URLs: https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp
Source: global traffic TCP traffic: 192.168.2.8:49706 -> 154.216.20.224:9773
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.20.224
Source: svchost.exe, 00000002.00000002.1503153583.0000000A0271B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://154.216.20.224:9773/a36090f1390c7cab81330/1a7qev84.1gopp
Source: svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 00000002.00000003.1490275504.00000166CD5A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-queryMachineGuidSOFTWARE
Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_498be3ad-d
Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_7e4d83f0-5
Source: Yara match File source: 0.3.LGvZDRRknR.exe.19e4fe70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.166cf8a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.166cf8a0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LGvZDRRknR.exe.19e4fe70000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LGvZDRRknR.exe.19e4fb90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.166cf5c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LGvZDRRknR.exe.19e4fb90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.svchost.exe.166cf5c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.1470244839.00000166CF8A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1463700898.0000019E4FE70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LGvZDRRknR.exe PID: 4608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3428, type: MEMORYSTR
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB5FA0 NtQueryInformationProcess, 0_3_0000019E4DBB5FA0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB8AE0 NtQuerySystemInformation,malloc,NtQuerySystemInformation,K32GetProcessImageFileNameW, 0_3_0000019E4DBB8AE0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB64C0 NtQuerySystemInformation,NtQuerySystemInformation,GetTokenInformation,CloseHandle,CloseHandle, 0_3_0000019E4DBB64C0
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D5FA0 NtQueryInformationProcess, 2_2_00000166CD6D5FA0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF653263908 0_3_00007FF653263908
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB51BC 0_3_0000019E4DBB51BC
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB69D8 0_3_0000019E4DBB69D8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB1500 0_3_0000019E4DBB1500
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB2F00 0_3_0000019E4DBB2F00
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBE4EA 0_3_0000019E4DBBE4EA
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB9B4C 0_3_0000019E4DBB9B4C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB9E98 0_3_0000019E4DBB9E98
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB7FE8 0_3_0000019E4DBB7FE8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBB43C 0_3_0000019E4DBBB43C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB442C 0_3_0000019E4DBB442C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBC5E8D 0_3_0000019E4DBC5E8D
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325A4E0 0_2_00007FF65325A4E0
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653257528 0_2_00007FF653257528
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325BD34 0_2_00007FF65325BD34
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325773C 0_2_00007FF65325773C
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325BF40 0_2_00007FF65325BF40
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653261F88 0_2_00007FF653261F88
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325FFD8 0_2_00007FF65325FFD8
Source: C:\Windows\System32\svchost.exe Code function: 2_3_00000166CD370998 2_3_00000166CD370998
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D69D8 2_2_00000166CD6D69D8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D51BC 2_2_00000166CD6D51BC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D7FE8 2_2_00000166CD6D7FE8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D9E98 2_2_00000166CD6D9E98
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D442C 2_2_00000166CD6D442C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6DB43C 2_2_00000166CD6DB43C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6DE4EA 2_2_00000166CD6DE4EA
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D1500 2_2_00000166CD6D1500
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D2F00 2_2_00000166CD6D2F00
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6D9B4C 2_2_00000166CD6D9B4C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6E93F8 2_2_00000166CD6E93F8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6E4A85 2_2_00000166CD6E4A85
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6EA77E 2_2_00000166CD6EA77E
Source: LGvZDRRknR.exe Binary or memory string: OriginalFilename vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1460527686.0000019E4FF06000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1460366361.0000019E4FD08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461246981.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1462053955.0000019E4FB90000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1463700898.0000019E50105000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FC50000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000000.1449310718.00007FF6532CF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCFF Explorer.exe: vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe, 00000000.00000003.1461316537.0000019E4FD0B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs LGvZDRRknR.exe
Source: LGvZDRRknR.exe Binary or memory string: OriginalFilenameCFF Explorer.exe: vs LGvZDRRknR.exe
Source: classification engine Classification label: mal88.troj.evad.winEXE@3/0@0/1
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-40bf6037-4e6f-965ae0-f901919f7387}
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LGvZDRRknR.exe "C:\Users\user\Desktop\LGvZDRRknR.exe"
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wudfplatform.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: LGvZDRRknR.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LGvZDRRknR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LGvZDRRknR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LGvZDRRknR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LGvZDRRknR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LGvZDRRknR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LGvZDRRknR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: LGvZDRRknR.exe Static PE information: section name: .textbss
Source: LGvZDRRknR.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF653263864 push cs; ret 0_3_00007FF6532638C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF653268250 pushad ; iretd 0_3_00007FF653268256
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF65326815E push edi; ret 0_3_00007FF653268164
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF65326833E push esi; ret 0_3_00007FF653268345
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF65326853E push eax; retf 0_3_00007FF653268541
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_00007FF653263822 push cs; ret 0_3_00007FF6532638C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD19C push esi; retf 0_3_0000019E4DBBD1A3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD194 push esi; retf 0_3_0000019E4DBBD19B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD18C push esi; retf 0_3_0000019E4DBBD193
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD16C push ebp; retf 0_3_0000019E4DBBD18B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD1DC push ebp; retf 0_3_0000019E4DBBD1FB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD1D4 push ebp; retf 0_3_0000019E4DBBD1DB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD1B4 push ebp; retf 0_3_0000019E4DBBD1C3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD1AC push esi; retf 0_3_0000019E4DBBD1B3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD1A4 push esi; retf 0_3_0000019E4DBBD1AB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD11C push ebp; retf 0_3_0000019E4DBBD12B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD114 push ebp; retf 0_3_0000019E4DBBD11B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD10C push ebp; retf 0_3_0000019E4DBBD16B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD0E4 push ebp; retf 0_3_0000019E4DBBD10B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD15C push ebp; retf 0_3_0000019E4DBBD16B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD14C push esi; retf 0_3_0000019E4DBBD15B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD144 push ebp; retf 0_3_0000019E4DBBD14B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD12C push ebp; retf 0_3_0000019E4DBBD13B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD09A push ebp; retf 0_3_0000019E4DBBD09B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD084 push edi; retf 0_3_0000019E4DBBD093
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBC0684 push ebp; retf 0_3_0000019E4DBC068B
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD26C pushfd ; retf 0_3_0000019E4DBBD2A2
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD264 pushfd ; retf 0_3_0000019E4DBBD2CA
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD0DC push ebp; retf 0_3_0000019E4DBBD0E3
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBBD0CC push esi; retf 0_3_0000019E4DBBD0DB
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB3CC4 push E8000098h; ret 0_3_0000019E4DBB3CC9
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: LGvZDRRknR.exe Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: LGvZDRRknR.exe Binary or memory string: CFF EXPLORER.EXE
Source: LGvZDRRknR.exe Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXEWINDBG.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDANR.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00000166CD6E711B sldt word ptr [esi] 2_2_00000166CD6E711B
Source: C:\Windows\System32\svchost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325BF40 FindFirstFileExW, 0_2_00007FF65325BF40
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB5BC8 GetLogicalDriveStringsW,QueryDosDeviceW, 0_3_0000019E4DBB5BC8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_3_0000019E4DBB573C GetSystemInfo, 0_3_0000019E4DBB573C
Source: svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: svchost.exe, 00000002.00000002.1503548284.00000166CD413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1503582315.00000166CD45D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000003.1468650559.00000166CF5C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: svchost.exe, 00000002.00000002.1503548284.00000166CD413000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325B6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF65325B6E8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653257108 GetProcessHeap,HeapAlloc,HeapFree,VirtualFree,HeapFree, 0_2_00007FF653257108
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF6532580D8 SetUnhandledExceptionFilter, 0_2_00007FF6532580D8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653262520 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF653262520
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF65325B6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF65325B6E8
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653257EF4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF653257EF4
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653261DD0 cpuid 0_2_00007FF653261DD0
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LGvZDRRknR.exe Code function: 0_2_00007FF653257DCC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF653257DCC
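The process-creation line above, in which LGvZDRRknR.exe on the user's Desktop launches C:\Windows\System32\svchost.exe (the signature list ties this to a process created in suspended mode for code injection), is the most detectable step in the chain: a legitimate svchost.exe is started by services.exe and always carries a `-k <servicegroup>` argument, while the command line recorded here has neither. The Python below is an added detection example, not code from the report or from any vendor rule. It applies that logic to constructed Sysmon Event ID 1 style records (field names Image, ParentImage, CommandLine), one of them modelled on the report's line; the allowlist of legitimate parents is an assumption to be baselined per environment.

```python
from __future__ import annotations

import re

# Constructed Sysmon Event ID 1 style records for this example.
EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # Modelled on the report: the sample on the user's Desktop spawns
    # svchost.exe with no service-group argument.
    {"EventId": 2, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\LGvZDRRknR.exe",
     "CommandLine": r'"C:\Windows\System32\svchost.exe"'},
    # Not svchost.exe: out of scope for this rule even though the parent is odd.
    {"EventId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\setup.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    # Right parent, but no -k argument: still worth a look.
    {"EventId": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
]

# Parents that legitimately start svchost.exe. services.exe is the normal one;
# anything added here is an environment-specific assumption.
LEGIT_SVCHOST_PARENTS = frozenset({
    r"c:\windows\system32\services.exe",
})

# svchost.exe is always given a service group: "-k netsvcs", "-k LocalService", ...
SERVICE_GROUP_ARG = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].casefold()


def svchost_anomalies(event: dict) -> list[str]:
    """Reasons an svchost.exe start looks injected or hollowed; empty if none apply."""
    if basename(event["Image"]) != "svchost.exe":
        return []
    reasons: list[str] = []
    parent = event["ParentImage"].casefold()
    if parent not in LEGIT_SVCHOST_PARENTS:
        reasons.append(f"parent is not services.exe: {event['ParentImage']}")
    if "\\users\\" in parent:
        reasons.append("parent runs from a user-writable path")
    if not SERVICE_GROUP_ARG.search(event["CommandLine"]):
        reasons.append("no -k <servicegroup> argument")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map EventId -> reasons for every event that fires at least one indicator."""
    return {e["EventId"]: r for e in events if (r := svchost_anomalies(e))}


if __name__ == "__main__":
    for event_id, reasons in scan(EVENTS).items():
        print(f"event {event_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The three indicators are deliberately reported separately: the missing `-k` argument alone (event 4) is a weaker signal than a Desktop-resident parent plus a missing group argument (event 2), and after baselining most estates add a handful of legitimate parents, such as endpoint-protection engines, to the allowlist rather than dropping the rule.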
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tcpview.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Procmon.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autoruns.exe
Source: svchost.exe, 00000002.00000002.1503622485.00000166CD505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regmon.exe
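The memory strings from the injected svchost.exe, both the single concatenated uppercase run and the names the report lists individually in mixed case, make up the stealer's blocklist of analysis-tool process names that drives the "tries to detect sandboxes and other dynamic analysis tools" signature. The Python below is an added example, not code from the report or from the sample: it recovers the individual names from the concatenated run, confirms that every separately listed name is already in it, and applies the check the way a name-based anti-analysis routine would. Two assumptions are made: the comparison is case-insensitive (the dump shows both WIRESHARK.EXE and Wireshark.exe), and the first token, EXP64.EXE, is the tail of a string whose beginning was not captured, so it is kept as found rather than completed.

```python
from __future__ import annotations

import re
from typing import Iterable

# Memory string as dumped from svchost.exe (PID 2) in the report. The first
# entry, EXP64.EXE, is truncated in the dump and is deliberately left that way.
BLOCKLIST_BLOB = (
    "EXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXE"
    "PORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXE"
    "IDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXE"
    "PROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXE"
    "ILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXE"
    "REGMON.EXEWINDANR.EXEWINDBG.EXE"
)

# Names the report lists individually from the same memory region.
LISTED_SEPARATELY = [
    "DUMPCAP.EXE", "WINDANR.EXE", "WIRESHARK.EXE", "FILEMON.EXE",
    "OllyDbg.exe", "tcpview.exe", "Wireshark.exe", "lordpe.exe",
    "Procmon.exe", "autoruns.exe", "regmon.exe",
]


def split_blocklist(blob: str) -> list[str]:
    """Split a run of concatenated process names on the .EXE suffix.

    The terminating NULs were stripped when the strings were dumped, so the
    suffix is the only reliable separator. Non-greedy matching stops each entry
    at the first '.EXE' and keeps 'FIDDLER EVERYWHERE.EXE' (which contains a
    space) as a single entry.
    """
    return re.findall(r".+?\.EXE", blob, flags=re.IGNORECASE)


def build_blocklist(blob: str, extra: Iterable[str] = ()) -> frozenset[str]:
    """Case-folded set of blocked names, merging the blob with separately listed names."""
    names = split_blocklist(blob) + list(extra)
    return frozenset(n.casefold() for n in names)


def names_not_in_blob(blob: str, listed: Iterable[str]) -> list[str]:
    """Separately listed names absent from the blob; empty means the blob is the full list."""
    blob_set = {n.casefold() for n in split_blocklist(blob)}
    return [n for n in listed if n.casefold() not in blob_set]


def is_blocked(process_name: str, blocklist: frozenset[str]) -> bool:
    """The per-process test an anti-analysis routine performs (assumed case-insensitive)."""
    return process_name.casefold() in blocklist


def flagged_processes(running: Iterable[str], blocklist: frozenset[str]) -> list[str]:
    """Which of the given process names would make the sample bail out or change behaviour."""
    return [p for p in running if is_blocked(p, blocklist)]


if __name__ == "__main__":
    blocklist = build_blocklist(BLOCKLIST_BLOB, LISTED_SEPARATELY)
    print(f"{len(blocklist)} blocked names; not in blob: {names_not_in_blob(BLOCKLIST_BLOB, LISTED_SEPARATELY)}")
    # Constructed process list for an analysis VM. procexp64.exe is not matched
    # because only the truncated 'EXP64.EXE' survives in the dump.
    running = ["explorer.exe", "x64dbg.exe", "Wireshark.exe", "notepad.exe", "procexp64.exe"]
    print("would be detected:", flagged_processes(running, blocklist))
```

Two practical points fall out of the recovered list. The check is on exact process names, so renaming analysis tools before detonation defeats it, and the list is a useful hunting input in reverse: a process that enumerates running processes and compares them against these names is doing sandbox evasion, whatever it calls itself.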

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.1464398093.0000019E4DBB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459418313.0000019E4D980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1504542898.00000166CD6D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1464387974.00000166CD3B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY