File name:	vstdlib_s64.dll
Full analysis:	https://app.any.run/tasks/3fdd8445-eb80-4640-ba6e-53ea32bb775e
Verdict:	Malicious activity
Threats:	Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 23, 2025, 01:33:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rhadamanthys stealer shellcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 8 sections
MD5:	C7ADFE8ADEFD46CBF4C4E066F48BE7C2
SHA1:	395EDDC9104A14822391420DBA170FAFD49FEF32
SHA256:	56A3B248A233CED12AFAB7FD34B9D077340B05AD27DC210C51C07A0D9E287ACA
SSDEEP:	98304:rJ3TvrSVqrakJlCVlE+v3W/7zI6OUFiVTV/7zkkfnTrXweWIUqejGs5i4BcrHCb5:DW

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	AMD AMD64
TimeStamp:	2025:02:20 13:40:21+00:00
ImageFileCharacteristics:	Executable, Large address aware, DLL
PEType:	PE32+
LinkerVersion:	14.32
CodeSize:	4992512
InitializedDataSize:	6628864
UninitializedDataSize:	-
EntryPoint:	0xbed08
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	159.148.1234.7890
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Marijampolės Duomenų Integratorius – pažangus sprendimas didelių informacijos srautų sujungimui ir analizei
CompanyName:	Suvalkijos Technologijos
FileDescription:	Šakiai
FileVersion:	159.148.1234.7890
InternalName:	Šakiai.dll
LegalCopyright:
OriginalFileName:	Šakiai.dll
ProductName:	Marijampolės Duomenų Integratorius
ProductVersion:	1.0.0
AssemblyVersion:	159.148.1234.7890


(PID) Process:	(4328) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: 5C2EAE6B9913C3624C988B34470364B5BC27A54E3D798BEC0C44C79A22FB0C34E684D2EB122F92111E61E0FD24001F185AC9F0610C4F53F1540C137AF5150BA4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2356	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2356	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5156	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5156	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2356	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5156	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5156	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2356	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2356	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5156	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	52.182.143.208	whitelisted

General Info

vstdlib_s64.dll

C7ADFE8ADEFD46CBF4C4E066F48BE7C2

395EDDC9104A14822391420DBA170FAFD49FEF32

56A3B248A233CED12AFAB7FD34B9D077340B05AD27DC210C51C07A0D9E287ACA

98304:rJ3TvrSVqrakJlCVlE+v3W/7zI6OUFiVTV/7zkkfnTrXweWIUqejGs5i4BcrHCb5:DW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RHADAMANTHYS mutex has been found

RHADAMANTHYS has been detected (YARA)

SUSPICIOUS

The process checks if it is being run in the virtual environment

Executes application which crashes

Connects to unusual port

INFO

Checks supported languages

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings