File name: SetLoader.exe

Full analysis: https://app.any.run/tasks/c5c9cc7c-d802-4d8a-85ab-99b23c7ecc31
Verdict: Malicious activity
Threats: Rhadamanthys

Rhadamanthys is an information stealer written in C++ that harvests credentials and other sensitive data from infected machines. Its multi-stage execution chain and evasion techniques make it a significant threat.

Analysis date: September 18, 2024, 09:29:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rhadamanthys, shellcode
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 53C7101148E18F8D51A0951367D685AF
SHA1: C402D153E5AAAB6F29C5B272E38947B17C30DA13
SHA256: 5E4C3EDE27F4B698191B7D8E27C58C5E23E15ACAF97FC1C18F8A94208FF8D837
SSDEEP: 98304:+1Njik5mn6s2+HYOzlpQkDkxO3NtzCXv2uksFHUg24dj2oHRtZNYdtv+KSFcT6Je:oWmTcWnc

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be affected by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • RHADAMANTHYS has been detected (YARA)

      • OpenWith.exe (PID: 964)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:05:13 11:58:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 394752
InitializedDataSize: 39936
UninitializedDataSize: 65536
EntryPoint: 0x5111ed
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.9.5252
ProductVersionNumber: 2.0.9.5252
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: VMProtect Software
FileDescription: -
FileVersion: 2.0.9.5252
InternalName: -
LegalCopyright: Copyright 2003-2011 VMProtect Software
LegalTrademarks: -
OriginalFileName: -
ProductName: VMProtect
ProductVersion: 2.09
Comments: -
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

start -> setloader.exe (no specs) -> openwith.exe (#RHADAMANTHYS)

Process information

PID: 964
CMD: "C:\WINDOWS\system32\openwith.exe"
Path: C:\Windows\SysWOW64\OpenWith.exe
Indicators: RHADAMANTHYS (YARA)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 3972
CMD: "C:\Users\admin\Desktop\SetLoader.exe"
Path: C:\Users\admin\Desktop\SetLoader.exe
Indicators: none (no specs)
Parent process: explorer.exe
User: admin
Company: VMProtect Software
Integrity Level: MEDIUM
Exit code: 0
Version: 2.0.9.5252
Modules (images):
c:\users\admin\desktop\setloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 878
Read events: 877
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3972) SetLoader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation: write
Name: sn2
Value: 3CDDC8A6DF864065769144F2FA4EE1398786ADBDCF1CB625F3F63A89D627BAE7F421B6CB9F5C602C07A2AB0DF034470417D3F94018E5F86356173BB551721AF8
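Three details in the process and registry data above are what an analyst would act on: the loader carries a VMProtect version resource (so static scanning sees the packer stub, not the payload), the Rhadamanthys YARA hit lands in OpenWith.exe, a 32-bit Windows binary started with no arguments whose System32 command line was redirected to SysWOW64, and the only write event is a 64-byte hex blob under an HKCU\SOFTWARE vendor key that no installed product explains. The following Python is an added example, not part of the ANY.RUN report, that encodes those checks as triage rules over the events transcribed from this page. The record layout, the packer-vendor and known-vendor-key lists, and the entropy and size thresholds are assumptions for the example.

```python
import math
import re
from collections import Counter

# Process and registry events transcribed from the report above. The record
# layout is constructed for this example; it is not ANY.RUN's export format.
PROCESSES = [
    {"pid": 3972, "image": r"C:\Users\admin\Desktop\SetLoader.exe",
     "cmd": r'"C:\Users\admin\Desktop\SetLoader.exe"', "parent": "explorer.exe",
     "company": "VMProtect Software", "yara": []},
    {"pid": 964, "image": r"C:\Windows\SysWOW64\OpenWith.exe",
     "cmd": r'"C:\WINDOWS\system32\openwith.exe"', "parent": "explorer.exe",
     "company": "Microsoft Corporation", "yara": ["RHADAMANTHYS"]},
]
REGISTRY_WRITES = [
    {"pid": 3972, "key": r"HKEY_CURRENT_USER\SOFTWARE\SibCode", "name": "sn2",
     "value": ("3CDDC8A6DF864065769144F2FA4EE1398786ADBDCF1CB625F3F63A89D627BAE7"
               "F421B6CB9F5C602C07A2AB0DF034470417D3F94018E5F86356173BB551721AF8")},
]

# Assumed reference lists and thresholds (tune per environment).
PACKER_VENDORS = {"VMProtect Software"}          # CompanyName that belongs to a packer
KNOWN_VENDOR_KEYS = {"microsoft", "classes", "policies", "google", "mozilla"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MIN_BLOB_BYTES = 32
MIN_BLOB_ENTROPY = 3.5      # bits per character; hex text tops out at 4.0


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_command_line(cmd: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def triage_process(proc: dict) -> list:
    findings = []
    image = proc["image"].lower()
    tokens = split_command_line(proc["cmd"])
    in_windows = "\\windows\\" in image
    if proc["company"] in PACKER_VENDORS:
        findings.append("version resource names a packer (%s): static scans see the "
                        "stub, not the payload" % proc["company"])
    if proc["yara"] and in_windows:
        findings.append("YARA %s matched inside Windows image %s: foreign code is "
                        "running in a legitimate process" % (",".join(proc["yara"]), tokens[0]))
    if in_windows and len(tokens) == 1:
        findings.append("Windows helper binary started with no arguments")
    if "\\syswow64\\" in image and "\\system32\\" in proc["cmd"].lower():
        findings.append("32-bit process: System32 in the command line was redirected "
                        "to SysWOW64 by WOW64")
    return findings


def triage_registry_write(ev: dict) -> list:
    findings = []
    parts = ev["key"].split("\\")
    if (len(parts) >= 3 and parts[0] == "HKEY_CURRENT_USER"
            and parts[1].upper() == "SOFTWARE"
            and parts[2].lower() not in KNOWN_VENDOR_KEYS):
        findings.append("write under unrecognised HKCU\\SOFTWARE vendor key %s" % parts[2])
    value = ev["value"]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        nbytes = len(value) // 2
        ent = shannon_entropy(value.upper())
        if nbytes >= MIN_BLOB_BYTES and ent >= MIN_BLOB_ENTROPY:
            findings.append("%d-byte high-entropy hex blob (%.2f bits/char) stored as %s: "
                            "an identifier or key material rather than a setting"
                            % (nbytes, ent, ev["name"]))
    return findings


def triage_report(processes: list, registry_writes: list) -> dict:
    """Map each subject (process or registry value) to its list of findings."""
    out = {}
    for p in processes:
        out["pid %d" % p["pid"]] = triage_process(p)
    for ev in registry_writes:
        out["%s\\%s" % (ev["key"], ev["name"])] = triage_registry_write(ev)
    return out


if __name__ == "__main__":
    for subject, findings in triage_report(PROCESSES, REGISTRY_WRITES).items():
        for f in findings:
            print("%s: %s" % (subject, f))
```

Run stand-alone, the script reports one finding for PID 3972 (the packer), three for PID 964 (YARA hit in a Windows image, no arguments, WOW64 redirection) and two for the SibCode\sn2 value (unknown vendor key, 64-byte blob at about 3.95 bits per character). The registry rule is deliberately narrow: it fires on hex text only, so an ordinary path or display string under a new vendor key produces just the vendor-key finding.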
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 29
DNS requests: 6
Threats: 0

HTTP requests (cells the report left blank are shown as -)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3004 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
- | - | GET | - | 94.232.249.92:443 | https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube | unknown | - | - | -
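The HTTP table above mixes eight GETs to a bare IP over HTTPS with an opaque hex path, no recorded status code and no owning PID, with two routine CRL fetches by Windows update components that the sandbox whitelists. The following Python is an added example, not from the report or from ANY.RUN, that scores such rows, groups the suspicious ones into indicators with a hit count, and emits a flat blocklist of IPs and URLs. The rows are transcribed from the table; the scoring weights, the 16-character hex-token threshold and the alert threshold are assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

BEACON_URL = "https://94.232.249.92/92c5711beaa92dc31afcb9/Youtube"
CRL_URL = "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"


def row(pid, process, method, code, ip, url, reputation):
    return {"pid": pid, "process": process, "method": method, "code": code,
            "ip": ip, "url": url, "reputation": reputation}


# Transcription of the HTTP table above, in the order the report lists the
# rows (constructed for this example). None marks a cell the report left blank.
_beacon = row(None, None, "GET", None, "94.232.249.92:443", BEACON_URL, None)
HTTP_ROWS = (
    [_beacon] * 3
    + [row(2120, "MoUsoCoreWorker.exe", "GET", 200, "88.221.169.152:80", CRL_URL, "whitelisted"),
       row(3004, "RUXIMICS.exe", "GET", 200, "88.221.169.152:80", CRL_URL, "whitelisted")]
    + [_beacon] * 5
)

HEX_TOKEN = re.compile(r"[0-9a-f]{16,}", re.I)   # opaque path component; assumed minimum length


def score_row(r: dict):
    """Heuristic C2 score for one request plus the reasons behind it (assumed weights)."""
    if r["reputation"] == "whitelisted":
        return 0, ["destination whitelisted by the sandbox"]
    score, reasons = 0, []
    u = urlparse(r["url"])
    try:
        ipaddress.ip_address(u.hostname)
        literal_ip = True
    except ValueError:
        literal_ip = False
    if literal_ip:
        score += 2
        reasons.append("URL addresses a literal IP: no DNS request to correlate")
        if u.scheme == "https":
            score += 1
            reasons.append("TLS directly to the IP rather than to a named host")
    if HEX_TOKEN.search(u.path):
        score += 2
        reasons.append("opaque hex token in the path, often a bot or campaign identifier")
    if r["pid"] is None:
        score += 1
        reasons.append("no owning process attributed")
    if r["code"] is None:
        score += 1
        reasons.append("no HTTP status recorded")
    return score, reasons


def extract_iocs(rows: list, threshold: int = 4) -> dict:
    """Group suspicious requests by URL; each entry keeps hit count, score and reasons."""
    iocs = {}
    for r in rows:
        score, reasons = score_row(r)
        if score < threshold:
            continue
        entry = iocs.setdefault(r["url"], {"ip": r["ip"], "hits": 0,
                                           "score": score, "reasons": reasons})
        entry["hits"] += 1
    return iocs


def blocklist(iocs: dict) -> list:
    """Flat, sorted list of destination IPs (port stripped) and full URLs to block."""
    ips = {entry["ip"].rsplit(":", 1)[0] for entry in iocs.values()}
    return sorted(ips | set(iocs))


if __name__ == "__main__":
    found = extract_iocs(HTTP_ROWS)
    for url, entry in found.items():
        print("%s  hits=%d score=%d" % (url, entry["hits"], entry["score"]))
        for reason in entry["reasons"]:
            print("  - " + reason)
    print("blocklist:", *blocklist(found), sep="\n  ")
```

On the transcribed rows the beacon URL scores 7 with 8 hits and both CRL fetches score 0, so the blocklist contains exactly 94.232.249.92 and the beacon URL. The whitelist short-circuit is checked first on purpose: a Microsoft CRL fetched over plain HTTP from a CDN IP would otherwise pick up points it does not deserve.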

Connections (cells the report left blank are shown as -)

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6176 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3004 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.79.141.153:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
- | - | 2.23.209.186:443 | - | Akamai International B.V. | GB | unknown
6176 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 20.44.239.154 | whitelisted
google.com | 142.250.186.46 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted

Threats

No threats detected
No debug info