File name: pomo.exe
Full analysis: https://app.any.run/tasks/2ac43746-b883-4c58-8081-4b0d37cfc3e4
Verdict: Malicious activity
Threats:

Rhadamanthys is a C++ information stealer that harvests credentials, browser data and other sensitive information from infected machines. Its multi-stage loading chain and heavy use of anti-analysis and evasion techniques (in this sample, Themida and VMProtect layers over shellcode) make it a high-risk family.

Analysis date: January 21, 2025, 20:16:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rhadamanthys
stealer
themida
vmprotect
shellcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 18 sections
MD5: 756219B350B87A85F693DCCBBF4CBC1E
SHA1: 74B914EECDE695B919F9474609BD1C3B95D3D48E
SHA256: 7DFF620D738F6CA95281CDD0C9574A384F99AE0F02AEAB4D9B0B5379B79CA1CB
SSDEEP: 98304:PHe9lc77Y3FshkOhmD5V0IiZrk8tHHOllk:X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RHADAMANTHYS mutex has been found

      • svchost.exe (PID: 5568)
      • jsc.exe (PID: 3988)
    • RHADAMANTHYS has been detected (YARA)

      • svchost.exe (PID: 5568)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • pomo.exe (PID: 2736)
    • Executable content was dropped or overwritten

      • pomo.exe (PID: 2736)
    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 5568)
    • Connects to unusual port

      • svchost.exe (PID: 5568)
  • INFO

    • Checks supported languages

      • pomo.exe (PID: 2736)
      • jsc.exe (PID: 3988)
    • Create files in a temporary directory

      • pomo.exe (PID: 2736)
    • VMProtect protector has been detected

      • pomo.exe (PID: 2736)
    • Themida protector has been detected

      • pomo.exe (PID: 2736)
    • Reads the computer name

      • jsc.exe (PID: 3988)
    • Manual execution by a user

      • svchost.exe (PID: 5568)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:19 20:09:56+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 3061760
InitializedDataSize: 6585856
UninitializedDataSize: -
EntryPoint: 0x15e9c8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
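The TRiD and EXIF blocks above are what a PE header parser recovers from the first few hundred bytes of pomo.exe (PE32+, AMD64, linker 14.42, entry point 0x15e9c8, 18 sections), and the Themida/VMProtect tags in the signature list come from section-level heuristics. The following is an added example, not ANY.RUN's tooling: a small PE32+ header parser with packer heuristics, run over a constructed three-section stub (synthetic data, not the real sample). The protector section names and the entropy threshold are assumptions chosen for the demo.

```python
import math
import random
import struct

# Heuristics used below are assumptions for this demo, not ANY.RUN's signature set:
# section names Themida/VMProtect commonly emit, and an entropy threshold above which
# a section is treated as compressed or encrypted.
PACKER_SECTION_NAMES = {".themida", ".vmp0", ".vmp1", ".vmp2", ".winlice"}
HIGH_ENTROPY = 7.0  # bits per byte


def shannon_entropy(blob):
    """Bits of entropy per byte of `blob` (0.0 for empty input)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe64():
    """Constructed PE32+ stub (synthetic test data, NOT pomo.exe): a low-entropy .text
    section, a VMProtect-style virtual-only .vmp0 section and a high-entropy .vmp1
    section that holds the entry point."""
    rng = random.Random(2025)
    text_data = bytes([0x90] * 508) + b"\xc3" + b"\x00" * 3
    vmp1_data = bytes(rng.randrange(256) for _ in range(4096))
    layout = [  # (name, VirtualSize, VirtualAddress, raw bytes)
        (b".text", 0x1000, 0x1000, text_data),
        (b".vmp0", 0x20000, 0x2000, b""),  # SizeOfRawData == 0: populated at runtime
        (b".vmp1", 0x1000, 0x22000, vmp1_data),
    ]
    entry_rva = 0x22000 + 0x10
    headers_size, raw_ptr = 0x400, 0x400
    section_table, raw_blobs = b"", b""
    for name, vsize, va, data in layout:
        section_table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data),
                                     raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        raw_blobs += data
        raw_ptr += len(data)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 42, len(text_data), len(vmp1_data), 0, entry_rva)
    opt += b"\x00" * (240 - len(opt))
    image = dos + b"PE\x00\x00" + coff + opt + section_table
    return image + b"\x00" * (headers_size - len(image)) + raw_blobs


def analyze_pe(data):
    """Parse the DOS/COFF/optional headers and section table of a PE32+ image and
    apply the packer heuristics above. Returns a plain dict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic, lmaj, lmin, code_size, _, _, entry = struct.unpack_from("<HBBIIII", data, opt_off)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        blob = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(blob), 2)})
    entry_section = next((s for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    reasons = []
    for s in sections:
        if s["name"].lower() in PACKER_SECTION_NAMES:
            reasons.append(f"protector section name {s['name']}")
        if s["raw_size"] == 0 and s["vsize"] >= 0x10000:
            reasons.append(f"large virtual-only section {s['name']} (filled at runtime)")
    if entry_section is not None:
        if entry_section["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"entry point in high-entropy section {entry_section['name']}")
        if entry_section["name"] != ".text":
            reasons.append(f"entry point outside .text ({entry_section['name']})")
    return {
        "pe_type": "PE32+" if magic == 0x20B else "PE32" if magic == 0x10B else hex(magic),
        "machine": hex(machine), "linker": f"{lmaj}.{lmin}", "code_size": code_size,
        "entry_point": entry, "large_address_aware": bool(chars & 0x0020),
        "num_sections": nsec, "sections": sections,
        "entry_section": entry_section["name"] if entry_section else None,
        "packer_suspected": bool(reasons), "reasons": reasons,
    }


if __name__ == "__main__":
    report = analyze_pe(build_sample_pe64())
    for k in ("pe_type", "machine", "linker", "entry_point", "num_sections", "entry_section"):
        print(f"{k}: {report[k]}")
    for s in report["sections"]:
        print(f"  {s['name']:<8} va=0x{s['va']:x} raw={s['raw_size']:6d} entropy={s['entropy']}")
    print("packer suspected:", report["packer_suspected"], report["reasons"])
```

On a real protected binary like this sample the same checks apply to all 18 sections; an entry point sitting in a named protector section, or in a section whose raw bytes are near 8 bits/byte while a large section has no raw data at all, is the usual signal that the real code is unpacked only at run time and that static disassembly of the file on disk will not show it.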
Total processes: 117
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process tree, parents as recorded in the Process information section)

explorer.exe (not monitored)
  ├─ pomo.exe (PID 2736)
  │    └─ jsc.exe (PID 3988), no specs, #RHADAMANTHYS
  └─ svchost.exe (PID 5568), #RHADAMANTHYS

Process information

PID: 2736
CMD: "C:\Users\admin\Desktop\pomo.exe"
Path: C:\Users\admin\Desktop\pomo.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 4531
Modules (images):
  c:\users\admin\desktop\pomo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll

PID: 3988
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Parent process: pomo.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: jsc.exe
Exit code: 0
Version: 14.8.9037.0 built by: NET481REL1
Modules (images):
  c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 5568
CMD: "C:\Windows\System32\svchost.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\sechost.dll
Total events: 467
Read events: 466
Write events: 1
Delete events: 0

Modification events

(PID) Process: (3988) jsc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation: write
Name: sn3
Value: 8FA3F78BD46D6AE15ED67C159345A47086C6BE7BFC0876AC6AD8E0C73A629765A1A2EB83420AFA2AC8E413CE4473BC04079DC492B157FFBC8EA553EA204EC027
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2736
Process: pomo.exe
Filename: C:\Users\admin\AppData\Local\Temp\oTIhMBaVu虔
Type: executable
MD5: 3992F464696B0EEFF236AEF93B1FDBD5
SHA256: 0D1A8457014F2EB2563A91D1509DBA38F6C418FEDF5F241D8579D15A93E40E14
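The process records, the HKCU\SOFTWARE\SibCode\sn3 write and the Temp drop above are the host-side signal in this report: svchost.exe (PID 5568) is started with a System32 command line but runs from SysWOW64, with explorer.exe rather than services.exe as its recorded parent; a Desktop executable spawns the .NET JScript compiler jsc.exe, which then stores a 128-hex-character blob under HKCU; and pomo.exe drops an executable with a non-ASCII filename into %TEMP%. The following is an added example, not ANY.RUN's detection logic, that encodes those observations as hunting rules over constructed Sysmon-style events (our own field names, not Sysmon's schema); the baseline parent list, LOLBin list, hex-length threshold and the benign control process are assumptions.

```python
import ntpath
import re

# Baselines are assumptions for this demo, not ANY.RUN's signature logic.
SVCHOST_PARENTS = {"services.exe"}
DOTNET_LOLBINS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe", "installutil.exe"}
USER_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{64,}$")

# Constructed events mirroring this report's process tree, registry write and
# dropped file, plus one benign svchost.exe (PID 900) as a control.
EVENTS = [
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "pid": 2736, "image": r"C:\Users\admin\Desktop\pomo.exe",
     "cmdline": r'"C:\Users\admin\Desktop\pomo.exe"', "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 3988,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"',
     "parent": r"C:\Users\admin\Desktop\pomo.exe"},
    {"type": "process", "pid": 5568, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Windows\System32\svchost.exe"', "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "pid": 3988,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\SibCode", "name": "sn3",
     "value": "8FA3F78BD46D6AE15ED67C159345A47086C6BE7BFC0876AC6AD8E0C73A629765"
              "A1A2EB83420AFA2AC8E413CE4473BC04079DC492B157FFBC8EA553EA204EC027"},
    {"type": "file", "pid": 2736, "image": r"C:\Users\admin\Desktop\pomo.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\oTIhMBaVu虔"},
]


def _lower_name(path):
    return ntpath.basename(path).lower()


def _cmdline_image(cmdline):
    """Executable path claimed by a command line: the quoted first token, else the
    first whitespace-delimited one."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"') and '"' in cmdline[1:]:
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(None, 1)[0]


def _in_user_dir(path):
    p = path.lower()
    return any(marker in p for marker in USER_DIRS)


def analyze(events):
    """Run the hunting rules over a list of events; return one finding per hit."""
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev["pid"], "detail": detail})

    for ev in events:
        if ev["type"] == "process":
            name, parent = _lower_name(ev["image"]), _lower_name(ev["parent"])
            # svchost.exe should descend from services.exe; here it came from explorer.exe.
            if name == "svchost.exe" and parent not in SVCHOST_PARENTS:
                hit("svchost_unexpected_parent", ev, f"parent is {parent}")
            # The command line names one path but the loaded image lives elsewhere
            # (System32 in the command line, SysWOW64 on disk for PID 5568).
            claimed = _cmdline_image(ev["cmdline"])
            if claimed.lower() != ev["image"].lower():
                hit("cmdline_image_mismatch", ev, f"{claimed} vs {ev['image']}")
            # A .NET Framework compiler (a known LOLBin) launched by a user-directory binary.
            if name in DOTNET_LOLBINS and _in_user_dir(ev["parent"]):
                hit("dotnet_lolbin_from_user_dir", ev, f"{name} spawned by {ev['parent']}")
        elif ev["type"] == "registry":
            # Long pure-hex values under HKCU\SOFTWARE are a common place to stash
            # an encrypted config or bot identifier.
            if ev["key"].upper().startswith("HKEY_CURRENT_USER\\SOFTWARE\\") and HEX_BLOB.match(ev["value"]):
                hit("hex_blob_in_hkcu", ev, f"{ev['key']}\\{ev['name']} ({len(ev['value'])} hex chars)")
        elif ev["type"] == "file":
            target = ev["target"]
            if "\\temp\\" in target.lower() and any(ord(c) > 127 for c in ntpath.basename(target)):
                hit("nonascii_temp_drop", ev, target)
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['rule']}] PID {f['pid']}: {f['detail']}")
```

The control svchost.exe (PID 900) produces no finding, which is the point of the parent and path checks: they key on where a system binary came from and which file actually backs it, not on the name alone.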
HTTP(S) requests: 4
TCP/UDP connections: 24
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
3508 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
3508 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
--- | --- | --- | --- | --- | --- | ---
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3508 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3508 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3508 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5568 | svchost.exe | 92.255.85.148:3574 | - | Chang Way Technologies Co. Limited | HK | malicious

DNS requests

Domain | IP | Reputation
--- | --- | ---
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
self.events.data.microsoft.com | 13.69.239.79 | whitelisted

Threats

PID | Process | Class | Message
--- | --- | --- | ---
5568 | svchost.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14
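Everything in the network section is Windows background noise (CRL fetches, telemetry, NetBIOS broadcasts) except the single svchost.exe (PID 5568) session to 92.255.85.148:3574, which is what the "Connects to unusual port" signature and the ET DROP alert both point at. Note that the ET DROP Spamhaus rules match packets whose source address is in a DROP-listed netblock, so the "Inbound" in the message refers to the peer's replies, not to who opened the connection. The following is an added example, not ANY.RUN's or Emerging Threats' logic, that applies the three checks a SOC would run over such records: an exact IOC match, a CIDR blocklist lookup, and a port-baseline heuristic. The connection records are constructed from the table above, the DROP netblock is an illustrative stand-in (the real list must be fetched), and the allowlisted names and baseline ports are assumptions.

```python
import ipaddress

# Indicator taken from this report's Connections and Threats tables.
C2_IOCS = {("92.255.85.148", 3574)}
# Stand-in for a Spamhaus DROP entry. Assumption: illustrative CIDR only; in
# production load the published DROP/EDROP lists rather than hard-coding one.
DROP_NETBLOCKS = [ipaddress.ip_network("92.255.85.0/24")]
# Baselines (assumptions, tune per estate): names svchost.exe legitimately reaches,
# and destination ports that do not by themselves merit an alert.
ALLOWLISTED_DOMAINS = {"crl.microsoft.com", "www.microsoft.com",
                       "settings-win.data.microsoft.com"}
COMMON_PORTS = {53, 80, 123, 443}

# Constructed connection records (Sysmon Event ID 3 style, our own field names)
# mirroring rows from this report's Connections table.
CONNECTIONS = [
    {"pid": 4, "image": "System", "dst_ip": "192.168.100.255", "dst_port": 138, "domain": None},
    {"pid": 3508, "image": "svchost.exe", "dst_ip": "2.16.241.19", "dst_port": 80,
     "domain": "crl.microsoft.com"},
    {"pid": 4712, "image": "MoUsoCoreWorker.exe", "dst_ip": "23.52.120.96", "dst_port": 80,
     "domain": "www.microsoft.com"},
    {"pid": 3508, "image": "svchost.exe", "dst_ip": "40.127.240.158", "dst_port": 443,
     "domain": "settings-win.data.microsoft.com"},
    {"pid": 5568, "image": "svchost.exe", "dst_ip": "92.255.85.148", "dst_port": 3574, "domain": None},
]


def classify(conn):
    """Return the list of rule names a single connection record triggers."""
    ip = ipaddress.ip_address(conn["dst_ip"])
    hits = []
    if (conn["dst_ip"], conn["dst_port"]) in C2_IOCS:
        hits.append("c2_ioc_match")
    # Matches either direction of a session with a listed peer, which is how the
    # ET DROP alert above fired on the replies from 92.255.85.148.
    if any(ip in net for net in DROP_NETBLOCKS):
        hits.append("drop_listed_peer")
    # "Connects to unusual port": a globally routable destination that did not resolve
    # from an allowlisted name, on a port outside the baseline. Broadcast/RFC1918
    # targets such as 192.168.100.255:137/138 are skipped by is_global.
    if ip.is_global and conn["domain"] not in ALLOWLISTED_DOMAINS and conn["dst_port"] not in COMMON_PORTS:
        hits.append("unusual_port")
    return hits


def analyze_connections(conns):
    """Collect findings for every record that triggers at least one rule."""
    findings = []
    for c in conns:
        rules = classify(c)
        if rules:
            findings.append({"pid": c["pid"], "image": c["image"],
                             "dst": f"{c['dst_ip']}:{c['dst_port']}", "rules": rules})
    return findings


if __name__ == "__main__":
    for f in analyze_connections(CONNECTIONS):
        print(f"PID {f['pid']} {f['image']} -> {f['dst']}: {', '.join(f['rules'])}")
```

Only the PID 5568 record survives, with all three rules attached; the port heuristic alone would also have caught it had the IOC and the blocklist entry been unknown at the time, which is why it is worth keeping even though it needs per-environment tuning.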
No debug info