Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2023, 16:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf77b8618991c3335437f00e07c4d601fbb30031948d45e15a23962cb89ddfd.exe

  • Size

    343KB

  • MD5

    9996b0548ad0cba93c9da1eebcf9203f

  • SHA1

    f3278076a8f11d7ef075276627a79c0bd38cc8cc

  • SHA256

    cbf77b8618991c3335437f00e07c4d601fbb30031948d45e15a23962cb89ddfd

  • SHA512

    bf4170ee20b98e38e98f27ddce04b57eb7ab8002622556cc40ac8a688fffcc9c087f5c94b5e37dc3f25084d7304f826cfc1c7296016a8859a7d075d13cfff15e

  • SSDEEP

    3072:Z5t49DGaLCG1O2ZiEo6G9e3odDdfkq1cIgk6BY2mVvIraf2j5AyXQ7+o1nHFsYen:gnLC9Lf3XDWkl2MvqjdA7hHCYMvB4b+

Score
10/10
rhadamanthysstealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 4 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf77b8618991c3335437f00e07c4d601fbb30031948d45e15a23962cb89ddfd.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf77b8618991c3335437f00e07c4d601fbb30031948d45e15a23962cb89ddfd.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\system32\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      2⤵
        PID:4360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 736
        2⤵
        • Program crash
        PID:1400
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5116 -ip 5116
      1⤵
        PID:3560

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/5116-134-0x0000000000770000-0x000000000079E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/5116-135-0x0000000000400000-0x00000000004D9000-memory.dmp

              Filesize

              868KB

              Download

            • memory/5116-138-0x00000000007A0000-0x00000000007BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/5116-140-0x00000000007A0000-0x00000000007BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/5116-141-0x00000000007C0000-0x00000000007DA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5116-142-0x00000000024A0000-0x00000000034A0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/5116-143-0x00000000007A0000-0x00000000007BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/5116-144-0x00000000007F0000-0x00000000007F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/5116-145-0x0000000000400000-0x00000000004D9000-memory.dmp

              Filesize

              868KB

              Download

            • memory/5116-146-0x00000000007A0000-0x00000000007BC000-memory.dmp

              Filesize

              112KB

              Download