Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
19-03-2023 02:51
Static task
static1
Behavioral task
behavioral1
Sample
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
Resource
win10-20230220-en
General
-
Target
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
-
Size
353KB
-
MD5
e41fa2c4eb7092bc5774c60162850bee
-
SHA1
53767637b6fa80642d6884ab6ca751ba3b69796f
-
SHA256
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4
-
SHA512
b11523d61ee8f244ea56eb7446c83a4f0f9c834edc607b64342cb347beabb6df214369276ef696a6e966109e799df228904340b500c1b80bf5b720c0d39c3041
-
SSDEEP
6144:iRuxL2aEVY0sf8tmKx1AC1Atrp0igRn4Iu8E:4ux5E60s5KxyHreizIu8E
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1020-121-0x0000000002CB0000-0x0000000002CCC000-memory.dmp family_rhadamanthys behavioral1/memory/1020-123-0x0000000002CB0000-0x0000000002CCC000-memory.dmp family_rhadamanthys behavioral1/memory/1020-126-0x0000000002CB0000-0x0000000002CCC000-memory.dmp family_rhadamanthys behavioral1/memory/1020-128-0x0000000002CB0000-0x0000000002CCC000-memory.dmp family_rhadamanthys -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exepid process 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1536 1020 WerFault.exe 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exepid process 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exedescription pid process target process PID 1020 wrote to memory of 4912 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe dllhost.exe PID 1020 wrote to memory of 4912 1020 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe dllhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe"C:\Users\Admin\AppData\Local\Temp\1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 7002⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1020-117-0x0000000002BA0000-0x0000000002BCE000-memory.dmpFilesize
184KB
-
memory/1020-118-0x0000000000400000-0x0000000002B08000-memory.dmpFilesize
39.0MB
-
memory/1020-121-0x0000000002CB0000-0x0000000002CCC000-memory.dmpFilesize
112KB
-
memory/1020-123-0x0000000002CB0000-0x0000000002CCC000-memory.dmpFilesize
112KB
-
memory/1020-124-0x0000000002CD0000-0x0000000002CD2000-memory.dmpFilesize
8KB
-
memory/1020-125-0x0000000002CD0000-0x0000000002CD3000-memory.dmpFilesize
12KB
-
memory/1020-126-0x0000000002CB0000-0x0000000002CCC000-memory.dmpFilesize
112KB
-
memory/1020-127-0x0000000000400000-0x0000000002B08000-memory.dmpFilesize
39.0MB
-
memory/1020-128-0x0000000002CB0000-0x0000000002CCC000-memory.dmpFilesize
112KB