rhadamanthys | 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19-03-2023 02:51

Target

1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
Size

353KB
MD5

e41fa2c4eb7092bc5774c60162850bee
SHA1

53767637b6fa80642d6884ab6ca751ba3b69796f
SHA256

1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4
SHA512

b11523d61ee8f244ea56eb7446c83a4f0f9c834edc607b64342cb347beabb6df214369276ef696a6e966109e799df228904340b500c1b80bf5b720c0d39c3041
SSDEEP

6144:iRuxL2aEVY0sf8tmKx1AC1Atrp0igRn4Iu8E:4ux5E60s5KxyHreizIu8E

Score

10^/10

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1020-121-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1020-123-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1020-126-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1020-128-0x0000000002CB0000-0x0000000002CCC000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

pid	process
1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1536 1020 WerFault.exe 1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

pid	pid_target	process	target process
1536	1020	WerFault.exe	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

pid	process
1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe
1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe

description	pid	process	target process
PID 1020 wrote to memory of 4912	1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe	dllhost.exe
PID 1020 wrote to memory of 4912	1020	1d8e82d9abda58c9f4a0def2940e9f75921e2dce89a07b337a075ca363176cd4.exe	dllhost.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 700
2⤵
- Program crash
PID:1536

memory/1020-117-0x0000000002BA0000-0x0000000002BCE000-memory.dmp

Filesize
184KB

Download
memory/1020-118-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/1020-121-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/1020-123-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/1020-124-0x0000000002CD0000-0x0000000002CD2000-memory.dmp

Filesize
8KB

Download
memory/1020-125-0x0000000002CD0000-0x0000000002CD3000-memory.dmp

Filesize
12KB

Download
memory/1020-126-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/1020-127-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/1020-128-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download