rhadamanthys | d02711122b130cd44c721437f4f2767b9c61b832fe6e3d35536f745d131d16ff

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10/05/2023, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

979KB
MD5

20f70cdf44bd28fc1b1f1dd69c99f22e
SHA1

e19928d2871098c4488cf71d54a860a1f6d78a36
SHA256

d02711122b130cd44c721437f4f2767b9c61b832fe6e3d35536f745d131d16ff
SHA512

858b6acaf44cedf4f1d8660c86a70bf96779658a27ba02aa298faca3ca48063725cb50cc8168180195ff8ac3258e28a2ee9b064352c2b2a55bbeeec1c33cef84
SSDEEP

24576:CeGVZ9/e0wilWWC7rD/QTYrpGzaVWWeiZfsPHY:4320uWt4pGmVzZAY

Score

10^/10

rhadamanthys stealer

Malware Config

Extracted

Family

rhadamanthys

http://8002.motorline.pw/api/9wcnem.x0vs

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/3492-137-0x0000000001540000-0x000000000155C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3492-138-0x0000000001540000-0x000000000155C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3492-140-0x0000000001540000-0x000000000155C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3492-141-0x0000000001540000-0x000000000155C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 3492	2788	a.exe	66

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66
PID 2788 wrote to memory of 3492	2788	a.exe	66

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\a.exe
  "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2788-118-0x0000000000EE0000-0x0000000000FDA000-memory.dmp

Filesize
1000KB

Download
memory/2788-119-0x0000000008160000-0x000000000865E000-memory.dmp

Filesize
5.0MB

Download
memory/2788-120-0x0000000007D00000-0x0000000007D92000-memory.dmp

Filesize
584KB

Download
memory/2788-121-0x0000000008660000-0x00000000089B0000-memory.dmp

Filesize
3.3MB

Download
memory/2788-122-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/2788-123-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

Filesize
40KB

Download
memory/2788-124-0x0000000007F50000-0x0000000007F70000-memory.dmp

Filesize
128KB

Download
memory/2788-125-0x0000000007E40000-0x0000000007E50000-memory.dmp

Filesize
64KB

Download
memory/2788-126-0x0000000008130000-0x000000000813C000-memory.dmp

Filesize
48KB

Download
memory/2788-127-0x0000000009EC0000-0x0000000009F6E000-memory.dmp

Filesize
696KB

Download
memory/2788-128-0x000000000A030000-0x000000000A0CC000-memory.dmp

Filesize
624KB

Download
memory/2788-129-0x0000000009FA0000-0x0000000009FD6000-memory.dmp

Filesize
216KB

Download
memory/3492-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3492-137-0x0000000001540000-0x000000000155C000-memory.dmp

Filesize
112KB

Download
memory/3492-138-0x0000000001540000-0x000000000155C000-memory.dmp

Filesize
112KB

Download
memory/3492-139-0x00000000011F0000-0x00000000011F2000-memory.dmp

Filesize
8KB

Download
memory/3492-140-0x0000000001540000-0x000000000155C000-memory.dmp

Filesize
112KB

Download
memory/3492-141-0x0000000001540000-0x000000000155C000-memory.dmp

Filesize
112KB

Download