rhadamanthys | d02711122b130cd44c721437f4f2767b9c61b832fe6e3d35536f745d131d16ff

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

979KB
MD5

20f70cdf44bd28fc1b1f1dd69c99f22e
SHA1

e19928d2871098c4488cf71d54a860a1f6d78a36
SHA256

d02711122b130cd44c721437f4f2767b9c61b832fe6e3d35536f745d131d16ff
SHA512

858b6acaf44cedf4f1d8660c86a70bf96779658a27ba02aa298faca3ca48063725cb50cc8168180195ff8ac3258e28a2ee9b064352c2b2a55bbeeec1c33cef84
SSDEEP

24576:CeGVZ9/e0wilWWC7rD/QTYrpGzaVWWeiZfsPHY:4320uWt4pGmVzZAY

Score

10^/10

rhadamanthys stealer

Malware Config

Extracted

Family

rhadamanthys

http://8002.motorline.pw/api/9wcnem.x0vs

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2180-147-0x0000000001410000-0x000000000142C000-memory.dmp	family_rhadamanthys
behavioral2/memory/2180-148-0x0000000001410000-0x000000000142C000-memory.dmp	family_rhadamanthys
behavioral2/memory/2180-150-0x0000000001410000-0x000000000142C000-memory.dmp	family_rhadamanthys
behavioral2/memory/2180-151-0x0000000001410000-0x000000000142C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of SetThreadContext 1 IoCs

Processes:

a.exe

description pid process target process

PID 3032 set thread context of 2180 3032 a.exe a.exe

description	pid	process	target process
PID 3032 set thread context of 2180	3032	a.exe	a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a.exe

description	pid	process	target process
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe
PID 3032 wrote to memory of 2180	3032	a.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
2⤵
PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-147-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/2180-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-151-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/2180-150-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/2180-140-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-152-0x0000000003020000-0x000000000303A000-memory.dmp

Filesize
104KB

Download
memory/2180-149-0x0000000003020000-0x000000000303A000-memory.dmp

Filesize
104KB

Download
memory/2180-148-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/3032-138-0x0000000008050000-0x0000000008060000-memory.dmp

Filesize
64KB

Download
memory/3032-133-0x0000000000F60000-0x000000000105A000-memory.dmp

Filesize
1000KB

Download
memory/3032-136-0x0000000008050000-0x0000000008060000-memory.dmp

Filesize
64KB

Download
memory/3032-135-0x0000000007ED0000-0x0000000007F62000-memory.dmp

Filesize
584KB

Download
memory/3032-139-0x000000000A3D0000-0x000000000A46C000-memory.dmp

Filesize
624KB

Download
memory/3032-134-0x0000000008380000-0x0000000008924000-memory.dmp

Filesize
5.6MB

Download
memory/3032-137-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

Filesize
40KB

Download