Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2023 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a0246f582678efd65f9d8c2f61e3ee080bf97a7e04972630c99db815a5f84f9.exe

  • Size

    499KB

  • MD5

    face4d621d9302a91d413b7e3382bbef

  • SHA1

    9eaf7022c629efe0afbd3ba6f3df2c5b519071c2

  • SHA256

    4a0246f582678efd65f9d8c2f61e3ee080bf97a7e04972630c99db815a5f84f9

  • SHA512

    1956e726720ba3dd77c3b0170ab5c5cb678d1b008b0c88e482a8fb86bcb525e8acd81dcf59f2e3303e3590f7ee482a6195e0bdcaf05edc5225651d70c18e2149

  • SSDEEP

    6144:NngNIqM32ZLFKdEytr9mpy86eFV2kt25WJ0eR1yp4IQnHkfdI3VQ86iJ5mLe6YtI:gS2ZLAHr9SrKD4Bn3lQ86iJ519twRn

Score
10/10
rhadamanthyscollectionstealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3168
      • C:\Users\Admin\AppData\Local\Temp\4a0246f582678efd65f9d8c2f61e3ee080bf97a7e04972630c99db815a5f84f9.exe
        "C:\Users\Admin\AppData\Local\Temp\4a0246f582678efd65f9d8c2f61e3ee080bf97a7e04972630c99db815a5f84f9.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 720
          3⤵
          • Program crash
          PID:3264
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:4048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1828 -ip 1828
      1⤵
        PID:4864

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1828-146-0x0000000000400000-0x0000000000963000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1828-134-0x00000000025C0000-0x0000000002631000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1828-135-0x0000000002670000-0x0000000002677000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1828-136-0x0000000002870000-0x0000000002C70000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1828-137-0x0000000002870000-0x0000000002C70000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1828-133-0x0000000000BC0000-0x0000000000C09000-memory.dmp

        Filesize

        292KB

        Download

      • memory/1828-139-0x0000000003690000-0x00000000036C6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1828-145-0x0000000003690000-0x00000000036C6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4048-149-0x0000014F6E8C0000-0x0000014F6E8C7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4048-154-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-138-0x0000014F6E4D0000-0x0000014F6E4D3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4048-150-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-151-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-152-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-153-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-148-0x0000014F6E4D0000-0x0000014F6E4D3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4048-156-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-157-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-158-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-159-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-160-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4048-161-0x00007FF420A70000-0x00007FF420B9D000-memory.dmp

        Filesize

        1.2MB

        Download