rhadamanthys | 634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 20:03

Target

634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe
Size

522KB
MD5

3b5d0aef51de61ffb2ae53eeaa34766c
SHA1

dda5f974b42d9ee4018f639a14de08a604ebf47e
SHA256

634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331
SHA512

eef0e031d14bb4726053905d30f9a1662d80e1a655e6621f3e30ea5b9aeb25993dce77ceb348c85604a330da4e76a3213cef8b077e93c73d691ec9dd469de414
SSDEEP

6144:jLjyoI3G4Xy/tD+/FSnTe3JaNJQ+30oKCYjLIAiEd4fM7KdD7O2AT:jvm3PysN5yQu8CY3Iwd4V71Q

Score

10^/10

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral1/memory/5096-138-0x00000000027A0000-0x0000000002BA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/5096-139-0x00000000027A0000-0x0000000002BA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/5096-140-0x00000000027A0000-0x0000000002BA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/5096-141-0x00000000027A0000-0x0000000002BA0000-memory.dmp	family_rhadamanthys
behavioral1/memory/5096-152-0x00000000027A0000-0x0000000002BA0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5096 created 3168	5096	634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe	57

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2012	5096	634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe	98
PID 5096 wrote to memory of 2012	5096	634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe	98
PID 5096 wrote to memory of 2012	5096	634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe	98
PID 5096 wrote to memory of 2012	5096	634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe
  "C:\Users\Admin\AppData\Local\Temp\634c0528fb0188f00a639d22f3b5c2d97a799f832d90edf402cb752ce7308331.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5096
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:2012

memory/2012-143-0x0000012E9FBE0000-0x0000012E9FBE3000-memory.dmp

Filesize
12KB

Download
memory/5096-137-0x00000000007B0000-0x00000000007B7000-memory.dmp

Filesize
28KB

Download
memory/5096-136-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/5096-134-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/5096-138-0x00000000027A0000-0x0000000002BA0000-memory.dmp

Filesize
4.0MB

Download
memory/5096-139-0x00000000027A0000-0x0000000002BA0000-memory.dmp

Filesize
4.0MB

Download
memory/5096-140-0x00000000027A0000-0x0000000002BA0000-memory.dmp

Filesize
4.0MB

Download
memory/5096-141-0x00000000027A0000-0x0000000002BA0000-memory.dmp

Filesize
4.0MB

Download
memory/5096-142-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/5096-135-0x0000000002340000-0x00000000023B1000-memory.dmp

Filesize
452KB

Download
memory/5096-144-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/5096-145-0x0000000002340000-0x00000000023B1000-memory.dmp

Filesize
452KB

Download
memory/5096-146-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/5096-152-0x00000000027A0000-0x0000000002BA0000-memory.dmp

Filesize
4.0MB

Download