rhadamanthys | ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94

Analysis

max time kernel
141s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17/07/2023, 18:57

Target

ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe
Size

469KB
MD5

5c5ce88b20741b117c9c5a3f225d7e67
SHA1

629044e7070c96d09409754dd3f4e4bf9a0bc734
SHA256

ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94
SHA512

f102481be8c3262107a77445c5a8dfe6926dee0dc191a73aff2331830b91fe43c6697c66a692e0d5d67831acbef0398b0193b40dd2a421019a37e2368cb17d66
SSDEEP

12288:A/C2QaShkgQ99X/Q508p469/PQBbEO514g:A/yaShax/Q50u/PSEfg

Score

10^/10

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral1/memory/4236-125-0x0000000004AB0000-0x0000000004EB0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4236-126-0x0000000004AB0000-0x0000000004EB0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4236-127-0x0000000004AB0000-0x0000000004EB0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4236-128-0x0000000004AB0000-0x0000000004EB0000-memory.dmp	family_rhadamanthys
behavioral1/memory/4236-141-0x0000000004AB0000-0x0000000004EB0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4236 created 3288	4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe	53

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe
4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe
4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe
4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 4344	4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe	70
PID 4236 wrote to memory of 4344	4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe	70
PID 4236 wrote to memory of 4344	4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe	70
PID 4236 wrote to memory of 4344	4236	ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe	70

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3288
- C:\Users\Admin\AppData\Local\Temp\ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe
  "C:\Users\Admin\AppData\Local\Temp\ae200328425b52b04ab74aa10f16616c2d8d780d9fe5f4a442fbf3410e70ac94.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4236
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:4344

memory/4236-127-0x0000000004AB0000-0x0000000004EB0000-memory.dmp

Filesize
4.0MB

Download
memory/4236-134-0x0000000000400000-0x0000000002B81000-memory.dmp

Filesize
39.5MB

Download
memory/4236-123-0x0000000000400000-0x0000000002B81000-memory.dmp

Filesize
39.5MB

Download
memory/4236-124-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/4236-125-0x0000000004AB0000-0x0000000004EB0000-memory.dmp

Filesize
4.0MB

Download
memory/4236-126-0x0000000004AB0000-0x0000000004EB0000-memory.dmp

Filesize
4.0MB

Download
memory/4236-129-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/4236-121-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/4236-122-0x0000000004800000-0x0000000004871000-memory.dmp

Filesize
452KB

Download
memory/4236-141-0x0000000004AB0000-0x0000000004EB0000-memory.dmp

Filesize
4.0MB

Download
memory/4236-133-0x0000000004800000-0x0000000004871000-memory.dmp

Filesize
452KB

Download
memory/4236-135-0x0000000005870000-0x00000000058A6000-memory.dmp

Filesize
216KB

Download
memory/4236-128-0x0000000004AB0000-0x0000000004EB0000-memory.dmp

Filesize
4.0MB

Download
memory/4344-130-0x00000249F7FB0000-0x00000249F7FB3000-memory.dmp

Filesize
12KB

Download