rhadamanthys | b46011c5f70960debda8166ad56d523bf8bbd19bd9a0a0a1346be4cb14dc2598

Resubmissions

27/11/2024, 09:54

241127-lxghnaylhv 10

18/12/2023, 21:10

231218-z1gvgsfbg6 10

Analysis

max time kernel
12s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
18/12/2023, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OSU-FREEDOM-main/freedom.exe
Size

539KB
MD5

32b86751d376ef214a26e50eecc6e67d
SHA1

b6b7a830578cfe154b6c27d18ea7761630bb5363
SHA256

60710a8b3e9d7b6985e6a2eab5c7ed57e2ee776db285ba69cc5b53c36110770f
SHA512

00ee95b52e926173dc8dc85d6a0b21d5eb54e99a91047292be6e761b61bcd467d1551d30715707b67642741803e0c463f64b4ce1a2c72be2d7415b2dffee31f5
SSDEEP

12288:gE50GSHrG6W42JcycysY0V3D9wCV+QnXGwnUP345WRgG3OkGGs/Lwmm:h+GSHrG6W42JcychY0FD9wCVPHw3yeJF

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4980 created 452	4980	freedom.exe	51

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4980	freedom.exe
4980	freedom.exe
2884	dialer.exe
2884	dialer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2884	4980	freedom.exe	78
PID 4980 wrote to memory of 2884	4980	freedom.exe	78
PID 4980 wrote to memory of 2884	4980	freedom.exe	78
PID 4980 wrote to memory of 2884	4980	freedom.exe	78

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:452
- C:\Windows\system32\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884

C:\Users\Admin\AppData\Local\Temp\OSU-FREEDOM-main\freedom.exe
"C:\Users\Admin\AppData\Local\Temp\OSU-FREEDOM-main\freedom.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-14-0x00007FF911D60000-0x00007FF911F69000-memory.dmp

Filesize
2.0MB

Download
memory/2884-15-0x000001E686170000-0x000001E686570000-memory.dmp

Filesize
4.0MB

Download
memory/2884-20-0x00007FF911D60000-0x00007FF911F69000-memory.dmp

Filesize
2.0MB

Download
memory/2884-12-0x000001E686170000-0x000001E686570000-memory.dmp

Filesize
4.0MB

Download
memory/2884-19-0x000001E686170000-0x000001E686570000-memory.dmp

Filesize
4.0MB

Download
memory/2884-8-0x000001E684670000-0x000001E684679000-memory.dmp

Filesize
36KB

Download
memory/2884-18-0x00007FF90F4B0000-0x00007FF90F824000-memory.dmp

Filesize
3.5MB

Download
memory/2884-16-0x00007FF911D60000-0x00007FF911F69000-memory.dmp

Filesize
2.0MB

Download
memory/2884-17-0x00007FF9102D0000-0x00007FF91038D000-memory.dmp

Filesize
756KB

Download
memory/4980-5-0x00007FF9102D0000-0x00007FF91038D000-memory.dmp

Filesize
756KB

Download
memory/4980-3-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/4980-13-0x00007FF911D60000-0x00007FF911F69000-memory.dmp

Filesize
2.0MB

Download
memory/4980-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4980-11-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4980-1-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/4980-6-0x00007FF90F4B0000-0x00007FF90F824000-memory.dmp

Filesize
3.5MB

Download
memory/4980-7-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/4980-4-0x00007FF911D60000-0x00007FF911F69000-memory.dmp

Filesize
2.0MB

Download
memory/4980-2-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download