rhadamanthys | d20181563c161b0772cfad41069a572fe4c5f4f64d08be9ef99992723cec6c87

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23-12-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.9MB
MD5

50b5f7c97594361c760ecf27a93f3bd4
SHA1

b4347e675b7b5733ee9cccc9fdeda78f68d32fdc
SHA256

d20181563c161b0772cfad41069a572fe4c5f4f64d08be9ef99992723cec6c87
SHA512

671dbd211fa190482ef69f73440913ccf6cb1cb5b63ffb6177942986554512f76a770ebe801adbef14179eaca26934b9430ddef354007e56423814109eb552c5
SSDEEP

49152:pogLnkIaOPQlwORBCEM/97yzWTCiuw7Kz38Q8xTnQbv9+ktdxlISXaaVlKwBopNC:K2nkgKLCEMNBThuw7KzMQ8GF+UdnISXl

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1672 created 1100	1672	tmp.exe	18

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1672	tmp.exe
1672	tmp.exe
2080	dialer.exe
2080	dialer.exe
2080	dialer.exe
2080	dialer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2080	1672	tmp.exe	28
PID 1672 wrote to memory of 2080	1672	tmp.exe	28
PID 1672 wrote to memory of 2080	1672	tmp.exe	28
PID 1672 wrote to memory of 2080	1672	tmp.exe	28
PID 1672 wrote to memory of 2080	1672	tmp.exe	28
PID 1672 wrote to memory of 2080	1672	tmp.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-13-0x0000000076710000-0x0000000076757000-memory.dmp

Filesize
284KB

Download
memory/1672-1-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1672-3-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1672-7-0x00000000032A0000-0x00000000036A0000-memory.dmp

Filesize
4.0MB

Download
memory/1672-9-0x00000000032A0000-0x00000000036A0000-memory.dmp

Filesize
4.0MB

Download
memory/1672-8-0x00000000032A0000-0x00000000036A0000-memory.dmp

Filesize
4.0MB

Download
memory/1672-10-0x0000000076FB0000-0x0000000077159000-memory.dmp

Filesize
1.7MB

Download
memory/1672-12-0x00000000032A0000-0x00000000036A0000-memory.dmp

Filesize
4.0MB

Download
memory/1672-0-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1672-15-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/2080-14-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2080-18-0x0000000001C30000-0x0000000002030000-memory.dmp

Filesize
4.0MB

Download
memory/2080-17-0x0000000001C30000-0x0000000002030000-memory.dmp

Filesize
4.0MB

Download
memory/2080-20-0x0000000001C30000-0x0000000002030000-memory.dmp

Filesize
4.0MB

Download
memory/2080-22-0x0000000076710000-0x0000000076757000-memory.dmp

Filesize
284KB

Download
memory/2080-19-0x0000000076FB0000-0x0000000077159000-memory.dmp

Filesize
1.7MB

Download
memory/2080-23-0x0000000076FB0000-0x0000000077159000-memory.dmp

Filesize
1.7MB

Download
memory/2080-24-0x0000000001C30000-0x0000000002030000-memory.dmp

Filesize
4.0MB

Download