rhadamanthys | 8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09

Analysis

max time kernel
117s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe
Size

579KB
MD5

9f229df785e9c754203604ac4bdd027c
SHA1

0cd6aec7a015467cddcb37fd44a0d986cd95334f
SHA256

8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09
SHA512

eb33034bab8f5bbe74789522e5c1be82f689234178e229ca6dac46b34e5c50465fdf5892e4a7e6d0c03061333d76a125d784eb644445fce9caf35e03852a18fe
SSDEEP

12288:LqzxxE/84PA9h2b4u7ccF4PksIvrG/XQ6FynsDBO4:Lq1C/8wA9h2k7Puq/XQWwUO

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2672 created 1256	2672	RegAsm.exe	11

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2672	RegAsm.exe
2672	RegAsm.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe
2800	dialer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2788	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	28
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2500	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	32
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2764	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	31
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2252	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	30
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2384 wrote to memory of 2672	2384	8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe	29
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33
PID 2672 wrote to memory of 2800	2672	RegAsm.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe
  "C:\Users\Admin\AppData\Local\Temp\8d6c9fdb875cc3e3048b4852b8bc60aff5d071270ba3bf976445534250cd5f09.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2500
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-18-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-2-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2384-5-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2384-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2384-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2384-0-0x0000000001260000-0x00000000012F8000-memory.dmp

Filesize
608KB

Download
memory/2384-21-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-7-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-28-0x0000000077080000-0x00000000770C7000-memory.dmp

Filesize
284KB

Download
memory/2672-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-23-0x0000000003030000-0x0000000003430000-memory.dmp

Filesize
4.0MB

Download
memory/2672-25-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/2672-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2672-22-0x0000000003030000-0x0000000003430000-memory.dmp

Filesize
4.0MB

Download
memory/2672-24-0x0000000003030000-0x0000000003430000-memory.dmp

Filesize
4.0MB

Download
memory/2672-27-0x0000000003030000-0x0000000003430000-memory.dmp

Filesize
4.0MB

Download
memory/2800-35-0x0000000001CE0000-0x00000000020E0000-memory.dmp

Filesize
4.0MB

Download
memory/2800-37-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/2800-36-0x0000000077080000-0x00000000770C7000-memory.dmp

Filesize
284KB

Download
memory/2800-32-0x0000000001CE0000-0x00000000020E0000-memory.dmp

Filesize
4.0MB

Download
memory/2800-33-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/2800-31-0x0000000001CE0000-0x00000000020E0000-memory.dmp

Filesize
4.0MB

Download
memory/2800-29-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2800-38-0x0000000001CE0000-0x00000000020E0000-memory.dmp

Filesize
4.0MB

Download