rhadamanthys | 7f30a21151eee81870a014119d6824a245b8d534f0501917d8920f8ee1188bac

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ca6ef28110000e4a9007499388cb84.exe
Size

1.2MB
MD5

78ca6ef28110000e4a9007499388cb84
SHA1

c8c71aa3a3d2e0710748c8433d8088fa3b37d357
SHA256

7f30a21151eee81870a014119d6824a245b8d534f0501917d8920f8ee1188bac
SHA512

a4b76af9ffc364334059e891a1a1245d3506210437d33ca5f8c9ba44e2a74c5dc2e6fd913dd4f0096657648b9e349fe09867efe1b86b007f8c2a61904143844c
SSDEEP

24576:GSeLmAfyrmtqmKdIn1lTrTYxxN7Gu2mbmrU3WmiYESsf+PByu/:Qgc1lTrTaxNn2mclXSsf+PE

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3308 created 2500	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	34

Executes dropped EXE 1 IoCs

pid	Process
3308	㌷㔶䐶捑穆捺㜷瘳䜳n

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3308	㌷㔶䐶捑穆捺㜷瘳䜳n
3308	㌷㔶䐶捑穆捺㜷瘳䜳n
1540	dialer.exe
1540	dialer.exe
1540	dialer.exe
1540	dialer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 1052 wrote to memory of 3308	1052	78ca6ef28110000e4a9007499388cb84.exe	91
PID 3308 wrote to memory of 1540	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	92
PID 3308 wrote to memory of 1540	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	92
PID 3308 wrote to memory of 1540	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	92
PID 3308 wrote to memory of 1540	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	92
PID 3308 wrote to memory of 1540	3308	㌷㔶䐶捑穆捺㜷瘳䜳n	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2500
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Users\Admin\AppData\Local\Temp\78ca6ef28110000e4a9007499388cb84.exe
"C:\Users\Admin\AppData\Local\Temp\78ca6ef28110000e4a9007499388cb84.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\㌷㔶䐶捑穆捺㜷瘳䜳n
  "C:\Users\Admin\AppData\Local\Temp\㌷㔶䐶捑穆捺㜷瘳䜳n"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\㌷㔶䐶捑穆捺㜷瘳䜳n

Filesize
38KB

MD5
3992f464696b0eeff236aef93b1fdbd5

SHA1
8dddabaea6b342efc4f5b244420a0af055ae691e

SHA256
0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14

SHA512
27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

Download Submit
memory/1540-16-0x0000000000A60000-0x0000000000A69000-memory.dmp

Filesize
36KB

Download
memory/1540-24-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/1540-23-0x0000000076C80000-0x0000000076E95000-memory.dmp

Filesize
2.1MB

Download
memory/1540-21-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/1540-20-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download
memory/1540-19-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/1540-18-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/3308-9-0x0000000003480000-0x0000000003880000-memory.dmp

Filesize
4.0MB

Download
memory/3308-15-0x0000000076C80000-0x0000000076E95000-memory.dmp

Filesize
2.1MB

Download
memory/3308-12-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download
memory/3308-13-0x0000000003480000-0x0000000003880000-memory.dmp

Filesize
4.0MB

Download
memory/3308-11-0x0000000003480000-0x0000000003880000-memory.dmp

Filesize
4.0MB

Download
memory/3308-10-0x0000000003480000-0x0000000003880000-memory.dmp

Filesize
4.0MB

Download
memory/3308-2-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3308-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3308-6-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download