Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/02/2024, 12:03
Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231215-en
4 signatures
150 seconds

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20231215-en
5 signatures
150 seconds
General
Target: tmp.exe
Size: 474KB
MD5: f3912a40a9803c00483e262601290abb
SHA1: d75486f5e418802aecbe8199c64d67c45ffa001f
SHA256: 33b58cc2d64611459673bee5b1a4ae49db540c61b2e4f4872bbfd68e175954f1
SHA512: 519a2bed606b36a75fbb8bd64df24d892f3461471d21870b2ba9ec1fe0e7774d9ebf6d7fa77bd1e0b10842bae1c2c439dd8e7618454444afd7fe6c4646b86d78
SSDEEP: 12288:q1jaxEe3eYeEP7+GhvbrnPA+B3E5f7Mn:m/eZeEPyGhPPFuyn
Score: 10/10
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description                  pid   Process   procid_target
PID 1964 created 1216        1964  tmp.exe   18

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1964  tmp.exe
1964  tmp.exe
2684  dialer.exe
2684  dialer.exe
2684  dialer.exe
2684  dialer.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process   procid_target
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
PID 1964 wrote to memory of 2684     1964  tmp.exe   28
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1216

  C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1964

  C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 2684