rhadamanthys | bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CelestialCodes.exe
Size

10.0MB
MD5

507048fc3e8bf91b8ea467045bc2964b
SHA1

e790cdea39a0f8c0644425e762488f9fbdea66ee
SHA256

bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203
SHA512

50a8a1a574b815b8899e09f4e83f526d2bda50f122e71afc246e2877b004aa488991c7c6a975edfc42e5ac22c2aba6c7c3b63556680fc73216f9da20bcb72f9b
SSDEEP

49152:ooUwF2D7Ah9uRoSouISQFcd2fRMEhax30H5YeFQZc3jg7RaOa1mRI0oet8HOgrbF:ohshoqSPBk2ba14oodw5f9UEHz5QMjOy

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2136 created 2512	2136	BitLockerToGo.exe	42

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2136	1632	CelestialCodes.exe	99

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4340	2136	WerFault.exe	99
1588	2136	WerFault.exe	99

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2136	BitLockerToGo.exe
2136	BitLockerToGo.exe
1484	dialer.exe
1484	dialer.exe
1484	dialer.exe
1484	dialer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2136	1632	CelestialCodes.exe	99
PID 1632 wrote to memory of 2136	1632	CelestialCodes.exe	99
PID 1632 wrote to memory of 2136	1632	CelestialCodes.exe	99
PID 1632 wrote to memory of 2136	1632	CelestialCodes.exe	99
PID 1632 wrote to memory of 2136	1632	CelestialCodes.exe	99
PID 2136 wrote to memory of 1484	2136	BitLockerToGo.exe	100
PID 2136 wrote to memory of 1484	2136	BitLockerToGo.exe	100
PID 2136 wrote to memory of 1484	2136	BitLockerToGo.exe	100
PID 2136 wrote to memory of 1484	2136	BitLockerToGo.exe	100
PID 2136 wrote to memory of 1484	2136	BitLockerToGo.exe	100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2512
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484

C:\Users\Admin\AppData\Local\Temp\CelestialCodes.exe
"C:\Users\Admin\AppData\Local\Temp\CelestialCodes.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 440
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 432
    3⤵
    - Program crash
    PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2136 -ip 2136
1⤵
PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1484-18-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/1484-27-0x00000000025B0000-0x00000000029B0000-memory.dmp

Filesize
4.0MB

Download
memory/1484-25-0x0000000076490000-0x00000000766A5000-memory.dmp

Filesize
2.1MB

Download
memory/1484-24-0x00000000025B0000-0x00000000029B0000-memory.dmp

Filesize
4.0MB

Download
memory/1484-22-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1484-20-0x00000000025B0000-0x00000000029B0000-memory.dmp

Filesize
4.0MB

Download
memory/1484-21-0x00000000025B0000-0x00000000029B0000-memory.dmp

Filesize
4.0MB

Download
memory/1632-5-0x00007FF761410000-0x00007FF761EB1000-memory.dmp

Filesize
10.6MB

Download
memory/1632-7-0x00007FF761410000-0x00007FF761EB1000-memory.dmp

Filesize
10.6MB

Download
memory/1632-0-0x00007FF761410000-0x00007FF761EB1000-memory.dmp

Filesize
10.6MB

Download
memory/2136-10-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2136-17-0x0000000076490000-0x00000000766A5000-memory.dmp

Filesize
2.1MB

Download
memory/2136-16-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/2136-14-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp

Filesize
2.0MB

Download
memory/2136-13-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/2136-12-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/2136-11-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/2136-9-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2136-6-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2136-26-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download