Malware Analysis Report

2024-11-30 02:15

Sample ID 240328-p7vptaeg2t
Target f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
Tags
rhadamanthys stealer
score
10/10


Analysis Overview

score
10/10

SHA256

f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84

Threat Level: Known bad

The file f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-28 12:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 12:58

Reported

2024-03-28 13:01

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4100 created 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3404 set thread context of 4100 N/A C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 4100 (11 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4100 wrote to memory of 1192 (5 identical entries) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe

"C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3404 -ip 3404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 868

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 596

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/3404-1-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/3404-0-0x0000000000480000-0x00000000004EE000-memory.dmp

memory/3404-2-0x00000000028B0000-0x00000000028C0000-memory.dmp

memory/4100-5-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4100-8-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3404-9-0x00000000028E0000-0x00000000048E0000-memory.dmp

memory/4100-10-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4100-11-0x0000000003650000-0x0000000003A50000-memory.dmp

memory/4100-13-0x0000000003650000-0x0000000003A50000-memory.dmp

memory/4100-14-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

memory/4100-16-0x0000000003650000-0x0000000003A50000-memory.dmp

memory/4100-17-0x00000000762D0000-0x00000000764E5000-memory.dmp

memory/1192-18-0x0000000000CF0000-0x0000000000CF9000-memory.dmp

memory/3404-20-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/1192-21-0x0000000002870000-0x0000000002C70000-memory.dmp

memory/1192-22-0x0000000002870000-0x0000000002C70000-memory.dmp

memory/4100-23-0x0000000003650000-0x0000000003A50000-memory.dmp

memory/1192-25-0x0000000002870000-0x0000000002C70000-memory.dmp

memory/1192-24-0x00007FFB42830000-0x00007FFB42A25000-memory.dmp

memory/1192-27-0x00000000762D0000-0x00000000764E5000-memory.dmp

memory/1192-28-0x0000000002870000-0x0000000002C70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 12:58

Reported

2024-03-28 13:01

Platform

win11-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2144 created 2696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4260 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4260 wrote to memory of 2144 (11 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2144 wrote to memory of 4844 (5 identical entries) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe

"C:\Users\Admin\AppData\Local\Temp\f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 884

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2144 -ip 2144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 516

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4260-1-0x0000000000D20000-0x0000000000D8E000-memory.dmp

memory/4260-0-0x0000000075130000-0x00000000758E1000-memory.dmp

memory/4260-2-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/2144-5-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2144-8-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4260-9-0x0000000003340000-0x0000000005340000-memory.dmp

memory/2144-10-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4260-11-0x0000000075130000-0x00000000758E1000-memory.dmp

memory/2144-12-0x0000000003A50000-0x0000000003E50000-memory.dmp

memory/2144-13-0x0000000003A50000-0x0000000003E50000-memory.dmp

memory/2144-14-0x0000000003A50000-0x0000000003E50000-memory.dmp

memory/2144-15-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp

memory/2144-17-0x0000000003A50000-0x0000000003E50000-memory.dmp

memory/2144-18-0x0000000076360000-0x00000000765B2000-memory.dmp

memory/4844-19-0x0000000000310000-0x0000000000319000-memory.dmp

memory/2144-20-0x0000000003A50000-0x0000000003E50000-memory.dmp

memory/4844-23-0x0000000002370000-0x0000000002770000-memory.dmp

memory/4844-24-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp

memory/4844-25-0x0000000002370000-0x0000000002770000-memory.dmp

memory/4844-28-0x0000000076360000-0x00000000765B2000-memory.dmp

memory/4844-27-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp

memory/4844-29-0x0000000002370000-0x0000000002770000-memory.dmp

memory/4844-30-0x00007FFD5DB60000-0x00007FFD5DD69000-memory.dmp