rhadamanthys | c529cd95c0c85ca18df3e690f840e51d0be33b5b92f8bf1e9f91821eaedac68c

Analysis

max time kernel
92s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 20:22

Target

run.bat
Size

70B
MD5

922d706a6ff52cd5f8ff57287aec9907
SHA1

c2093b630f1180bc8b48c71957655182f6a56053
SHA256

12ecd3179026dc979012895d1ba547cdd48b6940d34eb5cca266ef943c990efd
SHA512

eca850162e741141a2a7e62a028cfb3c9ec45baecbdf9a0560fbc82a3aed2ef9fccd108aa8b167002fd1727e0170cdfc29a3d5d4bb574690cdeefa6b2b3e6fb3

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4432 created 2500	4432	file.exe	43

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4432	2724	cmd.exe	86
PID 2724 wrote to memory of 4432	2724	cmd.exe	86
PID 2724 wrote to memory of 4432	2724	cmd.exe	86
PID 4432 wrote to memory of 4600	4432	file.exe	90
PID 4432 wrote to memory of 4600	4432	file.exe	90
PID 4432 wrote to memory of 4600	4432	file.exe	90
PID 4432 wrote to memory of 4600	4432	file.exe	90
PID 4432 wrote to memory of 4600	4432	file.exe	90

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2500
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4432

memory/4432-0-0x0000000000530000-0x0000000000591000-memory.dmp

Filesize
388KB

Download
memory/4432-1-0x0000000003920000-0x0000000003D20000-memory.dmp

Filesize
4.0MB

Download
memory/4432-3-0x0000000003920000-0x0000000003D20000-memory.dmp

Filesize
4.0MB

Download
memory/4432-2-0x0000000003920000-0x0000000003D20000-memory.dmp

Filesize
4.0MB

Download
memory/4432-4-0x00007FFADD230000-0x00007FFADD425000-memory.dmp

Filesize
2.0MB

Download
memory/4432-6-0x0000000003920000-0x0000000003D20000-memory.dmp

Filesize
4.0MB

Download
memory/4432-7-0x0000000075F40000-0x0000000076155000-memory.dmp

Filesize
2.1MB

Download
memory/4600-8-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/4600-11-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Filesize
4.0MB

Download
memory/4600-10-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Filesize
4.0MB

Download
memory/4600-14-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Filesize
4.0MB

Download
memory/4600-15-0x0000000075F40000-0x0000000076155000-memory.dmp

Filesize
2.1MB

Download
memory/4600-12-0x00007FFADD230000-0x00007FFADD425000-memory.dmp

Filesize
2.0MB

Download
memory/4600-16-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Filesize
4.0MB

Download