Analysis
-
max time kernel
115s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06-04-2024 01:15
Static task
static1
Behavioral task
behavioral1
Sample
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe
Resource
win10v2004-20240226-en
General
-
Target
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe
-
Size
353KB
-
MD5
fe36f2fda53c21f8f7e06629cdcc377b
-
SHA1
3988d1e0628299d29ef39bbb7f24ee347933ab9b
-
SHA256
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14
-
SHA512
fa56f2dcd9fb050718389458f892a8ba2efddb81d3b72e18221333cae245e2a475a52dbc58d6ab51e0e508a31922de60f42dbd2405c7f1e0d634e46fb6261689
-
SSDEEP
6144:IM4ypBt/6bC6p/8jJkJaVnQUKRnazBrRYJs3mb2stMK39V8s98ix2p:IM1t/6+6pWG8aRna9RYSQTXtV8s98E2
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exedescription pid process target process PID 1380 created 2516 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe sihost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exedialer.exepid process 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe 4812 dialer.exe 4812 dialer.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exedescription pid process target process PID 1380 wrote to memory of 4812 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe dialer.exe PID 1380 wrote to memory of 4812 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe dialer.exe PID 1380 wrote to memory of 4812 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe dialer.exe PID 1380 wrote to memory of 4812 1380 4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe dialer.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2516
-
C:\Windows\system32\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812
-
C:\Users\Admin\AppData\Local\Temp\4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe"C:\Users\Admin\AppData\Local\Temp\4fb58687a364c3f6d6f7e0ca03654f9dec0f8832a499d61d40b0d424db1b1b14.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:81⤵PID:1424