rhadamanthys | 6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e

Analysis

max time kernel
36s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlimited_Crack.exe
Size

364KB
MD5

1b8fb8b2b74de6c36c0bf69a0d2f5664
SHA1

8ea83f1e865a9486b7d9a715728af845db23f63c
SHA256

6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e
SHA512

84dc5ec442558e21bc316dd0745c44d1b57be65c2d8b3326d3c42808977960249ccd9836d7f5fc7e8a17b8d27bf6ebb9671c4a5908f9a1c74c66397ef8859898
SSDEEP

6144:49iJkovicebiNJ0mL2lvArd15G1Yct56vTN19z7yY2lg7mlm1gWnOayBsBGaCv/u:NhaPbiNJFLSAp15Qdsj952ymlxWnjLIu

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 656 created 2420 656 RegAsm.exe sihost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Unlimited_Crack.exe

description pid process target process

PID 2876 set thread context of 656 2876 Unlimited_Crack.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2024 656 WerFault.exe RegAsm.exe
5028 656 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exedialer.exe

pid process

656 RegAsm.exe
656 RegAsm.exe
4192 dialer.exe
4192 dialer.exe
4192 dialer.exe
4192 dialer.exe

description	pid	process	target process
PID 656 created 2420	656	RegAsm.exe	sihost.exe

description	pid	process	target process
PID 2876 set thread context of 656	2876	Unlimited_Crack.exe	RegAsm.exe

pid	pid_target	process	target process
2024	656	WerFault.exe	RegAsm.exe
5028	656	WerFault.exe	RegAsm.exe

pid	process
656	RegAsm.exe
656	RegAsm.exe
4192	dialer.exe
4192	dialer.exe
4192	dialer.exe
4192	dialer.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Unlimited_Crack.exeRegAsm.exe

description	pid	process	target process
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 2876 wrote to memory of 656	2876	Unlimited_Crack.exe	RegAsm.exe
PID 656 wrote to memory of 4192	656	RegAsm.exe	dialer.exe
PID 656 wrote to memory of 4192	656	RegAsm.exe	dialer.exe
PID 656 wrote to memory of 4192	656	RegAsm.exe	dialer.exe
PID 656 wrote to memory of 4192	656	RegAsm.exe	dialer.exe
PID 656 wrote to memory of 4192	656	RegAsm.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2420

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 588
3⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 624
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 656 -ip 656
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 656 -ip 656
1⤵
PID:4544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-15-0x00007FF98FED0000-0x00007FF9900C5000-memory.dmp

Filesize
2.0MB

Download
memory/656-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/656-27-0x0000000003A50000-0x0000000003E50000-memory.dmp

Filesize
4.0MB

Download
memory/656-18-0x0000000077750000-0x0000000077965000-memory.dmp

Filesize
2.1MB

Download
memory/656-16-0x0000000003A50000-0x0000000003E50000-memory.dmp

Filesize
4.0MB

Download
memory/656-10-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/656-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/656-12-0x0000000003A50000-0x0000000003E50000-memory.dmp

Filesize
4.0MB

Download
memory/656-13-0x0000000003A50000-0x0000000003E50000-memory.dmp

Filesize
4.0MB

Download
memory/656-14-0x0000000003A50000-0x0000000003E50000-memory.dmp

Filesize
4.0MB

Download
memory/2876-8-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2876-1-0x00000000008D0000-0x0000000000932000-memory.dmp

Filesize
392KB

Download
memory/2876-6-0x0000000002D10000-0x0000000004D10000-memory.dmp

Filesize
32.0MB

Download
memory/2876-0-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4192-19-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/4192-21-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/4192-22-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/4192-23-0x00007FF98FED0000-0x00007FF9900C5000-memory.dmp

Filesize
2.0MB

Download
memory/4192-25-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/4192-26-0x0000000077750000-0x0000000077965000-memory.dmp

Filesize
2.1MB

Download
memory/4192-28-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download