rhadamanthys | 6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e

General

Target

Unlimited_Crack.exe
Size

364KB
MD5

1b8fb8b2b74de6c36c0bf69a0d2f5664
SHA1

8ea83f1e865a9486b7d9a715728af845db23f63c
SHA256

6e217c13ce7f7104b9e251f715ed0191d1c6751cd9c4b352320c0314fafbe57e
SHA512

84dc5ec442558e21bc316dd0745c44d1b57be65c2d8b3326d3c42808977960249ccd9836d7f5fc7e8a17b8d27bf6ebb9671c4a5908f9a1c74c66397ef8859898
SSDEEP

6144:49iJkovicebiNJ0mL2lvArd15G1Yct56vTN19z7yY2lg7mlm1gWnOayBsBGaCv/u:NhaPbiNJFLSAp15Qdsj952ymlxWnjLIu

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 3432 created 2072 3432 RegAsm.exe sihost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Unlimited_Crack.exe

description pid process target process

PID 2040 set thread context of 3432 2040 Unlimited_Crack.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3540 3432 WerFault.exe RegAsm.exe
1160 3432 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exedialer.exe

pid process

3432 RegAsm.exe
3432 RegAsm.exe
2400 dialer.exe
2400 dialer.exe
2400 dialer.exe
2400 dialer.exe

description	pid	process	target process
PID 3432 created 2072	3432	RegAsm.exe	sihost.exe

description	pid	process	target process
PID 2040 set thread context of 3432	2040	Unlimited_Crack.exe	RegAsm.exe

pid	pid_target	process	target process
3540	3432	WerFault.exe	RegAsm.exe
1160	3432	WerFault.exe	RegAsm.exe

pid	process
3432	RegAsm.exe
3432	RegAsm.exe
2400	dialer.exe
2400	dialer.exe
2400	dialer.exe
2400	dialer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Unlimited_Crack.exeRegAsm.exe

description	pid	process	target process
PID 2040 wrote to memory of 3100	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3100	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3100	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 2040 wrote to memory of 3432	2040	Unlimited_Crack.exe	RegAsm.exe
PID 3432 wrote to memory of 2400	3432	RegAsm.exe	dialer.exe
PID 3432 wrote to memory of 2400	3432	RegAsm.exe	dialer.exe
PID 3432 wrote to memory of 2400	3432	RegAsm.exe	dialer.exe
PID 3432 wrote to memory of 2400	3432	RegAsm.exe	dialer.exe
PID 3432 wrote to memory of 2400	3432	RegAsm.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2072

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Unlimited_Crack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 540
3⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 552
3⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3432 -ip 3432
1⤵
PID:2264

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-9-0x00000000035F0000-0x00000000055F0000-memory.dmp

Filesize
32.0MB

Download
memory/2040-1-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/2040-10-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/2040-0-0x0000000000FF0000-0x0000000001052000-memory.dmp

Filesize
392KB

Download
memory/2400-29-0x0000000002C30000-0x0000000003030000-memory.dmp

Filesize
4.0MB

Download
memory/2400-19-0x0000000000DA0000-0x0000000000DA9000-memory.dmp

Filesize
36KB

Download
memory/2400-30-0x00007FFEFA3A0000-0x00007FFEFA5A9000-memory.dmp

Filesize
2.0MB

Download
memory/2400-26-0x0000000076910000-0x0000000076B62000-memory.dmp

Filesize
2.3MB

Download
memory/2400-27-0x00007FFEFA3A0000-0x00007FFEFA5A9000-memory.dmp

Filesize
2.0MB

Download
memory/2400-25-0x0000000002C30000-0x0000000003030000-memory.dmp

Filesize
4.0MB

Download
memory/2400-23-0x00007FFEFA3A0000-0x00007FFEFA5A9000-memory.dmp

Filesize
2.0MB

Download
memory/2400-22-0x0000000002C30000-0x0000000003030000-memory.dmp

Filesize
4.0MB

Download
memory/2400-21-0x0000000002C30000-0x0000000003030000-memory.dmp

Filesize
4.0MB

Download
memory/3432-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3432-18-0x0000000076910000-0x0000000076B62000-memory.dmp

Filesize
2.3MB

Download
memory/3432-17-0x0000000003FA0000-0x00000000043A0000-memory.dmp

Filesize
4.0MB

Download
memory/3432-15-0x00007FFEFA3A0000-0x00007FFEFA5A9000-memory.dmp

Filesize
2.0MB

Download
memory/3432-14-0x0000000003FA0000-0x00000000043A0000-memory.dmp

Filesize
4.0MB

Download
memory/3432-13-0x0000000003FA0000-0x00000000043A0000-memory.dmp

Filesize
4.0MB

Download
memory/3432-12-0x0000000003FA0000-0x00000000043A0000-memory.dmp

Filesize
4.0MB

Download
memory/3432-28-0x0000000003FA0000-0x00000000043A0000-memory.dmp

Filesize
4.0MB

Download
memory/3432-7-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3432-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads