rhadamanthys | f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453

General

Target

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe
Size

5.6MB
MD5

93a9e3c51d74beb9591c51a28d634048
SHA1

cab58975cadcd89d14e98ec0e5cf3a950d7ea479
SHA256

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453
SHA512

6913fdcf261027cd8aae4a4f5a7c74c10cf570f364550fddc6f4369fa8e8702bef30d22130984fa592788e6e0afc96150f9f588d64811ed88da56a4c7f711b25
SSDEEP

98304:gAoK6oWRH2P1Y/abpyrjavXi/lQqBLm/Bn85w7dZBzr:KK6lx2Y/abYrsXXq1mJntdZBzr

Score

10^/10

rhadamanthys zgrat rat stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2456-1-0x0000000000E00000-0x000000000138C000-memory.dmp	family_zgrat_v1

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MsBuild.exe

description pid process target process

PID 2644 created 1228 2644 MsBuild.exe Explorer.EXE
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Loads dropped DLL 1 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

pid process

2456 f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

description	pid	process	target process
PID 2644 created 1228	2644	MsBuild.exe	Explorer.EXE

pid	process
2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

description	pid	process	target process
PID 2456 set thread context of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MsBuild.exedialer.exe

pid process

2644 MsBuild.exe
2644 MsBuild.exe
1028 dialer.exe
1028 dialer.exe
1028 dialer.exe
1028 dialer.exe

pid	process
2644	MsBuild.exe
2644	MsBuild.exe
1028	dialer.exe
1028	dialer.exe
1028	dialer.exe
1028	dialer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exeMsBuild.exe

description	pid	process	target process
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2456 wrote to memory of 2644	2456	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe
PID 2644 wrote to memory of 1028	2644	MsBuild.exe	dialer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe
"C:\Users\Admin\AppData\Local\Temp\f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/1028-38-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1028-48-0x0000000001E60000-0x0000000002260000-memory.dmp

Filesize
4.0MB

Download
memory/1028-45-0x0000000074E40000-0x0000000074E87000-memory.dmp

Filesize
284KB

Download
memory/1028-46-0x0000000001E60000-0x0000000002260000-memory.dmp

Filesize
4.0MB

Download
memory/1028-47-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/1028-43-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/1028-42-0x0000000001E60000-0x0000000002260000-memory.dmp

Filesize
4.0MB

Download
memory/1028-41-0x0000000001E60000-0x0000000002260000-memory.dmp

Filesize
4.0MB

Download
memory/2456-31-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-2-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-14-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2456-15-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-16-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-18-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-17-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-19-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-1-0x0000000000E00000-0x000000000138C000-memory.dmp

Filesize
5.5MB

Download
memory/2456-12-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-3-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-0-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-4-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-5-0x0000000006950000-0x0000000006BF8000-memory.dmp

Filesize
2.7MB

Download
memory/2456-6-0x00000000070D0000-0x0000000007262000-memory.dmp

Filesize
1.6MB

Download
memory/2456-11-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2456-13-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2644-24-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-21-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-32-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/2644-33-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/2644-34-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/2644-36-0x0000000074E40000-0x0000000074E87000-memory.dmp

Filesize
284KB

Download
memory/2644-37-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/2644-25-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-39-0x0000000003190000-0x0000000003590000-memory.dmp

Filesize
4.0MB

Download
memory/2644-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-27-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-22-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-23-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-30-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-29-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-20-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads