rhadamanthys | f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453

Analysis

max time kernel
196s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-04-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe
Size

5.6MB
MD5

93a9e3c51d74beb9591c51a28d634048
SHA1

cab58975cadcd89d14e98ec0e5cf3a950d7ea479
SHA256

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453
SHA512

6913fdcf261027cd8aae4a4f5a7c74c10cf570f364550fddc6f4369fa8e8702bef30d22130984fa592788e6e0afc96150f9f588d64811ed88da56a4c7f711b25
SSDEEP

98304:gAoK6oWRH2P1Y/abpyrjavXi/lQqBLm/Bn85w7dZBzr:KK6lx2Y/abYrsXXq1mJntdZBzr

Score

10^/10

rhadamanthys zgrat rat stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2412-0-0x0000000000DB0000-0x000000000133C000-memory.dmp family_zgrat_v1

resource	yara_rule
behavioral2/memory/2412-0-0x0000000000DB0000-0x000000000133C000-memory.dmp	family_zgrat_v1

Detects DLL dropped by Raspberry Robin. 2 IoCs

Raspberry Robin.

Processes:

resource	yara_rule
behavioral2/memory/1520-38-0x0000000075EB0000-0x0000000076072000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4724-44-0x0000000075EB0000-0x0000000076072000-memory.dmp	Raspberry_Robin_DLL_MAY_2022

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MsBuild.exe

description pid process target process

PID 1520 created 2524 1520 MsBuild.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Loads dropped DLL 1 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

pid process

2412 f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

description pid process target process

PID 2412 set thread context of 1520 2412 f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe MsBuild.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1532 1520 WerFault.exe MsBuild.exe
3940 1520 WerFault.exe MsBuild.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MsBuild.exedialer.exe

pid process

1520 MsBuild.exe
1520 MsBuild.exe
4724 dialer.exe
4724 dialer.exe
4724 dialer.exe
4724 dialer.exe

description	pid	process	target process
PID 1520 created 2524	1520	MsBuild.exe	sihost.exe

pid	process
2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe

description	pid	process	target process
PID 2412 set thread context of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe

pid	pid_target	process	target process
1532	1520	WerFault.exe	MsBuild.exe
3940	1520	WerFault.exe	MsBuild.exe

pid	process
1520	MsBuild.exe
1520	MsBuild.exe
4724	dialer.exe
4724	dialer.exe
4724	dialer.exe
4724	dialer.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exeMsBuild.exe

description	pid	process	target process
PID 2412 wrote to memory of 3188	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 3188	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 3188	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 788	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 788	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 788	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 2412 wrote to memory of 1520	2412	f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe	MsBuild.exe
PID 1520 wrote to memory of 4724	1520	MsBuild.exe	dialer.exe
PID 1520 wrote to memory of 4724	1520	MsBuild.exe	dialer.exe
PID 1520 wrote to memory of 4724	1520	MsBuild.exe	dialer.exe
PID 1520 wrote to memory of 4724	1520	MsBuild.exe	dialer.exe
PID 1520 wrote to memory of 4724	1520	MsBuild.exe	dialer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Users\Admin\AppData\Local\Temp\f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe
"C:\Users\Admin\AppData\Local\Temp\f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 500
3⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 480
3⤵
- Program crash
PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/1520-48-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/1520-37-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/1520-38-0x0000000075EB0000-0x0000000076072000-memory.dmp

Filesize
1.8MB

Download
memory/1520-35-0x00007FF9B2A30000-0x00007FF9B2C0B000-memory.dmp

Filesize
1.9MB

Download
memory/1520-33-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/1520-34-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/1520-32-0x0000000004180000-0x0000000004580000-memory.dmp

Filesize
4.0MB

Download
memory/1520-26-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1520-28-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1520-29-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2412-24-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-7-0x0000000005FE0000-0x0000000006072000-memory.dmp

Filesize
584KB

Download
memory/2412-13-0x00000000084F0000-0x0000000008682000-memory.dmp

Filesize
1.6MB

Download
memory/2412-11-0x0000000008240000-0x00000000084E8000-memory.dmp

Filesize
2.7MB

Download
memory/2412-19-0x00000000060E0000-0x00000000060F0000-memory.dmp

Filesize
64KB

Download
memory/2412-23-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-22-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-20-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-21-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-0-0x0000000000DB0000-0x000000000133C000-memory.dmp

Filesize
5.5MB

Download
memory/2412-25-0x0000000008FF0000-0x00000000090F0000-memory.dmp

Filesize
1024KB

Download
memory/2412-10-0x0000000006E60000-0x000000000723A000-memory.dmp

Filesize
3.9MB

Download
memory/2412-9-0x0000000006730000-0x0000000006A80000-memory.dmp

Filesize
3.3MB

Download
memory/2412-8-0x0000000005BF0000-0x0000000005C02000-memory.dmp

Filesize
72KB

Download
memory/2412-31-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-12-0x00000000089F0000-0x0000000008EEE000-memory.dmp

Filesize
5.0MB

Download
memory/2412-6-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/2412-5-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-4-0x0000000006200000-0x000000000672C000-memory.dmp

Filesize
5.2MB

Download
memory/2412-1-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-3-0x0000000005C30000-0x0000000005CCC000-memory.dmp

Filesize
624KB

Download
memory/2412-2-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

Filesize
64KB

Download
memory/4724-41-0x0000000004410000-0x0000000004810000-memory.dmp

Filesize
4.0MB

Download
memory/4724-44-0x0000000075EB0000-0x0000000076072000-memory.dmp

Filesize
1.8MB

Download
memory/4724-42-0x00007FF9B2A30000-0x00007FF9B2C0B000-memory.dmp

Filesize
1.9MB

Download
memory/4724-46-0x00007FF9B2A30000-0x00007FF9B2C0B000-memory.dmp

Filesize
1.9MB

Download
memory/4724-45-0x0000000004410000-0x0000000004810000-memory.dmp

Filesize
4.0MB

Download
memory/4724-47-0x0000000004410000-0x0000000004810000-memory.dmp

Filesize
4.0MB

Download
memory/4724-39-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download