rhadamanthys | c864ab5ef50b025944037f9ee0feec332ca62a734f7650e6c411617d1b7dc174

Analysis

max time kernel
39s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 18:05

Target

run.bat
Size

73B
MD5

ed0af6063e22a6abf2073ba2321a9731
SHA1

0142b9f8e7518951113104f13e53c1fa24bd654a
SHA256

c9ee9421067791957a1382ef092232b20ed90ba30feb6bd2d6c16c86307e9e16
SHA512

02c24d1189114ecacc78adcdd7e0e6331ac8c349e70b382ed964d2d57c9456e7891092cc5bf224a126522073b0164eec1eba3e5e16eff3c81254aba1d1ca9b88

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1160 created 3068	1160	install.exe	51

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1160	1080	cmd.exe	82
PID 1080 wrote to memory of 1160	1080	cmd.exe	82
PID 1080 wrote to memory of 1160	1080	cmd.exe	82
PID 1160 wrote to memory of 3412	1160	install.exe	83
PID 1160 wrote to memory of 3412	1160	install.exe	83
PID 1160 wrote to memory of 3412	1160	install.exe	83
PID 1160 wrote to memory of 3412	1160	install.exe	83
PID 1160 wrote to memory of 3412	1160	install.exe	83

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3068
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "install.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1160

memory/1160-4-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1160-1-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1160-2-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1160-3-0x00007FFBE10D0000-0x00007FFBE12C5000-memory.dmp

Filesize
2.0MB

Download
memory/1160-5-0x00000000037B0000-0x0000000003BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1160-7-0x0000000075290000-0x00000000754A5000-memory.dmp

Filesize
2.1MB

Download
memory/1160-0-0x0000000000560000-0x00000000005C1000-memory.dmp

Filesize
388KB

Download
memory/1160-9-0x0000000002610000-0x000000000268A000-memory.dmp

Filesize
488KB

Download
memory/3412-8-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/3412-13-0x00007FFBE10D0000-0x00007FFBE12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3412-15-0x0000000075290000-0x00000000754A5000-memory.dmp

Filesize
2.1MB

Download
memory/3412-16-0x0000000002BB0000-0x0000000002FB0000-memory.dmp

Filesize
4.0MB

Download
memory/3412-11-0x0000000002BB0000-0x0000000002FB0000-memory.dmp

Filesize
4.0MB

Download
memory/3412-12-0x0000000002BB0000-0x0000000002FB0000-memory.dmp

Filesize
4.0MB

Download
memory/3412-17-0x0000000002BB0000-0x0000000002FB0000-memory.dmp

Filesize
4.0MB

Download