rhadamanthys | 38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e

Analysis

max time kernel
49s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 07:38

Target

hoge.exe
Size

621KB
MD5

be87ad5596852c9930270778e9eced54
SHA1

34a1842d2fd4dbcdc27b892d18ad920ac9d03826
SHA256

38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e
SHA512

a16e49beb95f461ff5d4af63017bdcd9844800e8037d43942e28e0a3dfa71ceb0808e5020f955380902fdb4c9887ed6e092cfce9a9cf24f6be2e3e9586dbef04
SSDEEP

12288:zE50GSHrG6W42JcycysY0V3D9wCV+2nXGwnUP345WRgG3OkGGs/Lwmm:o+GSHrG6W42JcychY0FD9wCVBHw3yeJF

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3932 created 2652	3932	hoge.exe	49

Deletes itself 1 IoCs

pid	Process
3068	dialer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3068	3932	hoge.exe	91
PID 3932 wrote to memory of 3068	3932	hoge.exe	91
PID 3932 wrote to memory of 3068	3932	hoge.exe	91
PID 3932 wrote to memory of 3068	3932	hoge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4768

memory/3068-14-0x00007FFCAB4B0000-0x00007FFCAB56E000-memory.dmp

Filesize
760KB

Download
memory/3068-8-0x00000212C4DD0000-0x00000212C4DD9000-memory.dmp

Filesize
36KB

Download
memory/3068-17-0x00000212C69A0000-0x00000212C6DA0000-memory.dmp

Filesize
4.0MB

Download
memory/3068-15-0x00000212C69A0000-0x00000212C6DA0000-memory.dmp

Filesize
4.0MB

Download
memory/3068-16-0x00007FFCAA8A0000-0x00007FFCAAB69000-memory.dmp

Filesize
2.8MB

Download
memory/3068-13-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-12-0x00000212C69A0000-0x00000212C6DA0000-memory.dmp

Filesize
4.0MB

Download
memory/3932-5-0x00000000032E0000-0x00000000036E0000-memory.dmp

Filesize
4.0MB

Download
memory/3932-9-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3932-7-0x00007FFCAA8A0000-0x00007FFCAAB69000-memory.dmp

Filesize
2.8MB

Download
memory/3932-1-0x00000000032E0000-0x00000000036E0000-memory.dmp

Filesize
4.0MB

Download
memory/3932-6-0x00007FFCAB4B0000-0x00007FFCAB56E000-memory.dmp

Filesize
760KB

Download
memory/3932-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3932-4-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/3932-3-0x00000000032E0000-0x00000000036E0000-memory.dmp

Filesize
4.0MB

Download
memory/3932-2-0x00000000032E0000-0x00000000036E0000-memory.dmp

Filesize
4.0MB

Download