rhadamanthys | 8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
Size

2.2MB
MD5

0234bff4bd4e6dd7a80d3fde4f12fc09
SHA1

7fb0e3bc8c71759028b30c1b2a45362ccdb14fd8
SHA256

8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946
SHA512

ee100be2cbdc3f3a87e0510958a63ff0d8f0346ddf24d724417bcacf443cc675a051ca0b8c2a8c3b4fd9dc5e443c18fdebb60a5967aa8a0f29a42a901bfd0b84
SSDEEP

49152:ileMKip5GL0peV5i38S1y16Bxase11gPSBajGWtA2ZHALmem:dW9g16haIjGz2ZHHem

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 112 created 2672	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	44

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
3196	openwith.exe
3196	openwith.exe
3196	openwith.exe
3196	openwith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
Token: SeDebugPrivilege	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 4744 wrote to memory of 112	4744	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	84
PID 112 wrote to memory of 3196	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	85
PID 112 wrote to memory of 3196	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	85
PID 112 wrote to memory of 3196	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	85
PID 112 wrote to memory of 3196	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	85
PID 112 wrote to memory of 3196	112	8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe	85

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2672
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196

C:\Users\Admin\AppData\Local\Temp\8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
"C:\Users\Admin\AppData\Local\Temp\8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe
  "C:\Users\Admin\AppData\Local\Temp\8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8c415f6e9e4ddc4df9433b33035ee3c9750283cc9306cdf97d4f9b9df1036946.exe.log

Filesize
958B

MD5
2653ec7e43bfbe52024d5bf4ec27a515

SHA1
a08848300075d1c0b385532d840a43e1fd7251fa

SHA256
5d7f555a970cc34988aac2e5deaccfc12ef69b5d9ea55fd8d31a9b4b8377f4f2

SHA512
b3caeb925a71e99121b34cd1644f199e33a9b73b435cafb47bba0ffb7156d71b3b3ac424076cf0a600eeb422cb358420915a29b97c974937ebf9186bea05938d

Download Submit
memory/112-4875-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/112-4874-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/112-4877-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/112-4878-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/112-4891-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/112-4883-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/112-4879-0x0000000005810000-0x0000000005818000-memory.dmp

Filesize
32KB

Download
memory/3196-4896-0x0000000002630000-0x0000000002A30000-memory.dmp

Filesize
4.0MB

Download
memory/3196-4893-0x0000000002630000-0x0000000002A30000-memory.dmp

Filesize
4.0MB

Download
memory/3196-4890-0x0000000002630000-0x0000000002A30000-memory.dmp

Filesize
4.0MB

Download
memory/4744-23-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-13-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-30-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-48-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-46-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-49-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-53-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-51-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-43-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-41-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-39-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-37-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-35-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-33-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-27-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-5-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-21-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-25-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-19-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-17-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-16-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-32-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-11-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-9-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-67-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-65-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-63-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-61-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-59-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-57-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-55-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-4866-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4744-7-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-4-0x0000000005870000-0x0000000005B28000-memory.dmp

Filesize
2.7MB

Download
memory/4744-3-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4744-2-0x0000000005870000-0x0000000005B2E000-memory.dmp

Filesize
2.7MB

Download
memory/4744-1-0x0000000000AE0000-0x0000000000D1A000-memory.dmp

Filesize
2.2MB

Download
memory/4744-0-0x0000000074E0E000-0x0000000074E0F000-memory.dmp

Filesize
4KB

Download
memory/4744-4867-0x0000000005EF0000-0x0000000005FEC000-memory.dmp

Filesize
1008KB

Download
memory/4744-4868-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/4744-4869-0x00000000066C0000-0x0000000006C64000-memory.dmp

Filesize
5.6MB

Download
memory/4744-4870-0x0000000006000000-0x0000000006054000-memory.dmp

Filesize
336KB

Download
memory/4744-4876-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download