rhadamanthys | 36bfb2c2ee18a261428200382979de5bf383aba6a8e21e3803f206f4a04ca334

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver1.exe
Size

10.8MB
MD5

0d96801162f9328e93406310ce13dcd8
SHA1

1dd705c9eca5bf057ed1ae1d00df266b8d2ee446
SHA256

36bfb2c2ee18a261428200382979de5bf383aba6a8e21e3803f206f4a04ca334
SHA512

4f4235b8d3b61edf6ee5a8a9170b9f18fa9bc077896b4d54a668bea46763f322bd2fb7924292092b85bf46d69f10d7146863205e6f84e19d540149510e2d27dd
SSDEEP

98304:qd9qQ34+7AhdAOHlfY88KC/EFLvcOXhHd/0h+5:qj4+7AhdHHlppFLn9

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3172 created 2656	3172	BitLockerToGo.exe	44

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4584 set thread context of 3172	4584	driver1.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3896	3172	WerFault.exe	92
1328	3172	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3172	BitLockerToGo.exe
3172	BitLockerToGo.exe
2240	openwith.exe
2240	openwith.exe
2240	openwith.exe
2240	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3172	4584	driver1.exe	92
PID 4584 wrote to memory of 3172	4584	driver1.exe	92
PID 4584 wrote to memory of 3172	4584	driver1.exe	92
PID 4584 wrote to memory of 3172	4584	driver1.exe	92
PID 4584 wrote to memory of 3172	4584	driver1.exe	92
PID 3172 wrote to memory of 2240	3172	BitLockerToGo.exe	94
PID 3172 wrote to memory of 2240	3172	BitLockerToGo.exe	94
PID 3172 wrote to memory of 2240	3172	BitLockerToGo.exe	94
PID 3172 wrote to memory of 2240	3172	BitLockerToGo.exe	94
PID 3172 wrote to memory of 2240	3172	BitLockerToGo.exe	94

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

C:\Users\Admin\AppData\Local\Temp\driver1.exe
"C:\Users\Admin\AppData\Local\Temp\driver1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 340
    3⤵
    - Program crash
    PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 432
    3⤵
    - Program crash
    PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 3172
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 3172
1⤵
PID:4780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-16-0x0000000001080000-0x0000000001089000-memory.dmp

Filesize
36KB

Download
memory/2240-24-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2240-20-0x00007FF9F9B50000-0x00007FF9F9D45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-23-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2240-22-0x0000000076A20000-0x0000000076C35000-memory.dmp

Filesize
2.1MB

Download
memory/2240-19-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/3172-8-0x0000000000160000-0x00000000001DE000-memory.dmp

Filesize
504KB

Download
memory/3172-11-0x00000000032B0000-0x00000000036B0000-memory.dmp

Filesize
4.0MB

Download
memory/3172-12-0x00007FF9F9B50000-0x00007FF9F9D45000-memory.dmp

Filesize
2.0MB

Download
memory/3172-10-0x00000000032B0000-0x00000000036B0000-memory.dmp

Filesize
4.0MB

Download
memory/3172-15-0x0000000076A20000-0x0000000076C35000-memory.dmp

Filesize
2.1MB

Download
memory/3172-14-0x00000000032B0000-0x00000000036B0000-memory.dmp

Filesize
4.0MB

Download
memory/3172-9-0x00000000032B0000-0x00000000036B0000-memory.dmp

Filesize
4.0MB

Download
memory/3172-4-0x0000000000160000-0x00000000001DE000-memory.dmp

Filesize
504KB

Download
memory/3172-7-0x0000000000160000-0x00000000001DE000-memory.dmp

Filesize
504KB

Download
memory/3172-6-0x0000000000160000-0x00000000001DE000-memory.dmp

Filesize
504KB

Download
memory/3172-25-0x00000000032B0000-0x00000000036B0000-memory.dmp

Filesize
4.0MB

Download
memory/4584-5-0x00007FF7EFBA0000-0x00007FF7F06FD000-memory.dmp

Filesize
11.4MB

Download