rhadamanthys | 36bfb2c2ee18a261428200382979de5bf383aba6a8e21e3803f206f4a04ca334

Analysis

max time kernel
24s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21/07/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver1.exe
Size

10.8MB
MD5

0d96801162f9328e93406310ce13dcd8
SHA1

1dd705c9eca5bf057ed1ae1d00df266b8d2ee446
SHA256

36bfb2c2ee18a261428200382979de5bf383aba6a8e21e3803f206f4a04ca334
SHA512

4f4235b8d3b61edf6ee5a8a9170b9f18fa9bc077896b4d54a668bea46763f322bd2fb7924292092b85bf46d69f10d7146863205e6f84e19d540149510e2d27dd
SSDEEP

98304:qd9qQ34+7AhdAOHlfY88KC/EFLvcOXhHd/0h+5:qj4+7AhdHHlppFLn9

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3472 created 3036	3472	BitLockerToGo.exe	49

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 3472	4092	driver1.exe	83

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1056	3472	WerFault.exe	83
2900	3472	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3472	BitLockerToGo.exe
3472	BitLockerToGo.exe
1404	openwith.exe
1404	openwith.exe
1404	openwith.exe
1404	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3472	4092	driver1.exe	83
PID 4092 wrote to memory of 3472	4092	driver1.exe	83
PID 4092 wrote to memory of 3472	4092	driver1.exe	83
PID 4092 wrote to memory of 3472	4092	driver1.exe	83
PID 4092 wrote to memory of 3472	4092	driver1.exe	83
PID 3472 wrote to memory of 1404	3472	BitLockerToGo.exe	84
PID 3472 wrote to memory of 1404	3472	BitLockerToGo.exe	84
PID 3472 wrote to memory of 1404	3472	BitLockerToGo.exe	84
PID 3472 wrote to memory of 1404	3472	BitLockerToGo.exe	84
PID 3472 wrote to memory of 1404	3472	BitLockerToGo.exe	84

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3036
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404

C:\Users\Admin\AppData\Local\Temp\driver1.exe
"C:\Users\Admin\AppData\Local\Temp\driver1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 452
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 456
    3⤵
    - Program crash
    PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3472 -ip 3472
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3472 -ip 3472
1⤵
PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-15-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/1404-26-0x00007FFB2FF60000-0x00007FFB30169000-memory.dmp

Filesize
2.0MB

Download
memory/1404-24-0x00000000766B0000-0x0000000076902000-memory.dmp

Filesize
2.3MB

Download
memory/1404-25-0x00007FFB2FF60000-0x00007FFB30169000-memory.dmp

Filesize
2.0MB

Download
memory/1404-19-0x00000000020D0000-0x00000000024D0000-memory.dmp

Filesize
4.0MB

Download
memory/1404-20-0x00007FFB2FF60000-0x00007FFB30169000-memory.dmp

Filesize
2.0MB

Download
memory/3472-16-0x0000000003AD0000-0x0000000003ED0000-memory.dmp

Filesize
4.0MB

Download
memory/3472-11-0x0000000003AD0000-0x0000000003ED0000-memory.dmp

Filesize
4.0MB

Download
memory/3472-4-0x00000000008A0000-0x000000000091E000-memory.dmp

Filesize
504KB

Download
memory/3472-10-0x0000000003AD0000-0x0000000003ED0000-memory.dmp

Filesize
4.0MB

Download
memory/3472-14-0x00000000766B0000-0x0000000076902000-memory.dmp

Filesize
2.3MB

Download
memory/3472-17-0x00007FFB2FF61000-0x00007FFB3008A000-memory.dmp

Filesize
1.2MB

Download
memory/3472-12-0x00007FFB2FF60000-0x00007FFB30169000-memory.dmp

Filesize
2.0MB

Download
memory/3472-9-0x0000000003AD0000-0x0000000003ED0000-memory.dmp

Filesize
4.0MB

Download
memory/3472-8-0x00000000008A0000-0x000000000091E000-memory.dmp

Filesize
504KB

Download
memory/3472-7-0x00000000008A0000-0x000000000091E000-memory.dmp

Filesize
504KB

Download
memory/3472-21-0x0000000003AD0000-0x0000000003ED0000-memory.dmp

Filesize
4.0MB

Download
memory/3472-6-0x00000000008A0000-0x000000000091E000-memory.dmp

Filesize
504KB

Download
memory/4092-5-0x00007FF7AF0D0000-0x00007FF7AFC2D000-memory.dmp

Filesize
11.4MB

Download