rhadamanthys | 34918278f6eb6b5e3afa8da406eb3c5a4cc3b7c4a1cee55320fecdbef4e0a463

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-ja
resource tags

arch:x64arch:x86image:win10v2004-20240802-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-08-2024 13:43

Target

khle.exe
Size

438KB
MD5

ec0f07cb1f1f5b4dd1bd94958c20a5ad
SHA1

84718efb03c2ae32aa2c5800bf135f97275f9a74
SHA256

34918278f6eb6b5e3afa8da406eb3c5a4cc3b7c4a1cee55320fecdbef4e0a463
SHA512

58af6d13d8c43970cc9e964f8418ecb054e177d40f966d2d9e318f540370d219028c4694daf09ba8b101206d54b482f66ce3a2b29ec4716119a21644a899f3d7
SSDEEP

12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

khle.exe

description	pid	Process	procid_target
PID 1324 created 2964	1324	khle.exe	49

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

khle.exeopenwith.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

khle.exe

description	pid	Process	procid_target
PID 1324 wrote to memory of 3484	1324	khle.exe	92
PID 1324 wrote to memory of 3484	1324	khle.exe	92
PID 1324 wrote to memory of 3484	1324	khle.exe	92
PID 1324 wrote to memory of 3484	1324	khle.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2964
- C:\Windows\system32\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

memory/1324-9-0x00007FF72D810000-0x00007FF72D892000-memory.dmp

Filesize
520KB

Download
memory/1324-1-0x0000022200010000-0x0000022200410000-memory.dmp

Filesize
4.0MB

Download
memory/1324-3-0x0000022200010000-0x0000022200410000-memory.dmp

Filesize
4.0MB

Download
memory/1324-2-0x0000022200010000-0x0000022200410000-memory.dmp

Filesize
4.0MB

Download
memory/1324-4-0x00007FFCF8EB0000-0x00007FFCF90A5000-memory.dmp

Filesize
2.0MB

Download
memory/1324-5-0x00007FFCF7590000-0x00007FFCF764E000-memory.dmp

Filesize
760KB

Download
memory/1324-6-0x0000022200010000-0x0000022200410000-memory.dmp

Filesize
4.0MB

Download
memory/1324-7-0x00007FFCF6660000-0x00007FFCF6929000-memory.dmp

Filesize
2.8MB

Download
memory/1324-0-0x00007FF72D810000-0x00007FF72D892000-memory.dmp

Filesize
520KB

Download
memory/3484-8-0x000002D3DA9E0000-0x000002D3DA9EA000-memory.dmp

Filesize
40KB

Download
memory/3484-12-0x000002D3DC440000-0x000002D3DC840000-memory.dmp

Filesize
4.0MB

Download
memory/3484-14-0x00007FFCF7590000-0x00007FFCF764E000-memory.dmp

Filesize
760KB

Download
memory/3484-16-0x000002D3DC440000-0x000002D3DC840000-memory.dmp

Filesize
4.0MB

Download
memory/3484-15-0x00007FFCF6660000-0x00007FFCF6929000-memory.dmp

Filesize
2.8MB

Download
memory/3484-13-0x00007FFCF8EB0000-0x00007FFCF90A5000-memory.dmp

Filesize
2.0MB

Download
memory/3484-17-0x000002D3DC440000-0x000002D3DC840000-memory.dmp

Filesize
4.0MB

Download