rhadamanthys | 34918278f6eb6b5e3afa8da406eb3c5a4cc3b7c4a1cee55320fecdbef4e0a463

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

khle.exe
Size

438KB
MD5

ec0f07cb1f1f5b4dd1bd94958c20a5ad
SHA1

84718efb03c2ae32aa2c5800bf135f97275f9a74
SHA256

34918278f6eb6b5e3afa8da406eb3c5a4cc3b7c4a1cee55320fecdbef4e0a463
SHA512

58af6d13d8c43970cc9e964f8418ecb054e177d40f966d2d9e318f540370d219028c4694daf09ba8b101206d54b482f66ce3a2b29ec4716119a21644a899f3d7
SSDEEP

12288:6uZZani4FaYkizhRpfX54K+uiE8XZzhzJ:6+ZIi4Z95/54K+uiE8Jd

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5064 created 1288	5064	khle.exe	51

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5064	khle.exe
5064	khle.exe
3040	openwith.exe
3040	openwith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3040	5064	khle.exe	87
PID 5064 wrote to memory of 3040	5064	khle.exe	87
PID 5064 wrote to memory of 3040	5064	khle.exe	87
PID 5064 wrote to memory of 3040	5064	khle.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1288
- C:\Windows\system32\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

C:\Users\Admin\AppData\Local\Temp\khle.exe
"C:\Users\Admin\AppData\Local\Temp\khle.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-13-0x0000020DC79D0000-0x0000020DC7DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3040-10-0x0000020DC79D0000-0x0000020DC7DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3040-17-0x0000020DC79D0000-0x0000020DC7DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3040-8-0x0000020DC5F20000-0x0000020DC5F2A000-memory.dmp

Filesize
40KB

Download
memory/3040-11-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/3040-15-0x0000020DC79D0000-0x0000020DC7DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3040-12-0x00007FFBFEC20000-0x00007FFBFECDE000-memory.dmp

Filesize
760KB

Download
memory/3040-14-0x00007FFBFDD10000-0x00007FFBFDFD9000-memory.dmp

Filesize
2.8MB

Download
memory/5064-6-0x00007FFBFEC20000-0x00007FFBFECDE000-memory.dmp

Filesize
760KB

Download
memory/5064-16-0x00007FF6BE050000-0x00007FF6BE0D2000-memory.dmp

Filesize
520KB

Download
memory/5064-1-0x000002CAB9050000-0x000002CAB9450000-memory.dmp

Filesize
4.0MB

Download
memory/5064-7-0x00007FFBFDD10000-0x00007FFBFDFD9000-memory.dmp

Filesize
2.8MB

Download
memory/5064-0-0x00007FF6BE050000-0x00007FF6BE0D2000-memory.dmp

Filesize
520KB

Download
memory/5064-4-0x00007FFC000B0000-0x00007FFC002A5000-memory.dmp

Filesize
2.0MB

Download
memory/5064-5-0x000002CAB9050000-0x000002CAB9450000-memory.dmp

Filesize
4.0MB

Download
memory/5064-2-0x000002CAB9050000-0x000002CAB9450000-memory.dmp

Filesize
4.0MB

Download
memory/5064-3-0x000002CAB9050000-0x000002CAB9450000-memory.dmp

Filesize
4.0MB

Download