Malware Analysis Report

2024-11-13 13:53

Sample ID 240914-cfehassalh
Target eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe
SHA256 eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6
Tags
rhadamanthys discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6

Threat Level: Known bad

The file eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery stealer

Rhadamanthys

Rhadamanthys family

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-14 02:00

Signatures

Rhadamanthys family

rhadamanthys

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-14 02:00

Reported

2024-09-14 02:03

Platform

win7-20240903-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe"

Signatures

Rhadamanthys

stealer rhadamanthys

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe

"C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe"

Network

N/A

Files

memory/2712-0-0x00000000003D0000-0x000000000044E000-memory.dmp

memory/2712-1-0x00000000003D0000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-14 02:00

Reported

2024-09-14 02:03

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe"

Signatures

Rhadamanthys

stealer rhadamanthys

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe

"C:\Users\Admin\AppData\Local\Temp\eaede80aa7400cd537e6a02385b397f38e76884b4d2122f05e7e6f021846f6a6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/320-0-0x00000000007D0000-0x000000000084E000-memory.dmp

memory/320-1-0x00000000007D0000-0x000000000084E000-memory.dmp