Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2024 05:16
Static task: static1
Behavioral task: behavioral1
  Sample: 49bae9e069b7f7d515b9dc7c6c4953e0.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 49bae9e069b7f7d515b9dc7c6c4953e0.exe
  Resource: win10v2004-20240802-en
General
Target: 49bae9e069b7f7d515b9dc7c6c4953e0.exe
Size: 704KB
MD5: 49bae9e069b7f7d515b9dc7c6c4953e0
SHA1: 9f0fd6bda7ea272a20a58a3b963ededefc87a1c9
SHA256: 20653d4b1d392548b5dc636d76ddf39adf31a743ae3282a2f45b8e1dc12fb802
SHA512: abed4e987626f88ffa34368e94707c99c07485eb57c4e0f9f60a0f9cab843e1c62f04e8aeac1b8f069d75b90a026b5aa4a0fcd9d22efeca0f9c122d68b6f5f78
SSDEEP: 12288:5/y4KSeV15SORzbBTInjAD2i2/eFFi3VSS2gf0nhpYRSa18FqxbA7Ndh1UddhYUq:5/K5S0binGi/UFilSnAZv1bEJfKdTYv
Malware Config
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description           | pid | Process                              | procid_target
PID 784 created 1192  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 21

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  | Process
784  | 49bae9e069b7f7d515b9dc7c6c4953e0.exe
784  | 49bae9e069b7f7d515b9dc7c6c4953e0.exe
1820 | dialer.exe
1820 | dialer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                      | pid | Process                              | procid_target
PID 784 wrote to memory of 1820  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 31
PID 784 wrote to memory of 1820  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 31
PID 784 wrote to memory of 1820  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 31
PID 784 wrote to memory of 1820  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 31
PID 784 wrote to memory of 1820  | 784 | 49bae9e069b7f7d515b9dc7c6c4953e0.exe | 31
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 1, PID 1192

  C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe"
    depth 2, PID 784
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  C:\Windows\system32\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    depth 2, PID 1820
    - Suspicious behavior: EnumeratesProcesses
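The two process-related signatures above describe one chain: the sample (PID 784) creates dialer.exe (PID 1820) through NtCreateUserProcess with a parent other than itself, which is why the process tree shows dialer.exe at depth 2 beside the sample under Explorer.EXE (PID 1192) rather than beneath 784, and the sample then writes into 1820 five times. A recorded parent PID is attacker-controlled, but the process that actually issued the creation call is not: in an ETW Microsoft-Windows-Kernel-Process ProcessStart event it is the PID in the event header, while the spoofed value appears as ParentProcessID in the payload. The script below is an added example, not part of the sandbox report or of any tool the report names. It correlates the two fields and then counts memory writes from the true creator into the spoofed child. All records are constructed; they reuse the report's PIDs and image paths, but the field names (`creator_pid`, `parent_pid`, `source_pid`, `target_pid`), the benign notepad.exe control with PID 2400, and the severity scheme are assumptions.

```python
"""Correlate parent-PID spoofing with cross-process memory writes.

Added example, not part of the sandbox report. It models the two signatures
NtCreateUserProcessOtherParentProcess and WriteProcessMemory as log records.
All records are constructed; they reuse the report's PIDs (1192 Explorer.EXE,
784 the sample, 1820 dialer.exe) but every other field is an assumption.
`creator_pid` stands for the PID in the ETW event header, i.e. the process
that issued the create call; `parent_pid` stands for the ParentProcessID
recorded on the new process, which a spoofing caller controls.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int    # parent recorded on the new process (attacker-controlled)
    creator_pid: int   # process that made the creation call (not spoofable)


@dataclass(frozen=True)
class MemoryWrite:
    source_pid: int
    target_pid: int


@dataclass
class Finding:
    child_pid: int
    child_image: str
    claimed_parent: int
    actual_creator: int
    writes_from_creator: int = 0

    @property
    def severity(self) -> str:
        # A spoofed parent alone is suspicious; the creator then writing into
        # the child is the injection pattern the report's tables show.
        return "high" if self.writes_from_creator else "medium"


def detect_spoofed_parent_injection(
    starts: Iterable[ProcessStart], writes: Iterable[MemoryWrite]
) -> List[Finding]:
    """Return one Finding per process whose recorded parent is not its creator."""
    spoofed: Dict[int, Finding] = {}
    for s in starts:
        if s.creator_pid != s.parent_pid:
            spoofed[s.pid] = Finding(s.pid, s.image, s.parent_pid, s.creator_pid)
    # Count writes into each spoofed child that come from its true creator.
    for w in writes:
        f = spoofed.get(w.target_pid)
        if f is not None and w.source_pid == f.actual_creator:
            f.writes_from_creator += 1
    return list(spoofed.values())


def format_alert(f: Finding) -> str:
    return (f"[{f.severity}] PID {f.child_pid} ({f.child_image}) claims parent "
            f"{f.claimed_parent} but was created by {f.actual_creator}; "
            f"{f.writes_from_creator} memory write(s) from creator")


# Constructed events modelled on the report: Explorer launches the sample
# normally; the sample creates dialer.exe with Explorer as the recorded
# parent and then writes into it five times; notepad.exe (PID 2400, assumed)
# is a benign control that must not produce a finding.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe"
STARTS = [
    ProcessStart(784, SAMPLE, parent_pid=1192, creator_pid=1192),
    ProcessStart(1820, r"C:\Windows\system32\dialer.exe", parent_pid=1192, creator_pid=784),
    ProcessStart(2400, r"C:\Windows\system32\notepad.exe", parent_pid=1192, creator_pid=1192),
]
WRITES = [MemoryWrite(784, 1820)] * 5

if __name__ == "__main__":
    for finding in detect_spoofed_parent_injection(STARTS, WRITES):
        print(format_alert(finding))
```

The creator-versus-parent comparison is the part that survives spoofing; matching on the recorded parent alone would place dialer.exe under Explorer.EXE exactly as the sandbox tree does and miss the relationship to 784. Feeding real telemetry means mapping the ETW header PID and payload ParentProcessID onto `creator_pid` and `parent_pid`, and a cross-process memory write source onto `MemoryWrite`.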