rhadamanthys | 20653d4b1d392548b5dc636d76ddf39adf31a743ae3282a2f45b8e1dc12fb802

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49bae9e069b7f7d515b9dc7c6c4953e0.exe
Size

704KB
MD5

49bae9e069b7f7d515b9dc7c6c4953e0
SHA1

9f0fd6bda7ea272a20a58a3b963ededefc87a1c9
SHA256

20653d4b1d392548b5dc636d76ddf39adf31a743ae3282a2f45b8e1dc12fb802
SHA512

abed4e987626f88ffa34368e94707c99c07485eb57c4e0f9f60a0f9cab843e1c62f04e8aeac1b8f069d75b90a026b5aa4a0fcd9d22efeca0f9c122d68b6f5f78
SSDEEP

12288:5/y4KSeV15SORzbBTInjAD2i2/eFFi3VSS2gf0nhpYRSa18FqxbA7Ndh1UddhYUq:5/K5S0binGi/UFilSnAZv1bEJfKdTYv

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 784 created 1192	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	21

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
784	49bae9e069b7f7d515b9dc7c6c4953e0.exe
784	49bae9e069b7f7d515b9dc7c6c4953e0.exe
1820	dialer.exe
1820	dialer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1820	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	31
PID 784 wrote to memory of 1820	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	31
PID 784 wrote to memory of 1820	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	31
PID 784 wrote to memory of 1820	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	31
PID 784 wrote to memory of 1820	784	49bae9e069b7f7d515b9dc7c6c4953e0.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe
  "C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:784
- C:\Windows\system32\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-12-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/784-2-0x0000000000680000-0x0000000000726000-memory.dmp

Filesize
664KB

Download
memory/784-11-0x000007FEFCDA0000-0x000007FEFCE0C000-memory.dmp

Filesize
432KB

Download
memory/784-3-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/784-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/784-5-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/784-6-0x000000001B8F0000-0x000000001BCF0000-memory.dmp

Filesize
4.0MB

Download
memory/784-7-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/784-10-0x0000000076C10000-0x0000000076D2F000-memory.dmp

Filesize
1.1MB

Download
memory/784-9-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/784-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

Filesize
4KB

Download
memory/784-1-0x0000000001170000-0x0000000001226000-memory.dmp

Filesize
728KB

Download
memory/784-8-0x000000001B8F0000-0x000000001BCF0000-memory.dmp

Filesize
4.0MB

Download
memory/784-22-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-18-0x0000000076C10000-0x0000000076D2F000-memory.dmp

Filesize
1.1MB

Download
memory/1820-19-0x000007FEFCDA0000-0x000007FEFCE0C000-memory.dmp

Filesize
432KB

Download
memory/1820-21-0x0000000076D31000-0x0000000076E32000-memory.dmp

Filesize
1.0MB

Download
memory/1820-20-0x0000000001BA0000-0x0000000001FA0000-memory.dmp

Filesize
4.0MB

Download
memory/1820-17-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/1820-16-0x0000000001BA0000-0x0000000001FA0000-memory.dmp

Filesize
4.0MB

Download
memory/1820-13-0x0000000000060000-0x000000000006A000-memory.dmp

Filesize
40KB

Download
memory/1820-23-0x0000000001BA0000-0x0000000001FA0000-memory.dmp

Filesize
4.0MB

Download