rhadamanthys | 20653d4b1d392548b5dc636d76ddf39adf31a743ae3282a2f45b8e1dc12fb802

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49bae9e069b7f7d515b9dc7c6c4953e0.exe
Size

704KB
MD5

49bae9e069b7f7d515b9dc7c6c4953e0
SHA1

9f0fd6bda7ea272a20a58a3b963ededefc87a1c9
SHA256

20653d4b1d392548b5dc636d76ddf39adf31a743ae3282a2f45b8e1dc12fb802
SHA512

abed4e987626f88ffa34368e94707c99c07485eb57c4e0f9f60a0f9cab843e1c62f04e8aeac1b8f069d75b90a026b5aa4a0fcd9d22efeca0f9c122d68b6f5f78
SSDEEP

12288:5/y4KSeV15SORzbBTInjAD2i2/eFFi3VSS2gf0nhpYRSa18FqxbA7Ndh1UddhYUq:5/K5S0binGi/UFilSnAZv1bEJfKdTYv

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

49bae9e069b7f7d515b9dc7c6c4953e0.exe

description	pid	Process	procid_target
PID 3084 created 3008	3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe	50

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

49bae9e069b7f7d515b9dc7c6c4953e0.exeopenwith.exe

pid	Process
3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe
3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe
4436	openwith.exe
4436	openwith.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

49bae9e069b7f7d515b9dc7c6c4953e0.exe

description	pid	Process	procid_target
PID 3084 wrote to memory of 4436	3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe	82
PID 3084 wrote to memory of 4436	3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe	82
PID 3084 wrote to memory of 4436	3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe	82
PID 3084 wrote to memory of 4436	3084	49bae9e069b7f7d515b9dc7c6c4953e0.exe	82

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3008
- C:\Windows\system32\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe
"C:\Users\Admin\AppData\Local\Temp\49bae9e069b7f7d515b9dc7c6c4953e0.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-9-0x00007FFFD7170000-0x00007FFFD7365000-memory.dmp

Filesize
2.0MB

Download
memory/3084-16-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/3084-2-0x00000000025D0000-0x0000000002676000-memory.dmp

Filesize
664KB

Download
memory/3084-3-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/3084-5-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/3084-6-0x000000001B6E0000-0x000000001BAE0000-memory.dmp

Filesize
4.0MB

Download
memory/3084-4-0x000000001B180000-0x000000001B188000-memory.dmp

Filesize
32KB

Download
memory/3084-0-0x00007FFFB9073000-0x00007FFFB9075000-memory.dmp

Filesize
8KB

Download
memory/3084-8-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/3084-11-0x00007FFFD4AE0000-0x00007FFFD4DA9000-memory.dmp

Filesize
2.8MB

Download
memory/3084-7-0x000000001B6E0000-0x000000001BAE0000-memory.dmp

Filesize
4.0MB

Download
memory/3084-10-0x00007FFFD6FF0000-0x00007FFFD70AE000-memory.dmp

Filesize
760KB

Download
memory/3084-1-0x00000000004A0000-0x0000000000556000-memory.dmp

Filesize
728KB

Download
memory/4436-14-0x000002C0A1D20000-0x000002C0A2120000-memory.dmp

Filesize
4.0MB

Download
memory/4436-12-0x000002C0A0230000-0x000002C0A023A000-memory.dmp

Filesize
40KB

Download
memory/4436-20-0x00007FFFD4AE0000-0x00007FFFD4DA9000-memory.dmp

Filesize
2.8MB

Download
memory/4436-19-0x00007FFFD6FF0000-0x00007FFFD70AE000-memory.dmp

Filesize
760KB

Download
memory/4436-17-0x00007FFFD7170000-0x00007FFFD7365000-memory.dmp

Filesize
2.0MB

Download
memory/4436-21-0x000002C0A1D20000-0x000002C0A2120000-memory.dmp

Filesize
4.0MB

Download
memory/4436-18-0x000002C0A1D20000-0x000002C0A2120000-memory.dmp

Filesize
4.0MB

Download