rhadamanthys | d6d61523371c36cc73b1047bbdb75d6cd8fada21990362dab4f27dd75cfe41d4

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456-11-0x00000000001C0000-0x000000000023E000-memory.exe
Size

504KB
MD5

790758cfdcf7fbc19e7123163af23485
SHA1

bd2d2eecabd24fbfd173c9fe405d6ca1818ae934
SHA256

d6d61523371c36cc73b1047bbdb75d6cd8fada21990362dab4f27dd75cfe41d4
SHA512

558f41c65e32b536a68f69f3e28c5cc10c1f7eeefab193ce008ef39dba680f21ee162cabd47da94458bd3a0cdeb7425651963b0fd2b2260a025859f0e135c9c4
SSDEEP

12288:MWBqf/qq3R5W8ZB4zmRzbaBElDGJQ7F9:M9f93PW8ZBS+zbMiSQh

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://185.209.161.207:2421/44194499adc4d2b753ee/bduh0f2e.ee92s

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2860 2844 WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

456-11-0x00000000001C0000-0x000000000023E000-memory.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 456-11-0x00000000001C0000-0x000000000023E000-memory.exe

pid	pid_target	process
2860	2844	WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456-11-0x00000000001C0000-0x000000000023E000-memory.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

456-11-0x00000000001C0000-0x000000000023E000-memory.exe

description	pid	process	target process
PID 2844 wrote to memory of 2860	2844	456-11-0x00000000001C0000-0x000000000023E000-memory.exe	WerFault.exe
PID 2844 wrote to memory of 2860	2844	456-11-0x00000000001C0000-0x000000000023E000-memory.exe	WerFault.exe
PID 2844 wrote to memory of 2860	2844	456-11-0x00000000001C0000-0x000000000023E000-memory.exe	WerFault.exe
PID 2844 wrote to memory of 2860	2844	456-11-0x00000000001C0000-0x000000000023E000-memory.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\456-11-0x00000000001C0000-0x000000000023E000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\456-11-0x00000000001C0000-0x000000000023E000-memory.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 36
  2⤵
  - Program crash
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2844-0-0x00000000001C0000-0x000000000023E000-memory.dmp

Filesize
504KB

Download