Overview

overview

10

Static

static

10

836dfa8ecf...2d.exe

windows10-2004-x64

10

Resubmissions

27-11-2024 10:02

241127-l21gbsvrer 10

12-07-2023 03:45

230712-ea23hsbg48 10

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    836dfa8ecf57ce861f4cacfe4a85572d.exe

  • Size

    448KB

  • MD5

    836dfa8ecf57ce861f4cacfe4a85572d

  • SHA1

    ab1d13d733ce513953143c64440323b1969925a9

  • SHA256

    8af7fadc968927f6d8a4056e3d15808c254bbee4080985d03d377c361e467357

  • SHA512

    32f5c37ca495589c7d31f79c987f2f420e3ead46f09a008c2a8107ff81523986dc993b47a0425ff96be0e761177edeea79d272982e818c4935f087bb4e86ca98

  • SSDEEP

    6144:qlE8DIpjK28t4sL4wlp3z/pSZ+pDKpf9EkQbKxVK+PXItNOapG8RuzRiRh3Zc:SEpj7sLLv/cgu4VGn6OaM+ucj

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 5 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\836dfa8ecf57ce861f4cacfe4a85572d.exe
        "C:\Users\Admin\AppData\Local\Temp\836dfa8ecf57ce861f4cacfe4a85572d.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4832
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
          PID:2720

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2720-5-0x000002E380FA0000-0x000002E380FA3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4832-0-0x00000000022E0000-0x00000000022E7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/4832-1-0x00000000023B0000-0x00000000027B0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4832-2-0x00000000023B0000-0x00000000027B0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4832-3-0x00000000023B0000-0x00000000027B0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4832-4-0x00000000023B0000-0x00000000027B0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4832-6-0x0000000003210000-0x0000000003246000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4832-12-0x00000000023B0000-0x00000000027B0000-memory.dmp

        Filesize

        4.0MB

        Download