Overview

overview

10

Static

static

10

aef5c6fec5...19.exe

windows10-2004-x64

10

Resubmissions

27-11-2024 10:02

241127-l2378ayngy 10

16-07-2023 01:10

230716-bjkcaacb72 10

Analysis

  • max time kernel
    30s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aef5c6fec5ea5f20f0e71f34d3777919.exe

  • Size

    448KB

  • MD5

    aef5c6fec5ea5f20f0e71f34d3777919

  • SHA1

    013c70c60334495904fa1e83a129dd3c369e6acf

  • SHA256

    01c7c28d8fcbded6bb906af11b34e65e19a71bc433fa3c8b5e615130f78028d5

  • SHA512

    bd48e8ec604e074b759b1c08c9d1e6adb90da902b4f23b9f37210ec32183c22a53d0a571d3c46bf43c32f47debc47313c0c98136ac6bc55bf1004b41c19f2774

  • SSDEEP

    6144:L/E8DIpjK28t4snQTlp3z/pSZ+pDKpf9EkQbKxVK+PXItNOapG8RuzRiRh3Zi:dEpj7snAv/cgu4VGn6OaM+ucj

Score
10/10
rhadamanthysdiscoverystealer

Malware Config

Signatures

  • Detect rhadamanthys stealer shellcode 5 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Rhadamanthys family
    rhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3576
      • C:\Users\Admin\AppData\Local\Temp\aef5c6fec5ea5f20f0e71f34d3777919.exe
        "C:\Users\Admin\AppData\Local\Temp\aef5c6fec5ea5f20f0e71f34d3777919.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2164
      • C:\Windows\system32\certreq.exe
        "C:\Windows\system32\certreq.exe"
        2⤵
          PID:5048

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2164-0-0x0000000000640000-0x0000000000647000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2164-1-0x0000000002400000-0x0000000002800000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2164-2-0x0000000002400000-0x0000000002800000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2164-3-0x0000000002400000-0x0000000002800000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2164-4-0x0000000002400000-0x0000000002800000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2164-7-0x0000000003140000-0x0000000003176000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2164-12-0x0000000002400000-0x0000000002800000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/5048-5-0x00000217EBA70000-0x00000217EBA73000-memory.dmp

        Filesize

        12KB

        Download