rhadamanthys | 264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59

Analysis

max time kernel
129s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
Size

2.8MB
MD5

be3a9e7523482b273173ede7823d3138
SHA1

93604065f2f9eb4b671408d2e5d05f066c8574f4
SHA256

264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59
SHA512

094693cc6d9e581ab0b8fbf170cb92a1b7f427106c43356d75d15bc65e076f21f66d5182fc591815615f9f17e70eee09a19c58a5353c38852fa74c732a8405fa
SSDEEP

49152:jMgiLc2VcO6SJzo46E2AlPQzPQqvf+3pE5Je:og82aoDfAlPQzYqu3pE5Je

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2064 created 2652	2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	44

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
4576	openwith.exe
4576	openwith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4576	2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	82
PID 2064 wrote to memory of 4576	2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	82
PID 2064 wrote to memory of 4576	2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	82
PID 2064 wrote to memory of 4576	2064	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	82

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2652
- C:\Windows\system32\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

C:\Users\Admin\AppData\Local\Temp\264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
"C:\Users\Admin\AppData\Local\Temp\264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-17-0x0000019FEB420000-0x0000019FEB820000-memory.dmp

Filesize
4.0MB

Download
memory/2064-4-0x0000019FEB420000-0x0000019FEB820000-memory.dmp

Filesize
4.0MB

Download
memory/2064-2-0x0000019FEB2D0000-0x0000019FEB3D0000-memory.dmp

Filesize
1024KB

Download
memory/2064-16-0x00007FF72AD40000-0x00007FF72AFE0000-memory.dmp

Filesize
2.6MB

Download
memory/2064-6-0x0000019FEB420000-0x0000019FEB820000-memory.dmp

Filesize
4.0MB

Download
memory/2064-8-0x00007FFBB5BB0000-0x00007FFBB5E79000-memory.dmp

Filesize
2.8MB

Download
memory/2064-5-0x00007FFBB7E30000-0x00007FFBB8025000-memory.dmp

Filesize
2.0MB

Download
memory/2064-7-0x00007FFBB5F60000-0x00007FFBB601E000-memory.dmp

Filesize
760KB

Download
memory/2064-0-0x0000019FEAEA0000-0x0000019FEAEA9000-memory.dmp

Filesize
36KB

Download
memory/2064-1-0x0000019FEB420000-0x0000019FEB820000-memory.dmp

Filesize
4.0MB

Download
memory/2064-3-0x0000019FEB420000-0x0000019FEB820000-memory.dmp

Filesize
4.0MB

Download
memory/4576-15-0x00007FFBB5BB0000-0x00007FFBB5E79000-memory.dmp

Filesize
2.8MB

Download
memory/4576-14-0x00007FFBB5F60000-0x00007FFBB601E000-memory.dmp

Filesize
760KB

Download
memory/4576-13-0x0000014BE86E0000-0x0000014BE8AE0000-memory.dmp

Filesize
4.0MB

Download
memory/4576-11-0x0000014BE86E0000-0x0000014BE8AE0000-memory.dmp

Filesize
4.0MB

Download
memory/4576-12-0x00007FFBB7E30000-0x00007FFBB8025000-memory.dmp

Filesize
2.0MB

Download
memory/4576-9-0x0000014BE6B90000-0x0000014BE6B9A000-memory.dmp

Filesize
40KB

Download
memory/4576-18-0x0000014BE86E0000-0x0000014BE8AE0000-memory.dmp

Filesize
4.0MB

Download