rhadamanthys | 264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
Size

2.8MB
MD5

be3a9e7523482b273173ede7823d3138
SHA1

93604065f2f9eb4b671408d2e5d05f066c8574f4
SHA256

264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59
SHA512

094693cc6d9e581ab0b8fbf170cb92a1b7f427106c43356d75d15bc65e076f21f66d5182fc591815615f9f17e70eee09a19c58a5353c38852fa74c732a8405fa
SSDEEP

49152:jMgiLc2VcO6SJzo46E2AlPQzPQqvf+3pE5Je:og82aoDfAlPQzYqu3pE5Je

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4908 created 2608	4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	44

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
216	openwith.exe
216	openwith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 216	4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	84
PID 4908 wrote to memory of 216	4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	84
PID 4908 wrote to memory of 216	4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	84
PID 4908 wrote to memory of 216	4908	264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe	84

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2608
- C:\Windows\system32\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:216

C:\Users\Admin\AppData\Local\Temp\264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe
"C:\Users\Admin\AppData\Local\Temp\264bcff0ebbd51f3e73a2dc839f7b6413b0c060ae30710f9201efb4d149b5a59.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-15-0x000001F882820000-0x000001F882C20000-memory.dmp

Filesize
4.0MB

Download
memory/216-17-0x000001F882820000-0x000001F882C20000-memory.dmp

Filesize
4.0MB

Download
memory/216-12-0x000001F882820000-0x000001F882C20000-memory.dmp

Filesize
4.0MB

Download
memory/216-13-0x00007FFED21F0000-0x00007FFED23E5000-memory.dmp

Filesize
2.0MB

Download
memory/216-10-0x000001F880CA0000-0x000001F880CAA000-memory.dmp

Filesize
40KB

Download
memory/216-14-0x00007FFED1B20000-0x00007FFED1BDE000-memory.dmp

Filesize
760KB

Download
memory/216-16-0x00007FFECFCF0000-0x00007FFECFFB9000-memory.dmp

Filesize
2.8MB

Download
memory/4908-19-0x000001884F670000-0x000001884FA70000-memory.dmp

Filesize
4.0MB

Download
memory/4908-5-0x000001884F670000-0x000001884FA70000-memory.dmp

Filesize
4.0MB

Download
memory/4908-4-0x000001884EFF0000-0x000001884EFF9000-memory.dmp

Filesize
36KB

Download
memory/4908-9-0x00007FFECFCF0000-0x00007FFECFFB9000-memory.dmp

Filesize
2.8MB

Download
memory/4908-7-0x000001884F670000-0x000001884FA70000-memory.dmp

Filesize
4.0MB

Download
memory/4908-8-0x00007FFED1B20000-0x00007FFED1BDE000-memory.dmp

Filesize
760KB

Download
memory/4908-6-0x00007FFED21F0000-0x00007FFED23E5000-memory.dmp

Filesize
2.0MB

Download
memory/4908-3-0x000001884F670000-0x000001884FA70000-memory.dmp

Filesize
4.0MB

Download
memory/4908-1-0x000001884F670000-0x000001884FA70000-memory.dmp

Filesize
4.0MB

Download
memory/4908-0-0x000001884EFF0000-0x000001884EFF9000-memory.dmp

Filesize
36KB

Download
memory/4908-18-0x00007FF7F5340000-0x00007FF7F55E0000-memory.dmp

Filesize
2.6MB

Download
memory/4908-2-0x000001884F4C0000-0x000001884F5C0000-memory.dmp

Filesize
1024KB

Download