rhadamanthys | acab109d5b82f41614043cf632ded46a40f5b22fa54282c2827891048528625f

Analysis

max time kernel
106s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rh_0.9.0.exe
Size

1.1MB
MD5

f213824a811b61ff6f9f950ad23acd76
SHA1

f73abd780741a375c3303397ba7cb0e7c5c70f8d
SHA256

acab109d5b82f41614043cf632ded46a40f5b22fa54282c2827891048528625f
SHA512

b6c209913a365f13d85c1578cdae7709d2b80f30bde6343a47bb96aace994d06c9b322e6b8ce1abbcbaf069f3385db57b276883ec138391c9a70934e9380804e
SSDEEP

12288:Z08XS6a0qohwBXuCzF9K4vvQuLEHu+QDmxzDMDeRGdzhB+6Th249PsanF:VS8WM4xHSfghwnKs

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral1/memory/228-1-0x00000000007A0000-0x00000000008C2000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 228 created 2848	228	rh_0.9.0.exe	49

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
228	rh_0.9.0.exe
228	rh_0.9.0.exe
228	rh_0.9.0.exe
228	rh_0.9.0.exe
2348	svchost.exe
2348	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2348	228	rh_0.9.0.exe	87
PID 228 wrote to memory of 2348	228	rh_0.9.0.exe	87
PID 228 wrote to memory of 2348	228	rh_0.9.0.exe	87
PID 228 wrote to memory of 2348	228	rh_0.9.0.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2848
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

C:\Users\Admin\AppData\Local\Temp\rh_0.9.0.exe
"C:\Users\Admin\AppData\Local\Temp\rh_0.9.0.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-19-0x00007FFDF0230000-0x00007FFDF0CF1000-memory.dmp

Filesize
10.8MB

Download
memory/228-1-0x00000000007A0000-0x00000000008C2000-memory.dmp

Filesize
1.1MB

Download
memory/228-2-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/228-3-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/228-4-0x000000001B610000-0x000000001BA10000-memory.dmp

Filesize
4.0MB

Download
memory/228-5-0x000000001B610000-0x000000001BA10000-memory.dmp

Filesize
4.0MB

Download
memory/228-6-0x00007FFDF0230000-0x00007FFDF0CF1000-memory.dmp

Filesize
10.8MB

Download
memory/228-8-0x00007FFE0D360000-0x00007FFE0D41E000-memory.dmp

Filesize
760KB

Download
memory/228-9-0x00007FFE0BB40000-0x00007FFE0BE09000-memory.dmp

Filesize
2.8MB

Download
memory/228-7-0x00007FFE0E190000-0x00007FFE0E385000-memory.dmp

Filesize
2.0MB

Download
memory/228-0-0x00007FFDF0233000-0x00007FFDF0235000-memory.dmp

Filesize
8KB

Download
memory/228-17-0x00007FFDF0230000-0x00007FFDF0CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2348-13-0x000001DD85200000-0x000001DD85600000-memory.dmp

Filesize
4.0MB

Download
memory/2348-20-0x000001DD85200000-0x000001DD85600000-memory.dmp

Filesize
4.0MB

Download
memory/2348-21-0x000001DD85200000-0x000001DD85600000-memory.dmp

Filesize
4.0MB

Download
memory/2348-18-0x000001DD85200000-0x000001DD85600000-memory.dmp

Filesize
4.0MB

Download
memory/2348-16-0x00007FFE0BB40000-0x00007FFE0BE09000-memory.dmp

Filesize
2.8MB

Download
memory/2348-15-0x00007FFE0D360000-0x00007FFE0D41E000-memory.dmp

Filesize
760KB

Download
memory/2348-14-0x00007FFE0E190000-0x00007FFE0E385000-memory.dmp

Filesize
2.0MB

Download
memory/2348-10-0x000001DD84EB0000-0x000001DD84EBA000-memory.dmp

Filesize
40KB

Download