Overview

overview

10

Static

static

3

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    4363d52fe7027df2212ad2b3333ebaf9

  • SHA1

    beac1fc8c012a28cb9f38f6e4296278543048fcf

  • SHA256

    ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc

  • SHA512

    bb5bcb9f7b42d370b86ad7d4c16605d9bf755fd2291a70716facc2aa62baf45aabf068882c413334332af5819a97c9c4d7703edb9ec84edd8e87c57bab36acee

  • SSDEEP

    24576:ZMm5SH6MIl3LkGDhsmD/U0wA77v+M0yYvh3J9oeVaEJyqH2ai519He:ZMm5Lnl7kSUEXvAyUh3J9oeVaEk5rHe

Score
10/10
rhadamanthysspywarestealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2928
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2584
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:4412
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:2424
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1852
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            2⤵
              PID:4864
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:432
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 452
                3⤵
                • Program crash
                PID:4524
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 448
                3⤵
                • Program crash
                PID:4996
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 432 -ip 432
            1⤵
              PID:4152
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 432 -ip 432
              1⤵
                PID:3448

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/432-38-0x0000000003690000-0x0000000003A90000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/432-28-0x00007FF80A710000-0x00007FF80A905000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/432-27-0x0000000003690000-0x0000000003A90000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/432-26-0x0000000003690000-0x0000000003A90000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/432-25-0x0000000003690000-0x0000000003A90000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/432-30-0x0000000076A70000-0x0000000076C85000-memory.dmp
                Filesize

                2.1MB

                Download
              • memory/432-23-0x0000000000400000-0x000000000046D000-memory.dmp
                Filesize

                436KB

                Download
              • memory/432-31-0x0000000003690000-0x0000000003A90000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/432-21-0x0000000000400000-0x000000000046D000-memory.dmp
                Filesize

                436KB

                Download
              • memory/1852-45-0x00000000088B0000-0x00000000088EC000-memory.dmp
                Filesize

                240KB

                Download
              • memory/1852-43-0x0000000008910000-0x0000000008A1A000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/1852-51-0x000000000AAA0000-0x000000000AFCC000-memory.dmp
                Filesize

                5.2MB

                Download
              • memory/1852-50-0x000000000A3A0000-0x000000000A562000-memory.dmp
                Filesize

                1.8MB

                Download
              • memory/1852-49-0x0000000009420000-0x000000000943E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1852-39-0x0000000000400000-0x0000000000466000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1852-48-0x0000000009470000-0x00000000094E6000-memory.dmp
                Filesize

                472KB

                Download
              • memory/1852-47-0x0000000008B30000-0x0000000008B96000-memory.dmp
                Filesize

                408KB

                Download
              • memory/1852-46-0x0000000008A20000-0x0000000008A6C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/1852-42-0x0000000008DA0000-0x00000000093B8000-memory.dmp
                Filesize

                6.1MB

                Download
              • memory/1852-44-0x0000000008850000-0x0000000008862000-memory.dmp
                Filesize

                72KB

                Download
              • memory/1964-20-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1964-19-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1964-17-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1964-16-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1964-15-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1964-13-0x0000000000400000-0x00000000004C0000-memory.dmp
                Filesize

                768KB

                Download
              • memory/1964-12-0x0000000000400000-0x00000000004C0000-memory.dmp
                Filesize

                768KB

                Download
              • memory/1964-41-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2584-37-0x0000000076A70000-0x0000000076C85000-memory.dmp
                Filesize

                2.1MB

                Download
              • memory/2584-35-0x00007FF80A710000-0x00007FF80A905000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/2584-32-0x0000000000F80000-0x0000000000F89000-memory.dmp
                Filesize

                36KB

                Download
              • memory/2584-34-0x0000000002CB0000-0x00000000030B0000-memory.dmp
                Filesize

                4.0MB

                Download
              • memory/2848-10-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2848-8-0x00000000073D0000-0x00000000073EA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/2848-18-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2848-14-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2848-11-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2848-24-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2848-9-0x0000000007400000-0x0000000007406000-memory.dmp
                Filesize

                24KB

                Download
              • memory/2848-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2848-7-0x00000000060C0000-0x00000000060CA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/2848-6-0x0000000005EE0000-0x0000000005F24000-memory.dmp
                Filesize

                272KB

                Download
              • memory/2848-5-0x0000000074C40000-0x00000000753F0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2848-4-0x0000000004DC0000-0x0000000004E5C000-memory.dmp
                Filesize

                624KB

                Download
              • memory/2848-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp
                Filesize

                584KB

                Download
              • memory/2848-2-0x0000000005230000-0x00000000057D4000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/2848-1-0x00000000005B0000-0x0000000000760000-memory.dmp
                Filesize

                1.7MB

                Download