rhadamanthys | 38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e

Analysis

max time kernel
79s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 07:38

Target

hoge.exe
Size

621KB
MD5

be87ad5596852c9930270778e9eced54
SHA1

34a1842d2fd4dbcdc27b892d18ad920ac9d03826
SHA256

38c17f2c490cee233f17e6484a1f3c25f3bff8d99ea0d6010f720b848d6a223e
SHA512

a16e49beb95f461ff5d4af63017bdcd9844800e8037d43942e28e0a3dfa71ceb0808e5020f955380902fdb4c9887ed6e092cfce9a9cf24f6be2e3e9586dbef04
SSDEEP

12288:zE50GSHrG6W42JcycysY0V3D9wCV+2nXGwnUP345WRgG3OkGGs/Lwmm:o+GSHrG6W42JcychY0FD9wCVBHw3yeJF

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

hoge.exe

description pid process target process

PID 1316 created 2620 1316 hoge.exe sihost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

hoge.exedialer.exe

pid process

1316 hoge.exe
1316 hoge.exe
1700 dialer.exe
1700 dialer.exe

description	pid	process	target process
PID 1316 created 2620	1316	hoge.exe	sihost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

hoge.exe

description	pid	process	target process
PID 1316 wrote to memory of 1700	1316	hoge.exe	dialer.exe
PID 1316 wrote to memory of 1700	1316	hoge.exe	dialer.exe
PID 1316 wrote to memory of 1700	1316	hoge.exe	dialer.exe
PID 1316 wrote to memory of 1700	1316	hoge.exe	dialer.exe

C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

memory/1316-7-0x0000000003270000-0x0000000003670000-memory.dmp

Filesize
4.0MB

Download
memory/1316-1-0x0000000003270000-0x0000000003670000-memory.dmp

Filesize
4.0MB

Download
memory/1316-6-0x0000000003270000-0x0000000003670000-memory.dmp

Filesize
4.0MB

Download
memory/1316-5-0x00007FFC13980000-0x00007FFC13C49000-memory.dmp

Filesize
2.8MB

Download
memory/1316-4-0x00007FFC15C30000-0x00007FFC15CEE000-memory.dmp

Filesize
760KB

Download
memory/1316-3-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Filesize
2.0MB

Download
memory/1316-2-0x0000000003270000-0x0000000003670000-memory.dmp

Filesize
4.0MB

Download
memory/1316-11-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1316-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1700-10-0x000002248C290000-0x000002248C690000-memory.dmp

Filesize
4.0MB

Download
memory/1700-15-0x00007FFC13980000-0x00007FFC13C49000-memory.dmp

Filesize
2.8MB

Download
memory/1700-14-0x00007FFC15C30000-0x00007FFC15CEE000-memory.dmp

Filesize
760KB

Download
memory/1700-12-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Filesize
2.0MB

Download
memory/1700-16-0x000002248C290000-0x000002248C690000-memory.dmp

Filesize
4.0MB

Download
memory/1700-8-0x000002248A6F0000-0x000002248A6F9000-memory.dmp

Filesize
36KB

Download
memory/1700-13-0x000002248C290000-0x000002248C690000-memory.dmp

Filesize
4.0MB

Download