rhadamanthys | c571c64b91f117d2c59d80ef624507cb321d2c23a10166137d61ca4256d675ce

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
Size

24.1MB
MD5

329a36f52485ea098ab3432ecbb1952d
SHA1

40f4ebe110f7fd02e84c054be92386640775aa7b
SHA256

c571c64b91f117d2c59d80ef624507cb321d2c23a10166137d61ca4256d675ce
SHA512

86a1f3e30159d8f4f3e6f80c912b526657f1933f3dbc1d64fc998476dffabc6aea154a1a36443a647b6e40238bcfb56c63783c996c1e0053658ca1b6074227fe
SSDEEP

393216:i0qpshZ+HQ7+HaJpecDr63xoIEGOmxlmXu00Mbz4dunERjgZG6xenwLv8PV2:i0ushlXqHEGjlc1b8gG+smv8o

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe

description pid process target process

PID 1940 created 1188 1940 2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe Explorer.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exedialer.exe

pid process

1940 2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
1940 2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
2992 dialer.exe
2992 dialer.exe
2992 dialer.exe
2992 dialer.exe

description	pid	process	target process
PID 1940 created 1188	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	Explorer.EXE

pid	process
1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
2992	dialer.exe
2992	dialer.exe
2992	dialer.exe
2992	dialer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe

description	pid	process	target process
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe
PID 1940 wrote to memory of 2992	1940	2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe	dialer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_329a36f52485ea098ab3432ecbb1952d_avoslocker.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-10-0x00000000046F0000-0x0000000004AF0000-memory.dmp

Filesize
4.0MB

Download
memory/1940-9-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1940-1-0x0000000000404000-0x000000000041E000-memory.dmp

Filesize
104KB

Download
memory/1940-14-0x00000000757F0000-0x0000000075837000-memory.dmp

Filesize
284KB

Download
memory/1940-11-0x00000000046F0000-0x0000000004AF0000-memory.dmp

Filesize
4.0MB

Download
memory/1940-8-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1940-7-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1940-6-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1940-5-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1940-4-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1940-2-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1940-3-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1940-0-0x0000000000400000-0x0000000001C1E000-memory.dmp

Filesize
24.1MB

Download
memory/1940-12-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/2992-20-0x00000000757F0000-0x0000000075837000-memory.dmp

Filesize
284KB

Download
memory/2992-18-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/2992-21-0x0000000001B30000-0x0000000001F30000-memory.dmp

Filesize
4.0MB

Download
memory/2992-22-0x0000000076D41000-0x0000000076E42000-memory.dmp

Filesize
1.0MB

Download
memory/2992-17-0x0000000001B30000-0x0000000001F30000-memory.dmp

Filesize
4.0MB

Download
memory/2992-15-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2992-23-0x0000000001B30000-0x0000000001F30000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads