rhadamanthys | ae382ff94d4b7cd0c69e340471f97d67f49d5e12e1d93cbb2ef8c81e5dfffbb2

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
Size

13.7MB
MD5

fb6ec588da60c54f47c5e48d3366e9c6
SHA1

98f844c3ead82b459ec528f10beeea2627e05b21
SHA256

ae382ff94d4b7cd0c69e340471f97d67f49d5e12e1d93cbb2ef8c81e5dfffbb2
SHA512

103c3d85dcea3fb4963ec1d8e8f58eed4aca04e276217929ffa89fb4bc85db9052ac789dc7d9977db19000edd260af194e4ff023e84a0949d3296e1860e0041c
SSDEEP

196608:68iq85xX6BQylJbueRpRb6J45lvvvBSzQItvYx9KPNEFTHhqhAYG:+PXmNLmzQKYvKPAaG

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

description pid process target process

PID 2664 created 1196 2664 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe Explorer.EXE
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

pid process

1740 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exedialer.exe

pid process

2664 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2664 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2680 dialer.exe
2680 dialer.exe
2680 dialer.exe
2680 dialer.exe

description	pid	process	target process
PID 2664 created 1196	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	Explorer.EXE

pid	process
1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

pid	process
2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2680	dialer.exe
2680	dialer.exe
2680	dialer.exe
2680	dialer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

description	pid	process	target process
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 1740 wrote to memory of 2664	1740	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 2664 wrote to memory of 2680	2664	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2680

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-12-0x0000000005192000-0x00000000051BC000-memory.dmp

Filesize
168KB

Download
memory/1740-0-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/1740-2-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/1740-3-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1740-4-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1740-1-0x0000000000407000-0x0000000000421000-memory.dmp

Filesize
104KB

Download
memory/2664-8-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2664-10-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x00000000000B0000-0x000000000013B000-memory.dmp

Filesize
556KB

Download
memory/2664-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-5-0x00000000000B0000-0x000000000013B000-memory.dmp

Filesize
556KB

Download
memory/2664-14-0x00000000089D0000-0x0000000008DD0000-memory.dmp

Filesize
4.0MB

Download
memory/2664-15-0x00000000089D0000-0x0000000008DD0000-memory.dmp

Filesize
4.0MB

Download
memory/2664-17-0x0000000075350000-0x0000000075397000-memory.dmp

Filesize
284KB

Download
memory/2680-18-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2680-20-0x0000000001C40000-0x0000000002040000-memory.dmp

Filesize
4.0MB

Download
memory/2680-23-0x0000000075350000-0x0000000075397000-memory.dmp

Filesize
284KB

Download
memory/2680-21-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads