rhadamanthys | ae382ff94d4b7cd0c69e340471f97d67f49d5e12e1d93cbb2ef8c81e5dfffbb2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
Size

13.7MB
MD5

fb6ec588da60c54f47c5e48d3366e9c6
SHA1

98f844c3ead82b459ec528f10beeea2627e05b21
SHA256

ae382ff94d4b7cd0c69e340471f97d67f49d5e12e1d93cbb2ef8c81e5dfffbb2
SHA512

103c3d85dcea3fb4963ec1d8e8f58eed4aca04e276217929ffa89fb4bc85db9052ac789dc7d9977db19000edd260af194e4ff023e84a0949d3296e1860e0041c
SSDEEP

196608:68iq85xX6BQylJbueRpRb6J45lvvvBSzQItvYx9KPNEFTHhqhAYG:+PXmNLmzQKYvKPAaG

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

description pid process target process

PID 4044 created 2444 4044 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe sihost.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

pid process

3140 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3492 4044 WerFault.exe 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exedialer.exe

pid process

4044 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
4044 2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2040 dialer.exe
2040 dialer.exe
2040 dialer.exe
2040 dialer.exe

description	pid	process	target process
PID 4044 created 2444	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	sihost.exe

pid	process
3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

pid	pid_target	process	target process
3492	4044	WerFault.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

pid	process
4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
2040	dialer.exe
2040	dialer.exe
2040	dialer.exe
2040	dialer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe

description	pid	process	target process
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 3140 wrote to memory of 4044	3140	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
PID 4044 wrote to memory of 2040	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 4044 wrote to memory of 2040	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 4044 wrote to memory of 2040	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 4044 wrote to memory of 2040	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe
PID 4044 wrote to memory of 2040	4044	2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2444

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_fb6ec588da60c54f47c5e48d3366e9c6_mafia_magniber.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 440
3⤵
- Program crash
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4044 -ip 4044
1⤵
PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-20-0x0000000000EC0000-0x0000000000EC9000-memory.dmp

Filesize
36KB

Download
memory/2040-22-0x00000000029E0000-0x0000000002DE0000-memory.dmp

Filesize
4.0MB

Download
memory/2040-25-0x0000000075A30000-0x0000000075C45000-memory.dmp

Filesize
2.1MB

Download
memory/2040-23-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp

Filesize
2.0MB

Download
memory/3140-8-0x000000000517A000-0x000000000517E000-memory.dmp

Filesize
16KB

Download
memory/3140-9-0x000000000517E000-0x000000000518C000-memory.dmp

Filesize
56KB

Download
memory/3140-10-0x0000000005182000-0x000000000518C000-memory.dmp

Filesize
40KB

Download
memory/3140-7-0x0000000005177000-0x000000000517E000-memory.dmp

Filesize
28KB

Download
memory/3140-5-0x000000000516F000-0x0000000005176000-memory.dmp

Filesize
28KB

Download
memory/3140-4-0x000000000518D000-0x00000000051BC000-memory.dmp

Filesize
188KB

Download
memory/3140-1-0x0000000000407000-0x0000000000421000-memory.dmp

Filesize
104KB

Download
memory/3140-0-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/3140-13-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/3140-11-0x0000000005192000-0x00000000051BC000-memory.dmp

Filesize
168KB

Download
memory/3140-27-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/4044-2-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/4044-17-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp

Filesize
2.0MB

Download
memory/4044-19-0x0000000075A30000-0x0000000075C45000-memory.dmp

Filesize
2.1MB

Download
memory/4044-16-0x0000000008EE0000-0x00000000092E0000-memory.dmp

Filesize
4.0MB

Download
memory/4044-15-0x0000000008EE0000-0x00000000092E0000-memory.dmp

Filesize
4.0MB

Download
memory/4044-14-0x0000000000400000-0x00000000051CA000-memory.dmp

Filesize
77.8MB

Download
memory/4044-12-0x00000000000C0000-0x000000000014B000-memory.dmp

Filesize
556KB

Download
memory/4044-6-0x00000000000C0000-0x000000000014B000-memory.dmp

Filesize
556KB

Download