rhadamanthys | 64a49ff6862b2c924280d5e906bc36168112c85d9acc2eb778b72ea1d4c17895

Analysis

max time kernel
323s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prezi-desktop-6-26-0.exe
Size

24.0MB
MD5

c1883a829c7cfafc5c50802a01f4b03b
SHA1

f803939b6f8048be5a98c60e33f01910206c8960
SHA256

64a49ff6862b2c924280d5e906bc36168112c85d9acc2eb778b72ea1d4c17895
SHA512

db502c418342d49c827e34659d0121ff9d9c0bb7ad7b7aadac3befdedaf6768e15aa90544937521453a4b67928ff54737995cb877dd5af3be3d2053773afbf2d
SSDEEP

98304:4wOKyyWVopdoc65D+BS/9jWCsDeTm+xvsoXRpGCx5jCwkU8gfM6q/0EY0yg5jUDC:HYKUKsXRpNyUnfM6qlYIVU4a4

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BitLockerToGo.exe

description pid process target process

PID 2796 created 2252 2796 BitLockerToGo.exe sihost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

prezi-desktop-6-26-0.exe

description pid process target process

PID 1008 set thread context of 2796 1008 prezi-desktop-6-26-0.exe BitLockerToGo.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4964 2796 WerFault.exe BitLockerToGo.exe
2132 2796 WerFault.exe BitLockerToGo.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

BitLockerToGo.exedialer.exe

pid process

2796 BitLockerToGo.exe
2796 BitLockerToGo.exe
5040 dialer.exe
5040 dialer.exe
5040 dialer.exe
5040 dialer.exe

description	pid	process	target process
PID 2796 created 2252	2796	BitLockerToGo.exe	sihost.exe

description	pid	process	target process
PID 1008 set thread context of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe

pid	pid_target	process	target process
4964	2796	WerFault.exe	BitLockerToGo.exe
2132	2796	WerFault.exe	BitLockerToGo.exe

pid	process
2796	BitLockerToGo.exe
2796	BitLockerToGo.exe
5040	dialer.exe
5040	dialer.exe
5040	dialer.exe
5040	dialer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

prezi-desktop-6-26-0.exeBitLockerToGo.exe

description	pid	process	target process
PID 1008 wrote to memory of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe
PID 1008 wrote to memory of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe
PID 1008 wrote to memory of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe
PID 1008 wrote to memory of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe
PID 1008 wrote to memory of 2796	1008	prezi-desktop-6-26-0.exe	BitLockerToGo.exe
PID 2796 wrote to memory of 5040	2796	BitLockerToGo.exe	dialer.exe
PID 2796 wrote to memory of 5040	2796	BitLockerToGo.exe	dialer.exe
PID 2796 wrote to memory of 5040	2796	BitLockerToGo.exe	dialer.exe
PID 2796 wrote to memory of 5040	2796	BitLockerToGo.exe	dialer.exe
PID 2796 wrote to memory of 5040	2796	BitLockerToGo.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2252

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Users\Admin\AppData\Local\Temp\prezi-desktop-6-26-0.exe
"C:\Users\Admin\AppData\Local\Temp\prezi-desktop-6-26-0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 464
3⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 472
3⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2796 -ip 2796
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2796 -ip 2796
1⤵
PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-8-0x00007FF640160000-0x00007FF6419CD000-memory.dmp

Filesize
24.4MB

Download
memory/1008-2-0x00007FF640160000-0x00007FF6419CD000-memory.dmp

Filesize
24.4MB

Download
memory/2796-14-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/2796-25-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/2796-7-0x0000000000750000-0x00000000007BD000-memory.dmp

Filesize
436KB

Download
memory/2796-10-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/2796-11-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/2796-13-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/2796-5-0x0000000000750000-0x00000000007BD000-memory.dmp

Filesize
436KB

Download
memory/2796-12-0x00007FFA8DA70000-0x00007FFA8DC65000-memory.dmp

Filesize
2.0MB

Download
memory/2796-16-0x00000000771F0000-0x0000000077405000-memory.dmp

Filesize
2.1MB

Download
memory/2796-9-0x0000000000750000-0x00000000007BD000-memory.dmp

Filesize
436KB

Download
memory/5040-17-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/5040-23-0x00000000023B0000-0x00000000027B0000-memory.dmp

Filesize
4.0MB

Download
memory/5040-24-0x00000000023B0000-0x00000000027B0000-memory.dmp

Filesize
4.0MB

Download
memory/5040-22-0x00000000771F0000-0x0000000077405000-memory.dmp

Filesize
2.1MB

Download
memory/5040-20-0x00007FFA8DA70000-0x00007FFA8DC65000-memory.dmp

Filesize
2.0MB

Download
memory/5040-19-0x00000000023B0000-0x00000000027B0000-memory.dmp

Filesize
4.0MB

Download
memory/5040-26-0x00000000023B0000-0x00000000027B0000-memory.dmp

Filesize
4.0MB

Download