rhadamanthys | 837f6441b7784d5f83e3b1d883cfe0d1ee2b97b0a6ed23300206120b9ec42030

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 22:06

Target

RubixLauncher.exe
Size

355KB
MD5

8a6f1580a5b9b94d7cd47cc6b1af1b9a
SHA1

e68768afd59e18091d345cb300e859572e8d4c5c
SHA256

bb1464e75c750d90c0c49d148c9e64eefe0c29b2f670d708c8085ddd3104dbfe
SHA512

1663a9e0868b3f5d7e1edd30259024e419c2d190ec8c31e76e66aef0c8a0e02da0c829584214b9e2f76cbd349a53bf77d01d03e9b0e9c8a99eb18021b1d53309
SSDEEP

6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqhsb:gf2R/EEkCQFYDwRqW

Score

10^/10

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RubixLauncher.exe

description pid process target process

PID 3808 created 3048 3808 RubixLauncher.exe sihost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RubixLauncher.exedialer.exe

pid process

3808 RubixLauncher.exe
3808 RubixLauncher.exe
3208 dialer.exe
3208 dialer.exe
3208 dialer.exe
3208 dialer.exe

description	pid	process	target process
PID 3808 created 3048	3808	RubixLauncher.exe	sihost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

RubixLauncher.exe

description	pid	process	target process
PID 3808 wrote to memory of 3208	3808	RubixLauncher.exe	dialer.exe
PID 3808 wrote to memory of 3208	3808	RubixLauncher.exe	dialer.exe
PID 3808 wrote to memory of 3208	3808	RubixLauncher.exe	dialer.exe
PID 3808 wrote to memory of 3208	3808	RubixLauncher.exe	dialer.exe
PID 3808 wrote to memory of 3208	3808	RubixLauncher.exe	dialer.exe

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:4764

memory/3208-16-0x00000000769D0000-0x0000000076BE5000-memory.dmp

Filesize
2.1MB

Download
memory/3208-15-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/3208-12-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/3208-17-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/3208-14-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/3208-8-0x0000000000C50000-0x0000000000C59000-memory.dmp

Filesize
36KB

Download
memory/3208-10-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/3808-1-0x0000000003FF0000-0x00000000043F0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-7-0x00000000769D0000-0x0000000076BE5000-memory.dmp

Filesize
2.1MB

Download
memory/3808-0-0x0000000000EC0000-0x0000000000F2D000-memory.dmp

Filesize
436KB

Download
memory/3808-11-0x0000000000EC0000-0x0000000000F2D000-memory.dmp

Filesize
436KB

Download
memory/3808-5-0x0000000003FF0000-0x00000000043F0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-4-0x00007FF801F30000-0x00007FF802125000-memory.dmp

Filesize
2.0MB

Download
memory/3808-3-0x0000000003FF0000-0x00000000043F0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-2-0x0000000003FF0000-0x00000000043F0000-memory.dmp

Filesize
4.0MB

Download