Overview

overview

10

Static

static

3

Additional...rs.dll

windows11-21h2-x64

1

Additional...V2.dll

windows11-21h2-x64

1

Software_Setup.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    20s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-06-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Software_Setup.exe

  • Size

    63.9MB

  • MD5

    9ff7e52416b7d3ca8b7e035d4b15f60d

  • SHA1

    ecf06e8679da62922f3d52d2b9e756ba311e4203

  • SHA256

    ec4cd02feeae2e57341cb7ff396fac7d635c914775357b95a0ae3bb73ced8703

  • SHA512

    974b9d2d21ffc0d780fb5bb531db3f4edf979e032e2b0fa9048310885fa7cac06fc138b4aa5a9d6bb19a7fc7676c72e98a9ba9c60b35428a699774b34af474af

  • SSDEEP

    1572864:jDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/z:j6/6/6/6/6f

Score
10/10
rhadamanthysstealer

Malware Config

Signatures

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2872
      • C:\Windows\SysWOW64\openwith.exe
        "C:\Windows\system32\openwith.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3336
    • C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\winhlp32.exe
        "C:\Windows\winhlp32.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 456
          3⤵
          • Program crash
          PID:468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 352
          3⤵
          • Program crash
          PID:5040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2032 -ip 2032
      1⤵
        PID:2100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2032 -ip 2032
        1⤵
          PID:2712

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2032-13-0x0000000003800000-0x0000000003C00000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2032-10-0x0000000003800000-0x0000000003C00000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2032-7-0x0000000000400000-0x000000000047E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/2032-8-0x0000000000400000-0x000000000047E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/2032-5-0x0000000000400000-0x000000000047E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/2032-11-0x0000000003800000-0x0000000003C00000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2032-6-0x0000000000400000-0x000000000047E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/2032-12-0x00007FFA6C620000-0x00007FFA6C829000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/2032-9-0x0000000003800000-0x0000000003C00000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/2032-14-0x00007FFA6C621000-0x00007FFA6C74A000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2032-16-0x0000000075FA0000-0x00000000761F2000-memory.dmp
          Filesize

          2.3MB

          Download
        • memory/2032-23-0x0000000003800000-0x0000000003C00000-memory.dmp
          Filesize

          4.0MB

          Download
        • memory/3336-17-0x00000000006C0000-0x00000000006C9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3336-20-0x00007FFA6C620000-0x00007FFA6C829000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/3336-22-0x0000000075FA0000-0x00000000761F2000-memory.dmp
          Filesize

          2.3MB

          Download
        • memory/3336-19-0x0000000002410000-0x0000000002810000-memory.dmp
          Filesize

          4.0MB

          Download