rhadamanthys | 25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe
Size

550KB
MD5

c9579061bc52d1d79e58f8c55a14635a
SHA1

211b38575049b00d772c03f4968e5686b961c5a8
SHA256

25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb
SHA512

c73ce474100df0931b665e13fa6c243088d4349da10300d7b1ab422df066d12ef5e6235f5a8f4919e87d40747003ad357229058f473934f9b0eb3d7be0cbb2e6
SSDEEP

6144:CqxhHcRlnPwc+me+x3aDOYD0VeXQLKYK8W8u2V+pz7tVPPhIYQQ36L7Zo+Oq5SNi:LxhywBDPieALxI20pVhPudN7Z/OvwQY

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 2708 created 1188 2708 RegAsm.exe Explorer.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe

description pid process target process

PID 2416 set thread context of 2708 2416 25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exedialer.exe

pid process

2708 RegAsm.exe
2708 RegAsm.exe
2672 dialer.exe
2672 dialer.exe
2672 dialer.exe
2672 dialer.exe

description	pid	process	target process
PID 2708 created 1188	2708	RegAsm.exe	Explorer.EXE

description	pid	process	target process
PID 2416 set thread context of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe

pid	process
2708	RegAsm.exe
2708	RegAsm.exe
2672	dialer.exe
2672	dialer.exe
2672	dialer.exe
2672	dialer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exeRegAsm.exe

description	pid	process	target process
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2884	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2416 wrote to memory of 2708	2416	25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe	RegAsm.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe
PID 2708 wrote to memory of 2672	2708	RegAsm.exe	dialer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe
"C:\Users\Admin\AppData\Local\Temp\25eca29c2b8c8f74a4bbbe57cf02ec740063635ab45c4043184eaae7ae64defb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000140000-0x00000000001D0000-memory.dmp

Filesize
576KB

Download
memory/2416-13-0x00000000021C0000-0x00000000041C0000-memory.dmp

Filesize
32.0MB

Download
memory/2416-16-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-34-0x00000000771E0000-0x0000000077389000-memory.dmp

Filesize
1.7MB

Download
memory/2672-33-0x0000000076920000-0x0000000076967000-memory.dmp

Filesize
284KB

Download
memory/2672-30-0x00000000771E0000-0x0000000077389000-memory.dmp

Filesize
1.7MB

Download
memory/2672-29-0x0000000001C00000-0x0000000002000000-memory.dmp

Filesize
4.0MB

Download
memory/2672-26-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2708-5-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-23-0x0000000076920000-0x0000000076967000-memory.dmp

Filesize
284KB

Download
memory/2708-6-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-12-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-18-0x0000000003680000-0x0000000003A80000-memory.dmp

Filesize
4.0MB

Download
memory/2708-20-0x0000000003680000-0x0000000003A80000-memory.dmp

Filesize
4.0MB

Download
memory/2708-19-0x0000000003680000-0x0000000003A80000-memory.dmp

Filesize
4.0MB

Download
memory/2708-21-0x00000000771E0000-0x0000000077389000-memory.dmp

Filesize
1.7MB

Download
memory/2708-7-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-25-0x00000000771E1000-0x00000000772E2000-memory.dmp

Filesize
1.0MB

Download
memory/2708-24-0x0000000003680000-0x0000000003A80000-memory.dmp

Filesize
4.0MB

Download
memory/2708-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-27-0x0000000003680000-0x0000000003A80000-memory.dmp

Filesize
4.0MB

Download
memory/2708-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-17-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2708-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads