rhadamanthys | 4daaba19d412cdf3838a0c373cdc9b7cfc26423723307482e4b0f946909c726e

Analysis

max time kernel
84s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OBS/OBS.exe
Size

726.7MB
MD5

1f0664bc6de1cb394c6fdcb4e8792d26
SHA1

734a5f8223ac62bd6ae12e881d5841791b1b7071
SHA256

0afc18a6890970fa87b32ea90270db1f723190bba3a4fb24957a901cbacc7de2
SHA512

e84ac11ad875d3cf9f853c535697818dba4ec666dbcc66cb2350379d0df091598b7ed5d2b1d59f4379d53b1e5c558d85e5c194b766b6b0b472803a0c7fa68b5d
SSDEEP

196608:ech1JnwRSDaTvKuXwk2SA9lE6PI/GR8x1MA8Ran:dJOBKZk2S0P6hvMXan

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5024-140-0x0000000002C90000-0x0000000002CAD000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

OBS.exe

pid process

5024 OBS.exe
5024 OBS.exe
5024 OBS.exe
5024 OBS.exe
5024 OBS.exe

pid	process
5024	OBS.exe
5024	OBS.exe
5024	OBS.exe
5024	OBS.exe
5024	OBS.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OBS.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	OBS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	OBS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	OBS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	OBS.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	OBS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OBS.exe

pid process

5024 OBS.exe
5024 OBS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OBS.exe

description pid process

Token: SeShutdownPrivilege 5024 OBS.exe
Token: SeCreatePagefilePrivilege 5024 OBS.exe

pid	process
5024	OBS.exe
5024	OBS.exe

description	pid	process
Token: SeShutdownPrivilege	5024	OBS.exe
Token: SeCreatePagefilePrivilege	5024	OBS.exe

C:\Users\Admin\AppData\Local\Temp\OBS\OBS.exe
"C:\Users\Admin\AppData\Local\Temp\OBS\OBS.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5024-135-0x0000000000400000-0x0000000000E22000-memory.dmp

Filesize
10.1MB

Download
memory/5024-138-0x0000000000400000-0x0000000000E22000-memory.dmp

Filesize
10.1MB

Download
memory/5024-139-0x0000000000E4F000-0x0000000000E63000-memory.dmp

Filesize
80KB

Download
memory/5024-140-0x0000000002C90000-0x0000000002CAD000-memory.dmp

Filesize
116KB

Download
memory/5024-141-0x0000000003360000-0x0000000004360000-memory.dmp

Filesize
16.0MB

Download
memory/5024-142-0x0000000000400000-0x0000000000E22000-memory.dmp

Filesize
10.1MB

Download