rhadamanthys | 8b7e4a85e6ea41caee36f287430d45350f3be89c3b616e28bb520cd0b6d69496

General

Target

PDF Editor/Setup.exe
Size

2.2MB
MD5

57eec9f4c439f340671dacfcf681d57e
SHA1

d85ce1c62994c82d9c8ffcb91a1853a8c6214826
SHA256

140f170d8b83611cb8897164be174495dc51961dc34fbccc9a714917cc341b8f
SHA512

e105343b60bcfedd35d2b304f4d28f23e594db3a4f6b2e4ee00ad9240a34653150320514eca62c3336196e27ce2e6b17032818d34686602815aea6caf8a3e842
SSDEEP

24576:yEG5HvVgakU0978UD+xESC+j5EJlTQNEux5PvuOEVi9RPXSqvmoh1WX/S4G75wAc:yxyCnUCg+kF+emEOjWuwP

Score

10^/10

rhadamanthys collection discovery evasion spyware stealer trojan

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/896-69-0x00000000001F0000-0x000000000020D000-memory.dmp	family_rhadamanthys
behavioral1/memory/896-79-0x00000000001F0000-0x000000000020D000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1728	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
896	AppLaunch.exe
896	AppLaunch.exe
896	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 896	1320	Setup.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 1320 wrote to memory of 896	1320	Setup.exe	29
PID 896 wrote to memory of 1728	896	AppLaunch.exe	30
PID 896 wrote to memory of 1728	896	AppLaunch.exe	30
PID 896 wrote to memory of 1728	896	AppLaunch.exe	30
PID 896 wrote to memory of 1728	896	AppLaunch.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\PDF Editor\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\PDF Editor\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\rundll32.exe
    "C:\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll",Options_RunDLL 0900cc00-02a0-04de-11cc-ab2a47527ebd
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll

Filesize
53KB

MD5
ecc6432063c706088a71c5e692a03599

SHA1
3c36afaff437f9411ba7f3610161866daefc747e

SHA256
8d9f4294155fb7e67818e16cadc3410b426f476ee82d4400bc4426a13fa82ab4

SHA512
bcc9899dc307edf56bbd19846a5f643a0808996dc39330c03603eac407ffe60b9159a8e7daa9c33d7bbf76759b6f3e26eced8bbe6f296c32944b7377a7458487

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll

Filesize
53KB

MD5
ecc6432063c706088a71c5e692a03599

SHA1
3c36afaff437f9411ba7f3610161866daefc747e

SHA256
8d9f4294155fb7e67818e16cadc3410b426f476ee82d4400bc4426a13fa82ab4

SHA512
bcc9899dc307edf56bbd19846a5f643a0808996dc39330c03603eac407ffe60b9159a8e7daa9c33d7bbf76759b6f3e26eced8bbe6f296c32944b7377a7458487

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll

Filesize
53KB

MD5
ecc6432063c706088a71c5e692a03599

SHA1
3c36afaff437f9411ba7f3610161866daefc747e

SHA256
8d9f4294155fb7e67818e16cadc3410b426f476ee82d4400bc4426a13fa82ab4

SHA512
bcc9899dc307edf56bbd19846a5f643a0808996dc39330c03603eac407ffe60b9159a8e7daa9c33d7bbf76759b6f3e26eced8bbe6f296c32944b7377a7458487

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll

Filesize
53KB

MD5
ecc6432063c706088a71c5e692a03599

SHA1
3c36afaff437f9411ba7f3610161866daefc747e

SHA256
8d9f4294155fb7e67818e16cadc3410b426f476ee82d4400bc4426a13fa82ab4

SHA512
bcc9899dc307edf56bbd19846a5f643a0808996dc39330c03603eac407ffe60b9159a8e7daa9c33d7bbf76759b6f3e26eced8bbe6f296c32944b7377a7458487

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6c23e6.dll

Filesize
53KB

MD5
ecc6432063c706088a71c5e692a03599

SHA1
3c36afaff437f9411ba7f3610161866daefc747e

SHA256
8d9f4294155fb7e67818e16cadc3410b426f476ee82d4400bc4426a13fa82ab4

SHA512
bcc9899dc307edf56bbd19846a5f643a0808996dc39330c03603eac407ffe60b9159a8e7daa9c33d7bbf76759b6f3e26eced8bbe6f296c32944b7377a7458487

Download Submit
memory/896-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-69-0x00000000001F0000-0x000000000020D000-memory.dmp

Filesize
116KB

Download
memory/896-70-0x0000000002810000-0x0000000003810000-memory.dmp

Filesize
16.0MB

Download
memory/896-79-0x00000000001F0000-0x000000000020D000-memory.dmp

Filesize
116KB

Download
memory/896-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/896-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1320-67-0x00000000001C0000-0x0000000000400000-memory.dmp

Filesize
2.2MB

Download
memory/1320-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1320-55-0x00000000001C1000-0x00000000001C5000-memory.dmp

Filesize
16KB

Download
memory/1728-78-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1728-77-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1728-80-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1728-81-0x000007FEFB440000-0x000007FEFB452000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads