rhadamanthys | a130810e663458a3c4037ec1fff7fc151d1974cda568574346fe9834f858153a

General

Target

Audacity lnstallSetup.exe
Size

805.0MB
MD5

9cc1ace92bdea826528ddf9ed9e6ff15
SHA1

29d3d26a7e9f4a42816a78a272ba1b92a7b4f7bb
SHA256

c9cb8c7e23a392d404db0530819d76d31c2011110872517226171b9c5441096f
SHA512

140e94e1212e1b606163259df5ee0fee9e71db3ed072dcbea196fbde56547e89120fd4330294c633bf22b82265d570c6073178a1685769166c091c2d3bcccd42
SSDEEP

6144:jkfcNplrEPyT/BvyhN2YWh5kr355555555555555555555555555555555555554:acNpDdyh61

Score

10^/10

rhadamanthys collection discovery spyware stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 1 IoCs

resource	yara_rule
behavioral1/memory/848-56-0x0000000000160000-0x0000000000199000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1236	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1236	rundll32.exe
1236	rundll32.exe
1236	rundll32.exe
1236	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1236	rundll32.exe
1236	rundll32.exe
1236	rundll32.exe
1236	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1236	848	Audacity lnstallSetup.exe	28
PID 848 wrote to memory of 1236	848	Audacity lnstallSetup.exe	28
PID 848 wrote to memory of 1236	848	Audacity lnstallSetup.exe	28
PID 848 wrote to memory of 1236	848	Audacity lnstallSetup.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Audacity lnstallSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Audacity lnstallSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\system32\rundll32.exe
  "C:\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll",Options_RunDLL 0900cc00-0040-0495-103a-c82e7dff5915
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll

Filesize
53KB

MD5
8db7f10952736955f22fc2c162fd73b5

SHA1
64d502c2dcb720a29d102c8f5d568216e52d3893

SHA256
d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2

SHA512
2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll

Filesize
53KB

MD5
8db7f10952736955f22fc2c162fd73b5

SHA1
64d502c2dcb720a29d102c8f5d568216e52d3893

SHA256
d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2

SHA512
2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll

Filesize
53KB

MD5
8db7f10952736955f22fc2c162fd73b5

SHA1
64d502c2dcb720a29d102c8f5d568216e52d3893

SHA256
d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2

SHA512
2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll

Filesize
53KB

MD5
8db7f10952736955f22fc2c162fd73b5

SHA1
64d502c2dcb720a29d102c8f5d568216e52d3893

SHA256
d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2

SHA512
2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794

Download Submit
\Users\Admin\AppData\Roaming\vcredist_6ca3ee.dll

Filesize
53KB

MD5
8db7f10952736955f22fc2c162fd73b5

SHA1
64d502c2dcb720a29d102c8f5d568216e52d3893

SHA256
d62418951680bca014016076370389805aa93d8dd92cbc9af762f845762146c2

SHA512
2168066f071050bebb1f653eaacdf379b0ac7f06e4873d09e83e8088f918229d31b345efae2110a477e151c6b240a5e8eebe311d56032919395d6af233b2e794

Download Submit
memory/848-65-0x0000000000513000-0x000000000052D000-memory.dmp

Filesize
104KB

Download
memory/848-55-0x0000000000513000-0x000000000052D000-memory.dmp

Filesize
104KB

Download
memory/848-56-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1236-64-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1236-63-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1236-66-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1236-67-0x000007FEF7880000-0x000007FEF7892000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing