rhadamanthys | 694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6

General

Target

694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe
Size

343KB
MD5

74bbec002db7d472768165d91d9500f4
SHA1

47fd00a05318ff7d4b35eca94cf96758cfc42f12
SHA256

694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6
SHA512

944320f2440f8b135a8a665a6eface0926fab9b8e6c5fbe382ecf950983bc2861b74563c8e655aaaddac31302b6c411b4cb926afc92fc035346a197c1ff025cf
SSDEEP

6144:COC5LACYNi6fxj7thdimb16DwuQj9xia:CT5MRN7fpdGwlja

Score

10^/10

rhadamanthys collection discovery spyware stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1304-160-0x0000000002360000-0x000000000237D000-memory.dmp	family_rhadamanthys
behavioral1/memory/1304-177-0x0000000002360000-0x000000000237D000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 4120 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4120 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
2	4120	rundll32.exe

pid	process
4120	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2468 4120 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2468	4120	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4120 rundll32.exe
4120 rundll32.exe
4120 rundll32.exe
4120 rundll32.exe

pid	process
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe

description	pid	process	target process
PID 1304 wrote to memory of 4120	1304	694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe	rundll32.exe
PID 1304 wrote to memory of 4120	1304	694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe
"C:\Users\Admin\AppData\Local\Temp\694a1b535cf2d815237e696ea04880a649bddc27ed9919498e66c1067b041af6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\rundll32.exe
"C:\Users\Admin\AppData\Roaming\nsis_unse56b50c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Fn|ADEAaABCAGm|AFgAQQBIRwBC7ikCWABWLQJZSIP|7CjoBAIAAEj|g8Qow8zMzEz|iUQkGEiJVCS|EEiJTCQIXQFI|4tEJDBIiQQk9oEBOEhvAAhIx0TbJBAtAesOgQEQSNeDwAGPARCBAUBI7TmWAHMlnwOLDCT|SAPISIvBSIv1TKsBVHsAA9FIi3|KigmICOvBZgW|ZUiLBCVg8|Az|8lIi1AYSDvR|3Q2SIPCIEiL|wJIO8J0KmaD|3hIGHUaTItA|1BmQYM4a3QH7hERS3UIERB4EC7|dAVIiwDr1Ujri0j9AMFqAEBTVf9WV0FUQVVBVvtBV10BZoE5TVr|TYv4TIvySIvv2Q+F|PPwTGNJ|zxBgTwJUEUA7wAPherz8EGLhPsJiPPwhcBIjTzvAQ+E1moRg7wJ3YwtAQ+Ex|PwRIv|ZyBEi18ci3f|JESLTxhMA+H|TAPZSAPxM8m|RYXJD4Sk8|BN|4vEQYsQRTPS|0gD04oChMB0|x1BwcoND77A3voAAUQD0L8Rdez|QYH6qvwNfHT|DoPBAUmDwAT|QTvJc2nrxov|wQ+3DE5Fiyz|i0wD63RYM+2+qhB0UUGLFMEA0|8zyYoCTIvC67cPwcnIEQPI5RAB90GKANUQ7TPAM5|2QTsMtuAQpgCD|8YBg|gIcu7r|wpIi8tB|9VJ34kE94PF5BDEBN87bxhyr2YBQV||QV5BXUFcX177XVszF0iB7GAB|mQAi+noZv7||79IhcAPhJh1IEz1ja8BiysQyDP|6P2bfSCNXwRMjUX|RjPSi8v|VCT9aIAgTIvgD4RrenUgRagQM8CL05EgX0iJfCQgpiBwgCA|SIvwD4RLdSCmIP9QSI1WCESNR99ASI2MJIURSIvv2Oh8|X4gjVZIat4gEOIhzPPw6GfvID9EiwaNVwhBIKYgvVjKIYmEJICHEt728|CLDtogWImMJNhxEQcwkSDoMe8gi5z+LTJMi106SIP7+2xIiiAwTIlkJO84TIukGjJMiVxuhAGEJNyHEYaSjRG7jUdLMIwk8PPwSd+L1Ojp|AUwipzueDJIjYR4MkGA838hjU9sRDAYpAJ|g+kBdfOBvHgy|yFSZXh1TYuEuyT0IjGUJPg1AcL|SDvYcjiD+my|djNEjUlA+gCUp0G4AJgApiBAyiL453QZRLYwwDFJjVT7JGyRIEmD6Gzo3WuCMEiLzqYgeEj|hf90EotVQkz8jjAbMUiNTCRA|w|XSIHEdCFhJC0ILQE=
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4120 -s 644
3⤵
- Program crash
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nsis_unse56b50c.dll
Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
\Users\Admin\AppData\Roaming\nsis_unse56b50c.dll
Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
memory/1304-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-124-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-127-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-148-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1304-149-0x00000000021D0000-0x00000000021F5000-memory.dmp

Filesize
148KB

Download
memory/1304-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-153-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-158-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1304-157-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-159-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1304-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-160-0x0000000002360000-0x000000000237D000-memory.dmp

Filesize
116KB

Download
memory/1304-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-166-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1304-176-0x00000000021D0000-0x00000000021F5000-memory.dmp

Filesize
148KB

Download
memory/1304-177-0x0000000002360000-0x000000000237D000-memory.dmp

Filesize
116KB

Download
memory/4120-169-0x0000000000000000-mapping.dmp

Download
memory/4120-172-0x0000017935FB0000-0x0000017935FB7000-memory.dmp

Filesize
28KB

Download
memory/4120-175-0x00007FF794A20000-0x00007FF794B1A000-memory.dmp

Filesize
1000KB

Download
memory/4120-178-0x00007FF794A20000-0x00007FF794B1A000-memory.dmp

Filesize
1000KB

Download
memory/4120-179-0x00007FFD593B0000-0x00007FFD593C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads