rhadamanthys | f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4

General

Target

f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe
Size

251KB
MD5

9a2b9262e1450701cfdf957b4051f162
SHA1

4adeadc106d1405268998b9069700aacf098823f
SHA256

f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4
SHA512

8b11d5760cf6c23fdc257a7e0e89e8bcce6b7bb693be41b9ca251ec4871944e2cef69864a674975cbadbd2901dc211e495970e49b422856206b34e7cda718250
SSDEEP

6144:lhi7B5LlFlUWndGzPkLVgs1MzhDi8W7y5:lhi7B5JFrUzPkBPcE

Score

10^/10

rhadamanthys collection discovery spyware stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/900-59-0x0000000000260000-0x000000000027D000-memory.dmp	family_rhadamanthys
behavioral1/memory/900-71-0x0000000000260000-0x000000000027D000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1164	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1164	900	f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe	27
PID 900 wrote to memory of 1164	900	f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe	27
PID 900 wrote to memory of 1164	900	f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe	27
PID 900 wrote to memory of 1164	900	f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe
"C:\Users\Admin\AppData\Local\Temp\f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\system32\rundll32.exe
  "C:\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8HLrADkbAFEhAHQAU|8ASQBoADEAVO8ANABHKwRZSIP|7CjoBAIAAEj|g8Qow8zMzEz|iUQkGEiJVCS|EEiJTCQIXQFI|4tEJDBIiQQk9oEBOEhvAAhIx0TbJBAtAesOgQEQSNeDwAGPARCBAUBI7TmWAHMlnwOLDCT|SAPISIvBSIv1TKsBVHsAA9FIi3|KigmICOvBZgW|ZUiLBCVg8|Az|8lIi1AYSDvR|3Q2SIPCIEiL|wJIO8J0KmaD|3hIGHUaTItA|1BmQYM4a3QH7hERS3UIERB4EC7|dAVIiwDr1Ujri0j9AMFqAEBTVf9WV0FUQVVBVvtBV10BZoE5TVr|TYv4TIvySIvv2Q+F|PPwTGNJ|zxBgTwJUEUA7wAPherz8EGLhPsJiPPwhcBIjTzvAQ+E1moRg7wJ3YwtAQ+Ex|PwRIv|ZyBEi18ci3f|JESLTxhMA+H|TAPZSAPxM8m|RYXJD4Sk8|BN|4vEQYsQRTPS|0gD04oChMB0|x1BwcoND77A3voAAUQD0L8Rdez|QYH6qvwNfHT|DoPBAUmDwAT|QTvJc2nrxov|wQ+3DE5Fiyz|i0wD63RYM+2+qhB0UUGLFMEA0|8zyYoCTIvC67cPwcnIEQPI5RAB90GKANUQ7TPAM5|2QTsMtuAQpgCD|8YBg|gIcu7r|wpIi8tB|9VJ34kE94PF5BDEBN87bxhyr2YBQV||QV5BXUFcX177XVszF0iB7GAB|mQAi+noZv7||79IhcAPhJh1IEz1ja8BiysQyDP|6P2bfSCNXwRMjUX|RjPSi8v|VCT9aIAgTIvgD4RrenUgRagQM8CL05EgX0iJfCQgpiBwgCA|SIvwD4RLdSCmIP9QSI1WCESNR99ASI2MJIURSIvv2Oh8|X4gjVZIat4gEOIhzPPw6GfvID9EiwaNVwhBIKYgvVjKIYmEJICHEt728|CLDtogWImMJNhxEQcwkSDoMe8gi5z+LTJMi106SIP7+2xIiiAwTIlkJO84TIukGjJMiVxuhAGEJNyHEYaSjRG7jUdLMIwk8PPwSd+L1Ojp|AUwipzueDJIjYR4MkGA838hjU9sRDAYpAJ|g+kBdfOBvHgy|yFSZXh1TYuEuyT0IjGUJPg1AcL|SDvYcjiD+my|djNEjUlA+gCUp0G4AJgApiBAyiL453QZRLYwwDFJjVT7JGyRIEmD6Gzo3WuCMEiLzqYgeEj|hf90EotVQkz8jjAbMUiNTCRA|w|XSIHEdCFhJC0ILQE=
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll

Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll

Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll

Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll

Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
\Users\Admin\AppData\Roaming\nsis_uns6c1f45.dll

Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
memory/900-59-0x0000000000260000-0x000000000027D000-memory.dmp

Filesize
116KB

Download
memory/900-69-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/900-54-0x00000000006CB000-0x00000000006EC000-memory.dmp

Filesize
132KB

Download
memory/900-58-0x00000000006EF000-0x0000000000701000-memory.dmp

Filesize
72KB

Download
memory/900-57-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/900-55-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/900-71-0x0000000000260000-0x000000000027D000-memory.dmp

Filesize
116KB

Download
memory/900-70-0x00000000006EF000-0x0000000000701000-memory.dmp

Filesize
72KB

Download
memory/900-68-0x00000000006CB000-0x00000000006EC000-memory.dmp

Filesize
132KB

Download
memory/1164-67-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1164-66-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/1164-72-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1164-73-0x000007FEFB530000-0x000007FEFB542000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing