rhadamanthys | 2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6

General

Target

2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe
Size

2.1MB
MD5

5e301df2dbea93396ebca06768da3846
SHA1

a723e38bded7a02aa51d08d0589a385406eaa9df
SHA256

2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6
SHA512

809709579ed76aadfdeccb94b60d81f54cb1a5589bcc9cd6abb1479a1e096e417326387bdacd9cbebae2982a2a67300254911871a941d978b4bd65e8ecbb54e4
SSDEEP

24576:idtm5KNlea8fiEpuNDS4LwGaVr0jEYnt7Fs1JaPGzfR69AwDUJ32Y0w4syC73A8a:+Tlea8fRkNhtwYnVCaSEy44r7i

Score

10^/10

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral2/memory/1236-170-0x0000000000FD0000-0x0000000000FEC000-memory.dmp	family_rhadamanthys
behavioral2/memory/1236-172-0x0000000000FD0000-0x0000000000FEC000-memory.dmp	family_rhadamanthys
behavioral2/memory/1236-175-0x0000000000FD0000-0x0000000000FEC000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1236	RegAsm.exe
1236	RegAsm.exe
1236	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
4516	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe
Token: SeShutdownPrivilege	1236	RegAsm.exe
Token: SeCreatePagefilePrivilege	1236	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4516	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	66
PID 4452 wrote to memory of 4516	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	66
PID 4452 wrote to memory of 4516	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	66
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69
PID 4452 wrote to memory of 1236	4452	2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe	69

C:\Users\Admin\AppData\Local\Temp\2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe
"C:\Users\Admin\AppData\Local\Temp\2b2e95a48b3fb8c4c4cf15ed435cba20901264df8f80d86fb640394160ffc7b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xd2nnjgl.zgh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1236-173-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/1236-167-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-164-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-176-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-175-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

Filesize
112KB

Download
memory/1236-174-0x0000000000FF0000-0x0000000000FF3000-memory.dmp

Filesize
12KB

Download
memory/1236-172-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

Filesize
112KB

Download
memory/1236-170-0x0000000000FD0000-0x0000000000FEC000-memory.dmp

Filesize
112KB

Download
memory/1236-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4452-122-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/4452-160-0x00000000061B0000-0x0000000006242000-memory.dmp

Filesize
584KB

Download
memory/4452-120-0x0000000000350000-0x000000000057C000-memory.dmp

Filesize
2.2MB

Download
memory/4452-121-0x0000000004F10000-0x0000000005076000-memory.dmp

Filesize
1.4MB

Download
memory/4452-125-0x0000000005160000-0x00000000054B0000-memory.dmp

Filesize
3.3MB

Download
memory/4452-124-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/4452-153-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4452-123-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4452-161-0x0000000006750000-0x0000000006C4E000-memory.dmp

Filesize
5.0MB

Download
memory/4516-130-0x00000000076B0000-0x0000000007716000-memory.dmp

Filesize
408KB

Download
memory/4516-155-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/4516-154-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/4516-152-0x0000000008E80000-0x0000000008E9A000-memory.dmp

Filesize
104KB

Download
memory/4516-151-0x00000000098F0000-0x0000000009F68000-memory.dmp

Filesize
6.5MB

Download
memory/4516-136-0x0000000008050000-0x00000000080C6000-memory.dmp

Filesize
472KB

Download
memory/4516-135-0x00000000082A0000-0x00000000082EB000-memory.dmp

Filesize
300KB

Download
memory/4516-134-0x0000000007850000-0x000000000786C000-memory.dmp

Filesize
112KB

Download
memory/4516-133-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/4516-132-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4516-131-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/4516-129-0x0000000007080000-0x00000000076A8000-memory.dmp

Filesize
6.2MB

Download
memory/4516-128-0x0000000001100000-0x0000000001136000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing