rhadamanthys | 576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e

General

Target

576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
Size

2.3MB
MD5

c05d093d1274562a0fa00e0b2c8bea5d
SHA1

e91b1526bb9ad0d80a785de7423baab366d5480e
SHA256

576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e
SHA512

0d66ea8b0eb79c68fb9a7136a8c13962b70b457269af2dcce157289d85c8016dbdac0395d66764581456bde7856a77655e168490ebc63cb5f3501650c648a065
SSDEEP

24576:SR7d5Ic2Yc637ccFU/+VxjETkFqW0KbzYKVocc3Sxe31HZsGutdf7D1PGhWgOpBJ:wjIcK6hUSfchcHH1PEABhj

Score

10^/10

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral2/memory/3688-171-0x0000000001370000-0x000000000138C000-memory.dmp	family_rhadamanthys
behavioral2/memory/3688-173-0x0000000001370000-0x000000000138C000-memory.dmp	family_rhadamanthys
behavioral2/memory/3688-176-0x0000000001370000-0x000000000138C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3688	RegAsm.exe
3688	RegAsm.exe
3688	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
Token: SeShutdownPrivilege	3688	RegAsm.exe
Token: SeCreatePagefilePrivilege	3688	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2516	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	66
PID 2168 wrote to memory of 2516	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	66
PID 2168 wrote to memory of 2516	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	66
PID 2168 wrote to memory of 5088	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	69
PID 2168 wrote to memory of 5088	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	69
PID 2168 wrote to memory of 5088	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	69
PID 2168 wrote to memory of 3704	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	70
PID 2168 wrote to memory of 3704	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	70
PID 2168 wrote to memory of 3704	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	70
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71
PID 2168 wrote to memory of 3688	2168	576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe	71

C:\Users\Admin\AppData\Local\Temp\576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe
"C:\Users\Admin\AppData\Local\Temp\576f2b2a8d4adb743a7e9d7c163e37411b2a5ca25011156df57d3cf54a0a7e1e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:5088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x10jug1s.tj5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2168-122-0x0000000005AD0000-0x0000000005C32000-memory.dmp

Filesize
1.4MB

Download
memory/2168-123-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2168-124-0x0000000005A70000-0x0000000005A92000-memory.dmp

Filesize
136KB

Download
memory/2168-126-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2168-125-0x0000000005C30000-0x0000000005F80000-memory.dmp

Filesize
3.3MB

Download
memory/2168-162-0x0000000007220000-0x000000000771E000-memory.dmp

Filesize
5.0MB

Download
memory/2168-161-0x0000000006C80000-0x0000000006D12000-memory.dmp

Filesize
584KB

Download
memory/2168-154-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/2168-121-0x0000000000CB0000-0x0000000000F0A000-memory.dmp

Filesize
2.4MB

Download
memory/2516-153-0x0000000009270000-0x000000000928A000-memory.dmp

Filesize
104KB

Download
memory/2516-130-0x00000000074D0000-0x0000000007AF8000-memory.dmp

Filesize
6.2MB

Download
memory/2516-135-0x0000000007B60000-0x0000000007B7C000-memory.dmp

Filesize
112KB

Download
memory/2516-136-0x0000000008400000-0x000000000844B000-memory.dmp

Filesize
300KB

Download
memory/2516-137-0x00000000084E0000-0x0000000008556000-memory.dmp

Filesize
472KB

Download
memory/2516-134-0x0000000007D60000-0x0000000007DC6000-memory.dmp

Filesize
408KB

Download
memory/2516-132-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2516-152-0x0000000009CC0000-0x000000000A338000-memory.dmp

Filesize
6.5MB

Download
memory/2516-131-0x0000000007450000-0x00000000074B6000-memory.dmp

Filesize
408KB

Download
memory/2516-156-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2516-155-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2516-133-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/2516-129-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/3688-163-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-166-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-171-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/3688-174-0x0000000001570000-0x0000000001572000-memory.dmp

Filesize
8KB

Download
memory/3688-173-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/3688-175-0x0000000001570000-0x0000000001573000-memory.dmp

Filesize
12KB

Download
memory/3688-176-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/3688-177-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing