rhadamanthys | 02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Size

363KB
MD5

1170fd144bb40cdedf5359dca11e1d6b
SHA1

832135a9f88aa5bec5532d3ee8ed90ed3fc507c4
SHA256

02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e
SHA512

f028d07889889ac7c33483fd73b033f973fb5d4d308c4fb5e8667e7a6a384818717f59bc17ddd3344ac26e2d6505cf5c8d7a680c244dc153f9164abecd56e345
SSDEEP

6144:nHsQLQZOv4Y8/l9gNW7swjVBJA0/kh0R6:nnsZOvF8/l5NRS

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral1/memory/4184-138-0x0000000002C50000-0x0000000002C6C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4184-140-0x0000000002C50000-0x0000000002C6C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4184-143-0x0000000002C50000-0x0000000002C6C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4184	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
4184	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
4184	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4184	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
Token: SeCreatePagefilePrivilege	4184	02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe

C:\Users\Admin\AppData\Local\Temp\02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe
"C:\Users\Admin\AppData\Local\Temp\02c1445ae78d151ad1732b8764b7e73eab55f2fb1d5a35a3965b0bdfd09e328e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4184-134-0x0000000004870000-0x000000000489E000-memory.dmp

Filesize
184KB

Download
memory/4184-135-0x0000000000400000-0x0000000002B1F000-memory.dmp

Filesize
39.1MB

Download
memory/4184-138-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/4184-140-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/4184-141-0x00000000048A0000-0x00000000048BA000-memory.dmp

Filesize
104KB

Download
memory/4184-142-0x0000000004B40000-0x0000000005B40000-memory.dmp

Filesize
16.0MB

Download
memory/4184-143-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/4184-144-0x0000000000400000-0x0000000002B1F000-memory.dmp

Filesize
39.1MB

Download