rhadamanthys | a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f

General

Target

688774feec1cc9685acaece804dc7a26.exe
Size

2.8MB
MD5

688774feec1cc9685acaece804dc7a26
SHA1

68afac92caeb49c2bb96970138738844aa7b8f99
SHA256

a54493e71a7f28fe61e607ba4c089ada71e13ff9e1df6cef5619a4163e2b0a1f
SHA512

68467b861e163b4b0ff7477c3c780eb3141ae069e8145431798576a1da74347b0da6fa0a0ad19defc3e0d29bdfb29240bffa12ef2d1904697a6e52f965da041a
SSDEEP

24576:oafQKgqtAyrUFdRZTbwcXE1Rw2qs9kpu2ny/v/LtGZsYjot0+iEzyLU/E5h8bV2:oNwcXFoaU/E5h8bKlsyKqiB8tFg

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/564-74-0x0000000000140000-0x000000000015C000-memory.dmp	family_rhadamanthys
behavioral1/memory/564-76-0x0000000000140000-0x000000000015C000-memory.dmp	family_rhadamanthys
behavioral1/memory/564-78-0x0000000000140000-0x000000000015C000-memory.dmp	family_rhadamanthys
behavioral1/memory/564-80-0x0000000000140000-0x000000000015C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

688774feec1cc9685acaece804dc7a26.exe

pid process

564 688774feec1cc9685acaece804dc7a26.exe
564 688774feec1cc9685acaece804dc7a26.exe
564 688774feec1cc9685acaece804dc7a26.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

688774feec1cc9685acaece804dc7a26.exe

description pid process target process

PID 2032 set thread context of 564 2032 688774feec1cc9685acaece804dc7a26.exe 688774feec1cc9685acaece804dc7a26.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe688774feec1cc9685acaece804dc7a26.exe688774feec1cc9685acaece804dc7a26.exe

pid process

920 powershell.exe
2032 688774feec1cc9685acaece804dc7a26.exe
564 688774feec1cc9685acaece804dc7a26.exe
564 688774feec1cc9685acaece804dc7a26.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe688774feec1cc9685acaece804dc7a26.exe

description pid process

Token: SeDebugPrivilege 920 powershell.exe
Token: SeDebugPrivilege 2032 688774feec1cc9685acaece804dc7a26.exe

pid	process
564	688774feec1cc9685acaece804dc7a26.exe
564	688774feec1cc9685acaece804dc7a26.exe
564	688774feec1cc9685acaece804dc7a26.exe

description	pid	process	target process
PID 2032 set thread context of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe

pid	process
920	powershell.exe
2032	688774feec1cc9685acaece804dc7a26.exe
564	688774feec1cc9685acaece804dc7a26.exe
564	688774feec1cc9685acaece804dc7a26.exe

description	pid	process
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2032	688774feec1cc9685acaece804dc7a26.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

688774feec1cc9685acaece804dc7a26.exe688774feec1cc9685acaece804dc7a26.exe

C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
"C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
2⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
C:\Users\Admin\AppData\Local\Temp\688774feec1cc9685acaece804dc7a26.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
3⤵
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-74-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/564-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/564-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-78-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/564-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-80-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/564-76-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/564-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/564-75-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/920-60-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2032-55-0x0000000004D20000-0x0000000004E6A000-memory.dmp

Filesize
1.3MB

Download
memory/2032-54-0x00000000011C0000-0x000000000148A000-memory.dmp

Filesize
2.8MB

Download
memory/2032-56-0x0000000000C10000-0x0000000000CA2000-memory.dmp

Filesize
584KB

Download
memory/2032-61-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2032-57-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 2032 wrote to memory of 920	2032	688774feec1cc9685acaece804dc7a26.exe	powershell.exe
PID 2032 wrote to memory of 920	2032	688774feec1cc9685acaece804dc7a26.exe	powershell.exe
PID 2032 wrote to memory of 920	2032	688774feec1cc9685acaece804dc7a26.exe	powershell.exe
PID 2032 wrote to memory of 920	2032	688774feec1cc9685acaece804dc7a26.exe	powershell.exe
PID 2032 wrote to memory of 928	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 928	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 928	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 928	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 2032 wrote to memory of 564	2032	688774feec1cc9685acaece804dc7a26.exe	688774feec1cc9685acaece804dc7a26.exe
PID 564 wrote to memory of 1436	564	688774feec1cc9685acaece804dc7a26.exe	dllhost.exe
PID 564 wrote to memory of 1436	564	688774feec1cc9685acaece804dc7a26.exe	dllhost.exe
PID 564 wrote to memory of 1436	564	688774feec1cc9685acaece804dc7a26.exe	dllhost.exe
PID 564 wrote to memory of 1436	564	688774feec1cc9685acaece804dc7a26.exe	dllhost.exe

Analysis

Sharing