rhadamanthys | 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895

General

Target

4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
Size

328KB
MD5

aee31f8b7afa6a4bbf9f7a7473e638d3
SHA1

801ffca9b94ae2740abf307cea114abc106aaa56
SHA256

4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895
SHA512

f4bd2d45740e796a398bd8b4cb4e7492820d645270531f497f3167800f8c042bcc7f43b9992bb11939669da9f02c4b0d5dcb4200b09b64f0b9602dba7bf6d43a
SSDEEP

6144:2laWWuXL1Od/qAQSsldolm8ctEUOJVqdA5pujRw:YpXZOxqAQSsldz8cRO3t5Sm

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4884-138-0x0000000002340000-0x000000000235C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4884-140-0x0000000002340000-0x000000000235C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4884-143-0x0000000002340000-0x000000000235C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4884-151-0x0000000002340000-0x000000000235C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

pid	process
4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4540 4884 WerFault.exe 4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

pid	pid_target	process	target process
4540	4884	WerFault.exe	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exedllhost.exe

pid	process
4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe

description	pid	process	target process
PID 4884 wrote to memory of 2616	4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe	dllhost.exe
PID 4884 wrote to memory of 2616	4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe	dllhost.exe
PID 4884 wrote to memory of 2616	4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe	dllhost.exe
PID 4884 wrote to memory of 2616	4884	4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe	dllhost.exe

outlook_office_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe
"C:\Users\Admin\AppData\Local\Temp\4b1694b03a91d8b9b31705045b65ac133051b28b419abca21b380cd137823895.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 700
2⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4884 -ip 4884
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2616-149-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-154-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-146-0x0000025CED050000-0x0000025CED057000-memory.dmp

Filesize
28KB

Download
memory/2616-147-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-153-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-152-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-148-0x00007FF4D99B0000-0x00007FF4D9AAA000-memory.dmp

Filesize
1000KB

Download
memory/2616-144-0x0000025CECD40000-0x0000025CECD41000-memory.dmp

Filesize
4KB

Download
memory/4884-138-0x0000000002340000-0x000000000235C000-memory.dmp

Filesize
112KB

Download
memory/4884-135-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/4884-140-0x0000000002340000-0x000000000235C000-memory.dmp

Filesize
112KB

Download
memory/4884-143-0x0000000002340000-0x000000000235C000-memory.dmp

Filesize
112KB

Download
memory/4884-134-0x0000000002310000-0x000000000233E000-memory.dmp

Filesize
184KB

Download
memory/4884-150-0x0000000000400000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/4884-151-0x0000000002340000-0x000000000235C000-memory.dmp

Filesize
112KB

Download
memory/4884-142-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/4884-141-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/4884-145-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads