rhadamanthys | bf3ecb3f8f771f6fc5f04c6a30aa6e92686a920e77680516f1e64fc26d74aa38

General

Target

6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe
Size

302KB
MD5

7b9742c442c28ca29907a0ffcaca47fa
SHA1

d59023f60d89c785da29165a5df7d8b80f790d87
SHA256

6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9
SHA512

e4810b23a677b9eac6946ce33f1d30e6ce7be826889791fc94667fa123416279a5dfb50fbf54f6b22e8e971e3a121d42219ceadac6a2313c507763d0c921453d
SSDEEP

6144:/DB9/8sAqMQ107vvjmokAxGnHZIkIx1P7:bB9/8JE1OvCixGnm

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-65-0x0000000000090000-0x00000000000AC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1584-66-0x0000000000090000-0x00000000000AC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1584-68-0x0000000000090000-0x00000000000AC000-memory.dmp	family_rhadamanthys
behavioral1/memory/1584-75-0x0000000000090000-0x00000000000AC000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe

description	pid	process	target process
PID 904 set thread context of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

460 904 WerFault.exe 6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe

pid	pid_target	process	target process
460	904	WerFault.exe	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exedllhost.exe

pid process

1584 AppLaunch.exe
1584 AppLaunch.exe
1636 dllhost.exe
1636 dllhost.exe
1636 dllhost.exe
1636 dllhost.exe

pid	process
1584	AppLaunch.exe
1584	AppLaunch.exe
1636	dllhost.exe
1636	dllhost.exe
1636	dllhost.exe
1636	dllhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exeAppLaunch.exe

description	pid	process	target process
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 1584	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	AppLaunch.exe
PID 904 wrote to memory of 460	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	WerFault.exe
PID 904 wrote to memory of 460	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	WerFault.exe
PID 904 wrote to memory of 460	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	WerFault.exe
PID 904 wrote to memory of 460	904	6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe	WerFault.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe
PID 1584 wrote to memory of 1636	1584	AppLaunch.exe	dllhost.exe

outlook_office_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

Processes:

dllhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe
"C:\Users\Admin\AppData\Local\Temp\6d615929475897b42f7bbc9ae8a5fdc591a15a08ab4696dbabb3ff912fb5cbf9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 36
2⤵
- Program crash
PID:460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-68-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1584-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-75-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1584-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-65-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1584-66-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1584-67-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1584-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1636-77-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-71-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-72-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-73-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-74-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-70-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/1636-76-0x000007FFFFEB0000-0x000007FFFFFAA000-memory.dmp

Filesize
1000KB

Download
memory/1636-69-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads