rhadamanthys | 454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388

General

Target

454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
Size

307KB
MD5

15ccf8c9bac338729ac1b12e740b7fb7
SHA1

f894d4e657b61b9548da60229809421206ed6064
SHA256

454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388
SHA512

fa06e9dd79ca2df21b2f0d65d2b8be7a176aa8002ad3de0159dfbaa1bd6059c86baa9782e77cad1807e5b8bd5e92b7b650d5d80c74b50f92198f40bb0e88895c
SSDEEP

3072:o6GXZ+QKkLDnm3AQuh7jYFv55hT7kdYdwxB3uYCIfsCrou+0aavqPXX5eShM4:o5VKkLDpDqvDFZdwxBeYeMq0aWqP4q

Score

10^/10

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/3068-127-0x0000000000780000-0x000000000079C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3068-129-0x0000000000780000-0x000000000079C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3068-132-0x0000000000780000-0x000000000079C000-memory.dmp	family_rhadamanthys
behavioral1/memory/3068-140-0x0000000000780000-0x000000000079C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
4192	dllhost.exe
4192	dllhost.exe
4192	dllhost.exe
4192	dllhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4192	3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe	66
PID 3068 wrote to memory of 4192	3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe	66
PID 3068 wrote to memory of 4192	3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe	66
PID 3068 wrote to memory of 4192	3068	454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe	66

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe
"C:\Users\Admin\AppData\Local\Temp\454f54246c0e1a6ed2d493fc442292b93f1b66ccffc9f57bdf2307ef6d6d0388.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\dllhost.exe
  "C:\Windows\system32\dllhost.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-139-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3068-140-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/3068-124-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/3068-122-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/3068-129-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/3068-130-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3068-131-0x0000000000660000-0x0000000000663000-memory.dmp

Filesize
12KB

Download
memory/3068-132-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/3068-123-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3068-127-0x0000000000780000-0x000000000079C000-memory.dmp

Filesize
112KB

Download
memory/4192-135-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-138-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-134-0x000002C674EF0000-0x000002C674EF7000-memory.dmp

Filesize
28KB

Download
memory/4192-133-0x000002C674F40000-0x000002C674F41000-memory.dmp

Filesize
4KB

Download
memory/4192-141-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-142-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-143-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-144-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download
memory/4192-145-0x00007FF61D1A0000-0x00007FF61D29A000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing