rhadamanthys | 25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e

Analysis

max time kernel
150s
max time network
110s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2023, 07:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
Size

347KB
MD5

c441b42d9f7a3382f0f9407c8815b4e5
SHA1

362f403e55a0fd98a88332a185ce90de5e8986c3
SHA256

25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e
SHA512

fdea6438373c817cba5e35655aedb5922cee34223da9b698d13a6dab9f9694f5868236f6eddca5570e480111d3fb1f64f046764ce7b5d75af867fb27d5f6d337
SSDEEP

3072:I6rLNSpQbbhQ0WVG04st+1YdYacOqaL4uLWlc4EzVHw5T0G5y5aXr81MetljUeXe:3rvBFQGDst+M1TY5EzkTh8ntllVe

Score

10^/10

rhadamanthys smokeloader pub4 backdoor collection stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

rhadamanthys

http://179.43.142.201/img/favicon.png

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/4624-170-0x0000000002410000-0x000000000242C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4624-171-0x0000000002410000-0x000000000242C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4624-173-0x0000000002410000-0x000000000242C000-memory.dmp	family_rhadamanthys
behavioral1/memory/4624-182-0x0000000002410000-0x000000000242C000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
3164	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
4624	3539.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	dllhost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
4024	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4024	25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4624	3164	Process not Found	66
PID 3164 wrote to memory of 4624	3164	Process not Found	66
PID 3164 wrote to memory of 4624	3164	Process not Found	66
PID 4624 wrote to memory of 368	4624	3539.exe	67
PID 4624 wrote to memory of 368	4624	3539.exe	67
PID 4624 wrote to memory of 368	4624	3539.exe	67
PID 4624 wrote to memory of 368	4624	3539.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe
"C:\Users\Admin\AppData\Local\Temp\25b0f934a3df024b1a982afbd082cbe8683da911c7660c0d68094e2078b1430e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4024

C:\Users\Admin\AppData\Local\Temp\3539.exe
C:\Users\Admin\AppData\Local\Temp\3539.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\system32\dllhost.exe
  "C:\Windows\system32\dllhost.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3539.exe

Filesize
419KB

MD5
90157449149bf3cad718f0b63f2317f3

SHA1
012f344a4311ea599744cbd592ff40a8513616fe

SHA256
8892ef93cc4f1251745347eec7449fa445e88e3cf1a96e18a0e457cd2067cd52

SHA512
6b3d844480b99984800400401e1afb83dd0efa3cb3406b1d59ca3f3774a1120fa4c43100e2d66c141a3b2f848fe5992adada6781617193bb9d173083f44212b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3539.exe

Filesize
419KB

MD5
90157449149bf3cad718f0b63f2317f3

SHA1
012f344a4311ea599744cbd592ff40a8513616fe

SHA256
8892ef93cc4f1251745347eec7449fa445e88e3cf1a96e18a0e457cd2067cd52

SHA512
6b3d844480b99984800400401e1afb83dd0efa3cb3406b1d59ca3f3774a1120fa4c43100e2d66c141a3b2f848fe5992adada6781617193bb9d173083f44212b0

Download Submit
memory/368-186-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-185-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-184-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-183-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-180-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-177-0x00007FF7C95B0000-0x00007FF7C96AA000-memory.dmp

Filesize
1000KB

Download
memory/368-176-0x0000026C10450000-0x0000026C10457000-memory.dmp

Filesize
28KB

Download
memory/368-174-0x0000026C104A0000-0x0000026C104A1000-memory.dmp

Filesize
4KB

Download
memory/3164-209-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-211-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-144-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-145-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-146-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-147-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-148-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-151-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-152-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-153-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-154-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-158-0x0000000001450000-0x0000000001454000-memory.dmp

Filesize
16KB

Download
memory/3164-159-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download
memory/3164-160-0x0000000001450000-0x0000000001454000-memory.dmp

Filesize
16KB

Download
memory/3164-140-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-139-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-235-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-234-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-233-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-232-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-231-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-230-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-138-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-229-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-137-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-135-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-133-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download
memory/3164-228-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-225-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-131-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-129-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3164-222-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-123-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

Filesize
88KB

Download
memory/3164-187-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3164-188-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-191-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-192-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-193-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-194-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-195-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-198-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-201-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-202-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-203-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-204-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-205-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-208-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-221-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-210-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-143-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-212-0x0000000005710000-0x000000000571D000-memory.dmp

Filesize
52KB

Download
memory/3164-213-0x0000000005710000-0x000000000571D000-memory.dmp

Filesize
52KB

Download
memory/3164-214-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3164-215-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-218-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-219-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3164-220-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/4024-122-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/4024-124-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/4624-182-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/4624-181-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/4624-175-0x0000000002430000-0x0000000002433000-memory.dmp

Filesize
12KB

Download
memory/4624-173-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/4624-172-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/4624-171-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/4624-170-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/4624-167-0x0000000000400000-0x000000000080E000-memory.dmp

Filesize
4.1MB

Download
memory/4624-166-0x00000000023E0000-0x000000000240E000-memory.dmp

Filesize
184KB

Download