rhadamanthys | b90c51ddd52842e6062f1ec389ac8b36f26d2f149134decee452690bef7adf4b

General

Target

b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
Size

446KB
MD5

82753bed041d05b32e560a5f6e96e560
SHA1

66f82f505e50c9a63328bab4dfb2aaa6fe5dc1e8
SHA256

b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595
SHA512

dbea9ce63a9e3186f92074db7b4e6a855f1b2673e1e4e1efbe0f72a88414234633ab4f7903c1ce25e266130dfa28c34701f6d8407909e50dbb1c8c41b2ff89a9
SSDEEP

12288:XXNYUuRiQi9eh4q/T4Yu9aXvWmMQszY+/CJW:XdUVi9ER/3Xvtnscpk

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-57-0x0000000001EC0000-0x00000000022C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2000-58-0x0000000001EC0000-0x00000000022C0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe

description pid process target process

PID 2000 created 1272 2000 b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe Explorer.EXE
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

1488 certreq.exe

description	pid	process	target process
PID 2000 created 1272	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	Explorer.EXE

pid	process
1488	certreq.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.execertreq.exe

pid	process
2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
1488	certreq.exe
1488	certreq.exe
1488	certreq.exe
1488	certreq.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe

description	pid	process	target process
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe
PID 2000 wrote to memory of 1488	2000	b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe	certreq.exe

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe
"C:\Users\Admin\AppData\Local\Temp\b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-71-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1488-79-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-72-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-60-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1488-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-75-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-73-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-70-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1488-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-78-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-76-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1488-74-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/2000-61-0x00000000008C0000-0x00000000008F6000-memory.dmp

Filesize
216KB

Download
memory/2000-69-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2000-57-0x0000000001EC0000-0x00000000022C0000-memory.dmp

Filesize
4.0MB

Download
memory/2000-67-0x00000000008C0000-0x00000000008F6000-memory.dmp

Filesize
216KB

Download
memory/2000-56-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/2000-59-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2000-58-0x0000000001EC0000-0x00000000022C0000-memory.dmp

Filesize
4.0MB

Download
memory/2000-55-0x0000000000220000-0x0000000000291000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads