rhadamanthys | bc1e4e6dd1eec20e8b6685d7e844a0ad045c0700210ef40f451e51dd9fa00910

General

Target

ee1a7366583000add321abdd79949f01.exe
Size

438KB
MD5

ee1a7366583000add321abdd79949f01
SHA1

db9201bf7bb4345670b1aaf0b89937099f8bb1e6
SHA256

bc1e4e6dd1eec20e8b6685d7e844a0ad045c0700210ef40f451e51dd9fa00910
SHA512

ab580e02bb8c0d70ac5edfa8f59848df029f724fbb00b6c92075a9e0497fb1559ece07cd95e5a59b85f05060c76290247dd4265ad41dd045b3af8a13cd5e8372
SSDEEP

12288:avBo236cRReRKARDf6U0m7e5J1NezYneTIR7q6wNvJ:aJ3XReRZfH0m7e5J7STIRO

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1040-57-0x0000000003740000-0x0000000003B40000-memory.dmp	family_rhadamanthys
behavioral1/memory/1040-58-0x0000000003740000-0x0000000003B40000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ee1a7366583000add321abdd79949f01.exe

description pid process target process

PID 1040 created 1372 1040 ee1a7366583000add321abdd79949f01.exe Explorer.EXE
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

1720 certreq.exe

description	pid	process	target process
PID 1040 created 1372	1040	ee1a7366583000add321abdd79949f01.exe	Explorer.EXE

pid	process
1720	certreq.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ee1a7366583000add321abdd79949f01.execertreq.exe

pid	process
1040	ee1a7366583000add321abdd79949f01.exe
1040	ee1a7366583000add321abdd79949f01.exe
1040	ee1a7366583000add321abdd79949f01.exe
1040	ee1a7366583000add321abdd79949f01.exe
1720	certreq.exe
1720	certreq.exe
1720	certreq.exe
1720	certreq.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ee1a7366583000add321abdd79949f01.exe

description	pid	process	target process
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe
PID 1040 wrote to memory of 1720	1040	ee1a7366583000add321abdd79949f01.exe	certreq.exe

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\ee1a7366583000add321abdd79949f01.exe
  "C:\Users\Admin\AppData\Local\Temp\ee1a7366583000add321abdd79949f01.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1040
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-70-0x0000000000400000-0x0000000001B6F000-memory.dmp

Filesize
23.4MB

Download
memory/1040-56-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/1040-57-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/1040-58-0x0000000003740000-0x0000000003B40000-memory.dmp

Filesize
4.0MB

Download
memory/1040-59-0x0000000000400000-0x0000000001B6F000-memory.dmp

Filesize
23.4MB

Download
memory/1040-55-0x0000000000220000-0x0000000000291000-memory.dmp

Filesize
452KB

Download
memory/1040-61-0x0000000001BB0000-0x0000000001BE6000-memory.dmp

Filesize
216KB

Download
memory/1040-68-0x0000000001BB0000-0x0000000001BE6000-memory.dmp

Filesize
216KB

Download
memory/1720-72-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/1720-77-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-60-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/1720-73-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-74-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-75-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-76-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-71-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/1720-79-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download
memory/1720-84-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads