rhadamanthys | 1385238544c6b990a0a3b9a6d36fe0569ff25e2406acf472134bc637931a2869

General

Target

tmp.exe
Size

434KB
MD5

813348aad9403a44eceff45d57889456
SHA1

1f6dfb5131171b0a691673e93c359a6b39f8a602
SHA256

1385238544c6b990a0a3b9a6d36fe0569ff25e2406acf472134bc637931a2869
SHA512

7fa2e6068e06035e3aa8f823d86d9691ffb5104494e78f9ae265f8fbaaaa3db22e81ba226b5cb01cec66a97fddf0de116759a232ea09c60ada7d2db79956b8a5
SSDEEP

6144:izL6Lv4jxi5QPoM3S8Gqa7g2OVO/IFKupE7uoB9Csx91I+N+hiTfQ1mFq:qGLvjQlGqK20uGLCsZ3NXv

Score

10^/10

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral2/memory/4600-136-0x00000000024C0000-0x00000000028C0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4600-137-0x00000000024C0000-0x00000000028C0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4600 created 3264	4600	tmp.exe	29

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4400	4600	WerFault.exe	44

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4600	tmp.exe
4600	tmp.exe
4600	tmp.exe
4600	tmp.exe
232	certreq.exe
232	certreq.exe
232	certreq.exe
232	certreq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 232	4600	tmp.exe	88
PID 4600 wrote to memory of 232	4600	tmp.exe	88
PID 4600 wrote to memory of 232	4600	tmp.exe	88
PID 4600 wrote to memory of 232	4600	tmp.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 844
    3⤵
    - Program crash
    PID:4400
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4600 -ip 4600
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-155-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-159-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-152-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-150-0x000001D259570000-0x000001D259577000-memory.dmp

Filesize
28KB

Download
memory/232-138-0x000001D257500000-0x000001D257503000-memory.dmp

Filesize
12KB

Download
memory/232-161-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-160-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-154-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-151-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-149-0x000001D257500000-0x000001D257503000-memory.dmp

Filesize
12KB

Download
memory/232-162-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-158-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-157-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/232-153-0x00007FF415340000-0x00007FF41546D000-memory.dmp

Filesize
1.2MB

Download
memory/4600-145-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4600-134-0x0000000002230000-0x00000000022A1000-memory.dmp

Filesize
452KB

Download
memory/4600-148-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4600-136-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/4600-146-0x00000000032C0000-0x00000000032F6000-memory.dmp

Filesize
216KB

Download
memory/4600-135-0x0000000002200000-0x0000000002207000-memory.dmp

Filesize
28KB

Download
memory/4600-139-0x00000000032C0000-0x00000000032F6000-memory.dmp

Filesize
216KB

Download
memory/4600-137-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing