rhadamanthys | fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe
Size

1.4MB
MD5

fa6ec356a90ef16403ad579d87b05ee5
SHA1

5a3495958104ab9784083fc2df2010a47abeea62
SHA256

fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181
SHA512

2997829f3fb29f0e62d5e30a9915ab7cd9f48fed161ec36fd6a3ee44745e0662e47c3acd625610f8837d6114b1007818518d2ec1c714824023020d3ec6e78e52
SSDEEP

24576:Yky3+X6hglz/V6qDgwTnElepnsH/lRM+8rWai3ryfgss7bDfFjoVySw:83zhglzdfBCepnsflRIrWaiRl9k

Score

10^/10

rhadamanthys persistence stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral1/memory/2180-1484-0x0000000002A10000-0x0000000002E10000-memory.dmp	family_rhadamanthys
behavioral1/memory/2180-1486-0x0000000002A10000-0x0000000002E10000-memory.dmp	family_rhadamanthys
behavioral1/memory/2180-2096-0x0000000002A10000-0x0000000002E10000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2180 created 3208	2180	glassadequate.exe	43

Executes dropped EXE 3 IoCs

pid	Process
3644	glassadequate.exe
2180	glassadequate.exe
1640	glassadlequate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3644 set thread context of 2180	3644	glassadequate.exe	96

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	glassadequate.exe
2180	glassadequate.exe
2180	glassadequate.exe
2180	glassadequate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	glassadequate.exe
Token: SeDebugPrivilege	1640	glassadlequate.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3644	2456	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe	84
PID 2456 wrote to memory of 3644	2456	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe	84
PID 2456 wrote to memory of 3644	2456	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe	84
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 3644 wrote to memory of 2180	3644	glassadequate.exe	96
PID 2456 wrote to memory of 1640	2456	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe	97
PID 2456 wrote to memory of 1640	2456	fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe	97
PID 2180 wrote to memory of 4620	2180	glassadequate.exe	98
PID 2180 wrote to memory of 4620	2180	glassadequate.exe	98
PID 2180 wrote to memory of 4620	2180	glassadequate.exe	98
PID 2180 wrote to memory of 4620	2180	glassadequate.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe
  "C:\Users\Admin\AppData\Local\Temp\fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2180
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadlequate.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadlequate.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe

Filesize
1.9MB

MD5
f0240a9b77a56875b9ebe4992bd7da27

SHA1
468b8cf4bb798df48c6d01eabe77afe2ba1a919e

SHA256
fd70dbd41b41893c3a0535baa1fd5210dfbd95322d4e48262ef9473a6a849ef6

SHA512
bee2c8fe6b2bad9a5d9f653000bc5dcef2a50db95057d576400c5bd77ff44588c985f769115b17f743ec4569bbab580cd976fbee849453030eb4b3d17674f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe

Filesize
1.9MB

MD5
f0240a9b77a56875b9ebe4992bd7da27

SHA1
468b8cf4bb798df48c6d01eabe77afe2ba1a919e

SHA256
fd70dbd41b41893c3a0535baa1fd5210dfbd95322d4e48262ef9473a6a849ef6

SHA512
bee2c8fe6b2bad9a5d9f653000bc5dcef2a50db95057d576400c5bd77ff44588c985f769115b17f743ec4569bbab580cd976fbee849453030eb4b3d17674f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadequate.exe

Filesize
1.9MB

MD5
f0240a9b77a56875b9ebe4992bd7da27

SHA1
468b8cf4bb798df48c6d01eabe77afe2ba1a919e

SHA256
fd70dbd41b41893c3a0535baa1fd5210dfbd95322d4e48262ef9473a6a849ef6

SHA512
bee2c8fe6b2bad9a5d9f653000bc5dcef2a50db95057d576400c5bd77ff44588c985f769115b17f743ec4569bbab580cd976fbee849453030eb4b3d17674f906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadlequate.exe

Filesize
2.0MB

MD5
e1a357d0c68a131c1c8a295cbd34bae1

SHA1
a5af3dae1a29be238b999e321239b288427ab628

SHA256
95354d551978ab8e52a84147e5c3481de47755e1fd8de4dd66339c9c9fb882c6

SHA512
a5a2032b5f4d1d89d99f76333d1335a1aa2f4a944b21e82a380eb0372453021ff23c7a3eb57528a8bc2e436f326977da0ce9b122a042253d1e931e853840bf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\glassadlequate.exe

Filesize
2.0MB

MD5
e1a357d0c68a131c1c8a295cbd34bae1

SHA1
a5af3dae1a29be238b999e321239b288427ab628

SHA256
95354d551978ab8e52a84147e5c3481de47755e1fd8de4dd66339c9c9fb882c6

SHA512
a5a2032b5f4d1d89d99f76333d1335a1aa2f4a944b21e82a380eb0372453021ff23c7a3eb57528a8bc2e436f326977da0ce9b122a042253d1e931e853840bf5f

Download Submit
memory/1640-1924-0x000002C3BF350000-0x000002C3BF360000-memory.dmp

Filesize
64KB

Download
memory/1640-1802-0x00007FF842150000-0x00007FF842C11000-memory.dmp

Filesize
10.8MB

Download
memory/1640-1481-0x000002C3BF350000-0x000002C3BF360000-memory.dmp

Filesize
64KB

Download
memory/1640-1480-0x00007FF842150000-0x00007FF842C11000-memory.dmp

Filesize
10.8MB

Download
memory/1640-1479-0x000002C3BD3F0000-0x000002C3BD5E8000-memory.dmp

Filesize
2.0MB

Download
memory/1640-2820-0x000002C3BF2A0000-0x000002C3BF2A1000-memory.dmp

Filesize
4KB

Download
memory/2180-1486-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2180-1484-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2180-1804-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2180-2096-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2180-1474-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3644-160-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-205-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-168-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-170-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-172-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-174-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-176-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-178-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-180-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-182-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-186-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3644-184-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-187-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-189-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-191-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-193-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-195-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-197-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-199-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-201-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-203-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-166-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-207-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-693-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3644-1467-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/3644-1468-0x00000000074B0000-0x0000000007A54000-memory.dmp

Filesize
5.6MB

Download
memory/3644-164-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-162-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-1475-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3644-158-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-156-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-154-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-152-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-150-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-148-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-146-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-144-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-143-0x0000000006970000-0x0000000006A6E000-memory.dmp

Filesize
1016KB

Download
memory/3644-142-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3644-141-0x0000000000D90000-0x0000000000F86000-memory.dmp

Filesize
2.0MB

Download
memory/3644-140-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download