rhadamanthys | 257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af

Analysis

max time kernel
127s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2023 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe
Size

3.4MB
MD5

09ab5b40d8ea72b0fc02000284e22169
SHA1

5afe7d2fc292f9db5108ca422bd335644fadf974
SHA256

257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af
SHA512

2281ef62c309862f969c0319a42ffd39fbd0ef2ac2d60aac1576d1a7475198b5591221d8f09cf0d365a78303a79b4c6f7e3bd71a9da6913107d536087d71390d
SSDEEP

98304:QaweQ/fMnA/uuR6NSfxSVFBq0TjgAgxdj2zAqg0VYu6T:QzPSA/uKO/TI12zAMwT

Score

10^/10

rhadamanthys collection stealer vmprotect

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral1/memory/3308-2003-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral1/memory/3308-2005-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys
behavioral1/memory/3308-2016-0x0000000002890000-0x0000000002C90000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3308 created 3268	3308	1.exe	50

Executes dropped EXE 1 IoCs

pid	Process
3308	1.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b00000000063f-1994.dat	vmprotect
behavioral1/files/0x000b00000000063f-1996.dat	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3308	1.exe
3308	1.exe
3308	1.exe
3308	1.exe
4424	certreq.exe
4424	certreq.exe
4424	certreq.exe
4424	certreq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3308	4676	257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe	70
PID 4676 wrote to memory of 3308	4676	257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe	70
PID 4676 wrote to memory of 3308	4676	257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe	70
PID 3308 wrote to memory of 4424	3308	1.exe	72
PID 3308 wrote to memory of 4424	3308	1.exe	72
PID 3308 wrote to memory of 4424	3308	1.exe	72
PID 3308 wrote to memory of 4424	3308	1.exe	72

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe
  "C:\Users\Admin\AppData\Local\Temp\257f4f173d326f1d6434afc11fa462d4b861e0ad078173f1642e02c7318255af.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3308
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\1.exe

Filesize
3.3MB

MD5
0a753ee0c7917fad4d589e0125a9a0ce

SHA1
c65937e25be503b7bc9a28507f910324969be19f

SHA256
52c0cdb749907afa296b83a203a04e2c22307abbef94936e57979ea6dcd43a41

SHA512
70bc412498a57e5a563be7b297bd0d6aacebf264c771cbf8fe60d3d1880e80055677e8c04e9a01571b7452a29d70b4107eefa801e82a4e72b3548d704e14409a

Download Submit
C:\Windows\Temp\1.exe

Filesize
3.3MB

MD5
0a753ee0c7917fad4d589e0125a9a0ce

SHA1
c65937e25be503b7bc9a28507f910324969be19f

SHA256
52c0cdb749907afa296b83a203a04e2c22307abbef94936e57979ea6dcd43a41

SHA512
70bc412498a57e5a563be7b297bd0d6aacebf264c771cbf8fe60d3d1880e80055677e8c04e9a01571b7452a29d70b4107eefa801e82a4e72b3548d704e14409a

Download Submit
memory/3308-2003-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/3308-2005-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/3308-2016-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/4424-2041-0x00007FFD4D5B0000-0x00007FFD4D78B000-memory.dmp

Filesize
1.9MB

Download
memory/4424-2040-0x00007FF694D00000-0x00007FF694E2D000-memory.dmp

Filesize
1.2MB

Download
memory/4424-2035-0x00007FFD4D5B0000-0x00007FFD4D78B000-memory.dmp

Filesize
1.9MB

Download
memory/4424-2030-0x00007FF694D00000-0x00007FF694E2D000-memory.dmp

Filesize
1.2MB

Download
memory/4424-2027-0x00007FF694D00000-0x00007FF694E2D000-memory.dmp

Filesize
1.2MB

Download
memory/4424-2022-0x0000027BEA5A0000-0x0000027BEA5A7000-memory.dmp

Filesize
28KB

Download
memory/4676-158-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-170-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-128-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-130-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-132-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-134-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-136-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-138-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-140-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-142-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-144-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-146-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-148-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-150-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-152-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-154-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-156-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-126-0x00000000053F0000-0x0000000005770000-memory.dmp

Filesize
3.5MB

Download
memory/4676-160-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-162-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-164-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-166-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-168-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-127-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-172-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-174-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-176-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-178-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-180-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-182-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-184-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-186-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-188-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-190-0x00000000053F0000-0x000000000576A000-memory.dmp

Filesize
3.5MB

Download
memory/4676-211-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/4676-310-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-370-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-427-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-125-0x0000000005B00000-0x0000000005FFE000-memory.dmp

Filesize
5.0MB

Download
memory/4676-124-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-123-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-122-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-120-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/4676-121-0x0000000005780000-0x0000000005B02000-memory.dmp

Filesize
3.5MB

Download
memory/4676-1989-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4676-1990-0x00000000076C0000-0x0000000007A14000-memory.dmp

Filesize
3.3MB

Download
memory/4676-1997-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download