rhadamanthys | 97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf

Resubmissions

27-11-2024 10:03

241127-l3ldssvrhk 10

20-07-2023 00:44

230720-a3sx4abh74 10

Analysis

max time kernel
36s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

black.exe
Size

444KB
MD5

c3ec8ce62adc05301e89a5db1694d79d
SHA1

033a64fd7f407d319dd660e9f9ba49851b9229a1
SHA256

97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf
SHA512

cebaa16485bfd01081b727375a458f9a817a5295a157adffbf5ec4f76697caa8bc6d8f0de5909dab98f6948d085f82ebbab479bfb3d3c2a285b3f422139baf6d
SSDEEP

6144:IjKvnAzRPqkroWvcrTIhB1uA2dOJhhgWbMbitWGFNuldsfiy3NiGA:Ijzgk08oIuA6ahE+F0/y36

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral1/memory/456-134-0x0000000002580000-0x0000000002980000-memory.dmp	family_rhadamanthys
behavioral1/memory/456-135-0x0000000002580000-0x0000000002980000-memory.dmp	family_rhadamanthys
behavioral1/memory/456-136-0x0000000002580000-0x0000000002980000-memory.dmp	family_rhadamanthys
behavioral1/memory/456-137-0x0000000002580000-0x0000000002980000-memory.dmp	family_rhadamanthys
behavioral1/memory/456-146-0x0000000002580000-0x0000000002980000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 456 created 3168	456	black.exe	38

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
456	black.exe
456	black.exe
456	black.exe
456	black.exe
3264	certreq.exe
3264	certreq.exe
3264	certreq.exe
3264	certreq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3264	456	black.exe	92
PID 456 wrote to memory of 3264	456	black.exe	92
PID 456 wrote to memory of 3264	456	black.exe	92
PID 456 wrote to memory of 3264	456	black.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\black.exe
  "C:\Users\Admin\AppData\Local\Temp\black.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:456
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:3264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-146-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/456-134-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/456-135-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/456-136-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/456-137-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/456-133-0x00000000021D0000-0x00000000021D7000-memory.dmp

Filesize
28KB

Download
memory/456-139-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/456-145-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/3264-152-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-156-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-148-0x000001B48C410000-0x000001B48C417000-memory.dmp

Filesize
28KB

Download
memory/3264-149-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-150-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-151-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-138-0x000001B48C170000-0x000001B48C173000-memory.dmp

Filesize
12KB

Download
memory/3264-154-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-153-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-147-0x000001B48C170000-0x000001B48C173000-memory.dmp

Filesize
12KB

Download
memory/3264-157-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-158-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-159-0x00007FF9B94B0000-0x00007FF9B96A5000-memory.dmp

Filesize
2.0MB

Download
memory/3264-160-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-161-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-162-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-163-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-164-0x000001B48C410000-0x000001B48C417000-memory.dmp

Filesize
28KB

Download
memory/3264-165-0x00007FF4140C0000-0x00007FF4141ED000-memory.dmp

Filesize
1.2MB

Download
memory/3264-166-0x00007FF9B94B0000-0x00007FF9B96A5000-memory.dmp

Filesize
2.0MB

Download