rhadamanthys | cc47a755cad89d339a18d728e66aa2ff7caadff4af4adfd03ff55c86487fb1b9

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2023 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.0MB
MD5

ff4935241191b1017e3ef60e158fb28f
SHA1

464fd2f9530339ce4861c6d2e23dadee87084521
SHA256

cc47a755cad89d339a18d728e66aa2ff7caadff4af4adfd03ff55c86487fb1b9
SHA512

1842801d7edbf5123920164ed3cf133f4c4ea2a2b1fd7c3b585de17c21e9fc9ba6a09596e02660ea394123ef76a0d22190114774ee685ac9c1ba225c9778709d
SSDEEP

12288:V7TFRh2N5x3BJm7ACTUGpzXn+2/zPObQEoOk:RFj2tjm7JTUGNXn+Bb4O

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral2/memory/4008-141-0x0000000002C80000-0x0000000003080000-memory.dmp	family_rhadamanthys
behavioral2/memory/4008-142-0x0000000002C80000-0x0000000003080000-memory.dmp	family_rhadamanthys
behavioral2/memory/4008-143-0x0000000002C80000-0x0000000003080000-memory.dmp	family_rhadamanthys
behavioral2/memory/4008-144-0x0000000002C80000-0x0000000003080000-memory.dmp	family_rhadamanthys
behavioral2/memory/4008-145-0x0000000002C80000-0x0000000003080000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 4008	3444	tmp.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	3444	WerFault.exe	84

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4008	AppLaunch.exe
4008	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4008	AppLaunch.exe
Token: SeCreatePagefilePrivilege	4008	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4304	3444	tmp.exe	94
PID 3444 wrote to memory of 4304	3444	tmp.exe	94
PID 3444 wrote to memory of 4304	3444	tmp.exe	94
PID 3444 wrote to memory of 4004	3444	tmp.exe	95
PID 3444 wrote to memory of 4004	3444	tmp.exe	95
PID 3444 wrote to memory of 4004	3444	tmp.exe	95
PID 3444 wrote to memory of 4008	3444	tmp.exe	96
PID 3444 wrote to memory of 4008	3444	tmp.exe	96
PID 3444 wrote to memory of 4008	3444	tmp.exe	96
PID 3444 wrote to memory of 4008	3444	tmp.exe	96
PID 3444 wrote to memory of 4008	3444	tmp.exe	96

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 444
  2⤵
  - Program crash
  PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3444 -ip 3444
1⤵
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-133-0x0000000000010000-0x000000000021C000-memory.dmp

Filesize
2.0MB

Download
memory/4008-134-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4008-139-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4008-140-0x0000000000F70000-0x0000000000F77000-memory.dmp

Filesize
28KB

Download
memory/4008-141-0x0000000002C80000-0x0000000003080000-memory.dmp

Filesize
4.0MB

Download
memory/4008-142-0x0000000002C80000-0x0000000003080000-memory.dmp

Filesize
4.0MB

Download
memory/4008-143-0x0000000002C80000-0x0000000003080000-memory.dmp

Filesize
4.0MB

Download
memory/4008-144-0x0000000002C80000-0x0000000003080000-memory.dmp

Filesize
4.0MB

Download
memory/4008-145-0x0000000002C80000-0x0000000003080000-memory.dmp

Filesize
4.0MB

Download