rhadamanthys | 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983

General

Target

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
Size

495KB
MD5

4c224ad23e402d58bbd23023bf883dc0
SHA1

67cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA256

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA512

5aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
SSDEEP

12288:hwp22VqKfpoJfgq+mugd256TJzxpQodc5X:hwp26PfOJfgbmBT5c5

Score

10^/10

rhadamanthys systembc stealer trojan

Malware Config

Extracted

Family

systembc

C2

discordcdn8839248.com:4327

chinabar821994.com:4327

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3396-125-0x0000000004270000-0x0000000004670000-memory.dmp	family_rhadamanthys
behavioral1/memory/3396-126-0x0000000004270000-0x0000000004670000-memory.dmp	family_rhadamanthys
behavioral1/memory/3396-127-0x0000000004270000-0x0000000004670000-memory.dmp	family_rhadamanthys
behavioral1/memory/3396-128-0x0000000004270000-0x0000000004670000-memory.dmp	family_rhadamanthys
behavioral1/memory/3396-143-0x0000000004270000-0x0000000004670000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe

description pid process target process

PID 3396 created 3200 3396 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2424 certreq.exe
Executes dropped EXE 1 IoCs

Processes:

oO-kPfmOUA.exe

pid process

3444 oO-kPfmOUA.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2604 3396 WerFault.exe 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe

description	pid	process	target process
PID 3396 created 3200	3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe	Explorer.EXE

pid	process
2424	certreq.exe

pid	process
3444	oO-kPfmOUA.exe

pid	pid_target	process	target process
2604	3396	WerFault.exe	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.execertreq.exe

pid	process
3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
2424	certreq.exe
2424	certreq.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe

description	pid	process	target process
PID 3396 wrote to memory of 2424	3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe	certreq.exe
PID 3396 wrote to memory of 2424	3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe	certreq.exe
PID 3396 wrote to memory of 2424	3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe	certreq.exe
PID 3396 wrote to memory of 2424	3396	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe
"C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 704
3⤵
- Program crash
PID:2604

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Users\Admin\AppData\Local\Microsoft\oO-kPfmOUA.exe
"C:\Users\Admin\AppData\Local\Microsoft\oO-kPfmOUA.exe"
1⤵
- Executes dropped EXE
PID:3444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\oO-kPfmOUA.exe
Filesize
274KB

MD5
0ec87a33cee1594c1808267bc677d827

SHA1
1e078fb607d12ccdd11da03f9503ca64cb9fde32

SHA256
111cc14cd4d6e43d11cd1bef261e75313c9f7f9528abf6dc0f98878cc14b189a

SHA512
03613e2615d47701893e784f39a82fdcb8d30f563d65f3f890d73e0ccfd07a38cbcd2e8976cabc64478880b03cf3c334e4712f6c20ed25f2c562ea942abf4551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\oO-kPfmOUA.exe
Filesize
274KB

MD5
0ec87a33cee1594c1808267bc677d827

SHA1
1e078fb607d12ccdd11da03f9503ca64cb9fde32

SHA256
111cc14cd4d6e43d11cd1bef261e75313c9f7f9528abf6dc0f98878cc14b189a

SHA512
03613e2615d47701893e784f39a82fdcb8d30f563d65f3f890d73e0ccfd07a38cbcd2e8976cabc64478880b03cf3c334e4712f6c20ed25f2c562ea942abf4551

Download Submit
memory/2424-165-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-175-0x00007FFBB6890000-0x00007FFBB6A6B000-memory.dmp

Filesize
1.9MB

Download
memory/2424-152-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-174-0x0000024CAAD50000-0x0000024CAAD55000-memory.dmp

Filesize
20KB

Download
memory/2424-169-0x00007FFBB6890000-0x00007FFBB6A6B000-memory.dmp

Filesize
1.9MB

Download
memory/2424-164-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-163-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-130-0x0000024CAA930000-0x0000024CAA933000-memory.dmp

Filesize
12KB

Download
memory/2424-153-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-154-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-161-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-159-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-160-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-157-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-146-0x0000024CAA930000-0x0000024CAA933000-memory.dmp

Filesize
12KB

Download
memory/2424-149-0x0000024CAAD50000-0x0000024CAAD57000-memory.dmp

Filesize
28KB

Download
memory/2424-151-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-150-0x00007FF7AB7E0000-0x00007FF7AB90F000-memory.dmp

Filesize
1.2MB

Download
memory/2424-162-0x00007FFBB6890000-0x00007FFBB6A6B000-memory.dmp

Filesize
1.9MB

Download
memory/3396-140-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/3396-121-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/3396-144-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3396-143-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3396-141-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3396-124-0x00000000023A0000-0x00000000023A7000-memory.dmp

Filesize
28KB

Download
memory/3396-134-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/3396-129-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/3396-128-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3396-133-0x0000000003FA0000-0x0000000004010000-memory.dmp

Filesize
448KB

Download
memory/3396-123-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3396-122-0x0000000003FA0000-0x0000000004010000-memory.dmp

Filesize
448KB

Download
memory/3396-127-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3396-125-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3396-126-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/3444-173-0x0000000000400000-0x00000000022EB000-memory.dmp

Filesize
30.9MB

Download
memory/3444-172-0x0000000002310000-0x0000000002315000-memory.dmp

Filesize
20KB

Download
memory/3444-171-0x0000000002440000-0x0000000002540000-memory.dmp

Filesize
1024KB

Download
memory/3444-176-0x0000000002440000-0x0000000002540000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads