rhadamanthys | 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2023 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
Size

495KB
MD5

4c224ad23e402d58bbd23023bf883dc0
SHA1

67cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA256

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA512

5aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
SSDEEP

12288:hwp22VqKfpoJfgq+mugd256TJzxpQodc5X:hwp26PfOJfgbmBT5c5

Score

10^/10

rhadamanthys systembc stealer trojan

Malware Config

Extracted

Family

systembc

discordcdn8839248.com:4327

chinabar821994.com:4327

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3004-138-0x00000000042B0000-0x00000000046B0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3004-139-0x00000000042B0000-0x00000000046B0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3004-140-0x00000000042B0000-0x00000000046B0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3004-141-0x00000000042B0000-0x00000000046B0000-memory.dmp	family_rhadamanthys
behavioral2/memory/3004-154-0x00000000042B0000-0x00000000046B0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe

description pid process target process

PID 3004 created 3148 3004 SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

H$EtWeY.exe

pid process

2992 H$EtWeY.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5052 3004 WerFault.exe SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe

description	pid	process	target process
PID 3004 created 3148	3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe	Explorer.EXE

pid	process
2992	H$EtWeY.exe

pid	pid_target	process	target process
5052	3004	WerFault.exe	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.execertreq.exe

pid	process
3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
464	certreq.exe
464	certreq.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe

description	pid	process	target process
PID 3004 wrote to memory of 464	3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe	certreq.exe
PID 3004 wrote to memory of 464	3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe	certreq.exe
PID 3004 wrote to memory of 464	3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe	certreq.exe
PID 3004 wrote to memory of 464	3004	SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 740
    3⤵
    - Program crash
    PID:5052
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3004 -ip 3004
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Microsoft\H$EtWeY.exe
"C:\Users\Admin\AppData\Local\Microsoft\H$EtWeY.exe"
1⤵
- Executes dropped EXE
PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\H$EtWeY.exe

Filesize
274KB

MD5
0ec87a33cee1594c1808267bc677d827

SHA1
1e078fb607d12ccdd11da03f9503ca64cb9fde32

SHA256
111cc14cd4d6e43d11cd1bef261e75313c9f7f9528abf6dc0f98878cc14b189a

SHA512
03613e2615d47701893e784f39a82fdcb8d30f563d65f3f890d73e0ccfd07a38cbcd2e8976cabc64478880b03cf3c334e4712f6c20ed25f2c562ea942abf4551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\H$EtWeY.exe

Filesize
274KB

MD5
0ec87a33cee1594c1808267bc677d827

SHA1
1e078fb607d12ccdd11da03f9503ca64cb9fde32

SHA256
111cc14cd4d6e43d11cd1bef261e75313c9f7f9528abf6dc0f98878cc14b189a

SHA512
03613e2615d47701893e784f39a82fdcb8d30f563d65f3f890d73e0ccfd07a38cbcd2e8976cabc64478880b03cf3c334e4712f6c20ed25f2c562ea942abf4551

Download Submit
memory/464-172-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-159-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-166-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-161-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-181-0x000001A25A550000-0x000001A25A555000-memory.dmp

Filesize
20KB

Download
memory/464-164-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-169-0x00007FFF5BE30000-0x00007FFF5C025000-memory.dmp

Filesize
2.0MB

Download
memory/464-143-0x000001A2584A0000-0x000001A2584A3000-memory.dmp

Filesize
12KB

Download
memory/464-160-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-182-0x00007FFF5BE30000-0x00007FFF5C025000-memory.dmp

Filesize
2.0MB

Download
memory/464-177-0x00007FFF5BE30000-0x00007FFF5C025000-memory.dmp

Filesize
2.0MB

Download
memory/464-171-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-170-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-162-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-156-0x000001A2584A0000-0x000001A2584A3000-memory.dmp

Filesize
12KB

Download
memory/464-157-0x000001A25A550000-0x000001A25A557000-memory.dmp

Filesize
28KB

Download
memory/464-167-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-158-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/464-168-0x00007FF42BC10000-0x00007FF42BD3F000-memory.dmp

Filesize
1.2MB

Download
memory/2992-179-0x0000000003DF0000-0x0000000003DF5000-memory.dmp

Filesize
20KB

Download
memory/2992-178-0x0000000002370000-0x0000000002470000-memory.dmp

Filesize
1024KB

Download
memory/2992-180-0x0000000000400000-0x00000000022EB000-memory.dmp

Filesize
30.9MB

Download
memory/2992-184-0x0000000002370000-0x0000000002470000-memory.dmp

Filesize
1024KB

Download
memory/3004-152-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/3004-144-0x0000000003F70000-0x0000000003FE0000-memory.dmp

Filesize
448KB

Download
memory/3004-155-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3004-154-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download
memory/3004-151-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3004-134-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/3004-136-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/3004-135-0x0000000003F70000-0x0000000003FE0000-memory.dmp

Filesize
448KB

Download
memory/3004-137-0x0000000003FF0000-0x0000000003FF7000-memory.dmp

Filesize
28KB

Download
memory/3004-145-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/3004-142-0x00000000023F0000-0x00000000024F0000-memory.dmp

Filesize
1024KB

Download
memory/3004-141-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download
memory/3004-140-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download
memory/3004-139-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download
memory/3004-138-0x00000000042B0000-0x00000000046B0000-memory.dmp

Filesize
4.0MB

Download