rhadamanthys | 112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
11-08-2023 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

456KB
MD5

5c805d4466345b26b820ff887eab561a
SHA1

478d40e07351d59b7854c9b4140b3592ff19c841
SHA256

112f7af149d6833b954c301582d2b3178833724a12e86b0162a69000192cbff2
SHA512

d3656925bb6c1776f6b8ca5592d527e4f77d5ade621c715bed5042ac4a2e1a9344febb73eb927b7fb1ba4511488da1062e01c470326bf28e0a4d671b830f3502
SSDEEP

12288:ItjtEVJvfW1kGh0ZbIfl6dtcj4BtRt6D2cehTAI:I7EV4io5jet5fhMI

Score

10^/10

rhadamanthys systembc stealer trojan

Malware Config

Extracted

Family

systembc

discordcdn8839248.com:4327

chinabar821994.com:4327

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-67-0x00000000033B0000-0x00000000037B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2168-66-0x00000000033B0000-0x00000000037B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2168-68-0x00000000033B0000-0x00000000037B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2168-69-0x00000000033B0000-0x00000000037B0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2168-78-0x00000000033B0000-0x00000000037B0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 2168 created 1356 2168 tmp.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2900 certreq.exe
Executes dropped EXE 1 IoCs

Processes:

3A6M8.exe

pid process

2596 3A6M8.exe
Loads dropped DLL 3 IoCs

Processes:

WerFault.exe

pid process

2760 WerFault.exe
2760 WerFault.exe
2760 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

3A6M8.exe

description pid process target process

PID 2596 set thread context of 2836 2596 3A6M8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2760 2596 WerFault.exe 3A6M8.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tmp.execertreq.exe

pid process

2168 tmp.exe
2168 tmp.exe
2168 tmp.exe
2168 tmp.exe
2900 certreq.exe
2900 certreq.exe

description	pid	process	target process
PID 2168 created 1356	2168	tmp.exe	Explorer.EXE

pid	process
2900	certreq.exe

pid	process
2596	3A6M8.exe

pid	process
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

description	pid	process	target process
PID 2596 set thread context of 2836	2596	3A6M8.exe	AppLaunch.exe

pid	pid_target	process	target process
2760	2596	WerFault.exe	3A6M8.exe

pid	process
2168	tmp.exe
2168	tmp.exe
2168	tmp.exe
2168	tmp.exe
2900	certreq.exe
2900	certreq.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

tmp.exe3A6M8.exe

description	pid	process	target process
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2168 wrote to memory of 2900	2168	tmp.exe	certreq.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2836	2596	3A6M8.exe	AppLaunch.exe
PID 2596 wrote to memory of 2760	2596	3A6M8.exe	WerFault.exe
PID 2596 wrote to memory of 2760	2596	3A6M8.exe	WerFault.exe
PID 2596 wrote to memory of 2760	2596	3A6M8.exe	WerFault.exe
PID 2596 wrote to memory of 2760	2596	3A6M8.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe
"C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 108
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
\Users\Admin\AppData\Local\Microsoft\3A6M8.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
memory/2168-65-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/2168-79-0x0000000000400000-0x00000000018F0000-memory.dmp

Filesize
20.9MB

Download
memory/2168-58-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2168-67-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/2168-66-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/2168-68-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/2168-69-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/2168-54-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2168-71-0x00000000031B0000-0x00000000031E6000-memory.dmp

Filesize
216KB

Download
memory/2168-77-0x00000000031B0000-0x00000000031E6000-memory.dmp

Filesize
216KB

Download
memory/2168-78-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/2168-59-0x0000000001960000-0x00000000019D0000-memory.dmp

Filesize
448KB

Download
memory/2168-55-0x0000000001960000-0x00000000019D0000-memory.dmp

Filesize
448KB

Download
memory/2168-57-0x0000000000400000-0x00000000018F0000-memory.dmp

Filesize
20.9MB

Download
memory/2168-56-0x0000000000400000-0x00000000018F0000-memory.dmp

Filesize
20.9MB

Download
memory/2596-118-0x0000000000DD0000-0x0000000000F13000-memory.dmp

Filesize
1.3MB

Download
memory/2596-101-0x0000000000DD0000-0x0000000000F13000-memory.dmp

Filesize
1.3MB

Download
memory/2596-100-0x0000000000DD0000-0x0000000000F13000-memory.dmp

Filesize
1.3MB

Download
memory/2836-112-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2836-111-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2836-109-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-104-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2836-102-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2900-70-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2900-94-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-95-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-96-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-97-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2900-93-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2900-90-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-91-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-92-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-86-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-87-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-85-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-84-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-83-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-82-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2900-81-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2900-116-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2900-117-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2900-80-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download