rhadamanthys | 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
Size

495KB
MD5

4c224ad23e402d58bbd23023bf883dc0
SHA1

67cbaf4b24ccf90ca845626d1ed97831ef0dd55b
SHA256

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA512

5aad2b848d6098c8cdbf58ce115ac832826e82f803aaaca5625197c445d3849f6cb256aaeeebed4bd3a5b0db92f0f957ee5de79312f4fc4b9769f8deae0b5766
SSDEEP

12288:hwp22VqKfpoJfgq+mugd256TJzxpQodc5X:hwp26PfOJfgbmBT5c5

Score

10^/10

rhadamanthys systembc stealer trojan

Malware Config

Extracted

Family

systembc

discordcdn8839248.com:4327

chinabar821994.com:4327

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2720-138-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys
behavioral2/memory/2720-139-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys
behavioral2/memory/2720-140-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys
behavioral2/memory/2720-141-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys
behavioral2/memory/2720-153-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys
behavioral2/memory/2720-156-0x0000000004190000-0x0000000004590000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe

description pid process target process

PID 2720 created 684 2720 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

8L[N6{J.exe

pid process

4656 8L[N6{J.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

8L[N6{J.exe

description pid process target process

PID 4656 set thread context of 3792 4656 8L[N6{J.exe AppLaunch.exe

description	pid	process	target process
PID 2720 created 684	2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe	Explorer.EXE

pid	process
4656	8L[N6{J.exe

description	pid	process	target process
PID 4656 set thread context of 3792	4656	8L[N6{J.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
816	2720	WerFault.exe	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
2552	4656	WerFault.exe	8L[N6{J.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.execertreq.exe

pid	process
2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
652	certreq.exe
652	certreq.exe
652	certreq.exe
652	certreq.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe8L[N6{J.exe

description	pid	process	target process
PID 2720 wrote to memory of 652	2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe	certreq.exe
PID 2720 wrote to memory of 652	2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe	certreq.exe
PID 2720 wrote to memory of 652	2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe	certreq.exe
PID 2720 wrote to memory of 652	2720	74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe	certreq.exe
PID 4656 wrote to memory of 3792	4656	8L[N6{J.exe	AppLaunch.exe
PID 4656 wrote to memory of 3792	4656	8L[N6{J.exe	AppLaunch.exe
PID 4656 wrote to memory of 3792	4656	8L[N6{J.exe	AppLaunch.exe
PID 4656 wrote to memory of 3792	4656	8L[N6{J.exe	AppLaunch.exe
PID 4656 wrote to memory of 3792	4656	8L[N6{J.exe	AppLaunch.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:684
- C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983exeexe_JC.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 788
    3⤵
    - Program crash
    PID:816
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2720 -ip 2720
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe
"C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 296
  2⤵
  - Program crash
  PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4656 -ip 4656
1⤵
PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\8L[N6{J.exe

Filesize
961KB

MD5
648e1bf1672068d725a9b8434627947e

SHA1
c21e0bd251e33d4464fdd376ae46fe4f01c533cf

SHA256
4a5fe40bf37ab130d9110fab42764841ee9f9b49af7f9bef1fb79bc377fa14e2

SHA512
c735fadc81e2851f930491095fbd0fb023da9a53037efdf7c989583952636023d4205aa72dd3c217935f44e53fb34cb7a0d5ef9e4baac192f4515780e59de725

Download Submit
memory/652-175-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-157-0x000001E5201D0000-0x000001E5201D3000-memory.dmp

Filesize
12KB

Download
memory/652-192-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/652-163-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-162-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-177-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/652-174-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-143-0x000001E5201D0000-0x000001E5201D3000-memory.dmp

Filesize
12KB

Download
memory/652-173-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-172-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-171-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-170-0x00007FFB8D670000-0x00007FFB8D865000-memory.dmp

Filesize
2.0MB

Download
memory/652-169-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-168-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-167-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-165-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-158-0x000001E520590000-0x000001E520597000-memory.dmp

Filesize
28KB

Download
memory/652-159-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-160-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-161-0x00007FF409E70000-0x00007FF409F9F000-memory.dmp

Filesize
1.2MB

Download
memory/652-191-0x000001E520590000-0x000001E520595000-memory.dmp

Filesize
20KB

Download
memory/2720-139-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/2720-141-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/2720-156-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/2720-155-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/2720-153-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/2720-152-0x0000000004F10000-0x0000000004F46000-memory.dmp

Filesize
216KB

Download
memory/2720-151-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/2720-145-0x0000000004F10000-0x0000000004F46000-memory.dmp

Filesize
216KB

Download
memory/2720-144-0x00000000024B0000-0x0000000002520000-memory.dmp

Filesize
448KB

Download
memory/2720-142-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/2720-134-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/2720-137-0x0000000003FD0000-0x0000000003FD7000-memory.dmp

Filesize
28KB

Download
memory/2720-136-0x0000000000400000-0x0000000002322000-memory.dmp

Filesize
31.1MB

Download
memory/2720-135-0x00000000024B0000-0x0000000002520000-memory.dmp

Filesize
448KB

Download
memory/2720-138-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/2720-140-0x0000000004190000-0x0000000004590000-memory.dmp

Filesize
4.0MB

Download
memory/3792-182-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3792-188-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3792-189-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4656-190-0x0000000000790000-0x00000000008D3000-memory.dmp

Filesize
1.3MB

Download
memory/4656-181-0x0000000000790000-0x00000000008D3000-memory.dmp

Filesize
1.3MB

Download
memory/4656-180-0x0000000000790000-0x00000000008D3000-memory.dmp

Filesize
1.3MB

Download