rhadamanthys | 28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2023, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe
Size

83KB
MD5

7dc3df0b2a354597a2e176f058a89987
SHA1

09cc1d2a0634043986bbbf5f6c35ba637dca8fe2
SHA256

28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633
SHA512

e0b77fcc8ee3dbb2ab2115aa8f86bd812276d20c9de55bb0599f391462becb01c1df037a114d73c6c73b563dd87a14c546039f5aae24b0262135183215196bb0
SSDEEP

1536:tZC45DT2B4cRW4BaG1+GThdcR4EnviR2Ttm9Y5:uCGThdcSZY5

Score

10^/10

rhadamanthys spyware stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/5008-4632-0x0000000002F10000-0x0000000003310000-memory.dmp	family_rhadamanthys
behavioral1/memory/5008-4639-0x0000000002F10000-0x0000000003310000-memory.dmp	family_rhadamanthys
behavioral1/memory/5008-5232-0x0000000002F10000-0x0000000003310000-memory.dmp	family_rhadamanthys
behavioral1/memory/5008-5237-0x0000000002F10000-0x0000000003310000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5008 created 2420	5008	Vaqjmew.exe	49

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3956	Vaqjmew.exe
920	Hjejary.exe
5008	Vaqjmew.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 3956 set thread context of 5008	3956	Vaqjmew.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1596	RegAsm.exe
1596	RegAsm.exe
5008	Vaqjmew.exe
5008	Vaqjmew.exe
5008	Vaqjmew.exe
5008	Vaqjmew.exe
1060	certreq.exe
1060	certreq.exe
1060	certreq.exe
1060	certreq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe
Token: SeDebugPrivilege	1596	RegAsm.exe
Token: SeDebugPrivilege	3956	Vaqjmew.exe
Token: SeDebugPrivilege	920	Hjejary.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 2276 wrote to memory of 1596	2276	28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe	70
PID 1596 wrote to memory of 3956	1596	RegAsm.exe	71
PID 1596 wrote to memory of 3956	1596	RegAsm.exe	71
PID 1596 wrote to memory of 3956	1596	RegAsm.exe	71
PID 3956 wrote to memory of 920	3956	Vaqjmew.exe	73
PID 3956 wrote to memory of 920	3956	Vaqjmew.exe	73
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 3956 wrote to memory of 5008	3956	Vaqjmew.exe	74
PID 5008 wrote to memory of 1060	5008	Vaqjmew.exe	75
PID 5008 wrote to memory of 1060	5008	Vaqjmew.exe	75
PID 5008 wrote to memory of 1060	5008	Vaqjmew.exe	75
PID 5008 wrote to memory of 1060	5008	Vaqjmew.exe	75

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2420
- C:\Users\Admin\AppData\Local\Temp\28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe
  "C:\Users\Admin\AppData\Local\Temp\28c3d3c7eaeda6d725a37485794dd08a79225440a66d4595c76698979a92c633.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe
      "C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\Hjejary.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Hjejary.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe
        
        C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5008
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hjejary.exe

Filesize
83KB

MD5
7141cd0b50defb4e1539475686b1ffbe

SHA1
68adaedd7b62ed3a29f406d2ced5b4ae8dd76101

SHA256
e06efa2b34b9d5744ea32b729234ae09ef015527ccc1b70086cf693b50368191

SHA512
e7069135f5e5ba86376cd078bfbde654b257fb2e26a56d61fb4a91ced8c133ac1e7481d6215745a2d48988942a3cd0e7b9eb57ec90a6d32d079a57d13d03d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hjejary.exe

Filesize
83KB

MD5
7141cd0b50defb4e1539475686b1ffbe

SHA1
68adaedd7b62ed3a29f406d2ced5b4ae8dd76101

SHA256
e06efa2b34b9d5744ea32b729234ae09ef015527ccc1b70086cf693b50368191

SHA512
e7069135f5e5ba86376cd078bfbde654b257fb2e26a56d61fb4a91ced8c133ac1e7481d6215745a2d48988942a3cd0e7b9eb57ec90a6d32d079a57d13d03d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe

Filesize
83KB

MD5
a65e7d38e28e2e993462addd9364086c

SHA1
59bbabe51bb063e5610e11dfe76678e4bd8d3ca0

SHA256
246694b07e7f0bdf64cbec8550686d211a844de1888d689a834391a22b66617d

SHA512
1363b586c4a56532e6b5eb275721df8d9bab45b8948e8945633520004b5c47acd5ea7800b40998dd42fb36af032454981f31b635324765ecfda9a1bf336e6a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe

Filesize
83KB

MD5
a65e7d38e28e2e993462addd9364086c

SHA1
59bbabe51bb063e5610e11dfe76678e4bd8d3ca0

SHA256
246694b07e7f0bdf64cbec8550686d211a844de1888d689a834391a22b66617d

SHA512
1363b586c4a56532e6b5eb275721df8d9bab45b8948e8945633520004b5c47acd5ea7800b40998dd42fb36af032454981f31b635324765ecfda9a1bf336e6a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vaqjmew.exe

Filesize
83KB

MD5
a65e7d38e28e2e993462addd9364086c

SHA1
59bbabe51bb063e5610e11dfe76678e4bd8d3ca0

SHA256
246694b07e7f0bdf64cbec8550686d211a844de1888d689a834391a22b66617d

SHA512
1363b586c4a56532e6b5eb275721df8d9bab45b8948e8945633520004b5c47acd5ea7800b40998dd42fb36af032454981f31b635324765ecfda9a1bf336e6a7f

Download Submit
memory/920-5602-0x00000256779B0000-0x00000256779B1000-memory.dmp

Filesize
4KB

Download
memory/920-5202-0x00000256778F0000-0x0000025677900000-memory.dmp

Filesize
64KB

Download
memory/920-5007-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/920-4504-0x0000025678F90000-0x00000256790F8000-memory.dmp

Filesize
1.4MB

Download
memory/920-5603-0x0000025679100000-0x00000256791E2000-memory.dmp

Filesize
904KB

Download
memory/920-4497-0x00000256778F0000-0x0000025677900000-memory.dmp

Filesize
64KB

Download
memory/920-4496-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/920-4494-0x0000025675B10000-0x0000025675B2C000-memory.dmp

Filesize
112KB

Download
memory/1060-5617-0x00007FF6DE110000-0x00007FF6DE23F000-memory.dmp

Filesize
1.2MB

Download
memory/1060-5609-0x000001DA93760000-0x000001DA93767000-memory.dmp

Filesize
28KB

Download
memory/1060-5614-0x00007FF6DE110000-0x00007FF6DE23F000-memory.dmp

Filesize
1.2MB

Download
memory/1060-5622-0x00007FF8A4320000-0x00007FF8A44FB000-memory.dmp

Filesize
1.9MB

Download
memory/1596-3898-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-1206-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/1596-3387-0x00000272E5B10000-0x00000272E5B8A000-memory.dmp

Filesize
488KB

Download
memory/1596-3368-0x00000272CD0E0000-0x00000272CD106000-memory.dmp

Filesize
152KB

Download
memory/1596-3367-0x00000272CCF20000-0x00000272CCFBE000-memory.dmp

Filesize
632KB

Download
memory/1596-3111-0x00000272CCF10000-0x00000272CCF20000-memory.dmp

Filesize
64KB

Download
memory/1596-2980-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-1210-0x00000272CCF10000-0x00000272CCF20000-memory.dmp

Filesize
64KB

Download
memory/1596-1208-0x00000272CCFD0000-0x00000272CD0D8000-memory.dmp

Filesize
1.0MB

Download
memory/1596-1207-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-157-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-159-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-171-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-173-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-175-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-177-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-179-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-181-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-183-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-185-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-723-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-957-0x0000023A1F290000-0x0000023A1F2A0000-memory.dmp

Filesize
64KB

Download
memory/2276-1200-0x0000023A1F320000-0x0000023A1F321000-memory.dmp

Filesize
4KB

Download
memory/2276-1201-0x0000023A3A510000-0x0000023A3A608000-memory.dmp

Filesize
992KB

Download
memory/2276-1202-0x0000023A20D50000-0x0000023A20D9C000-memory.dmp

Filesize
304KB

Download
memory/2276-1203-0x0000023A1F290000-0x0000023A1F2A0000-memory.dmp

Filesize
64KB

Download
memory/2276-167-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-163-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-1209-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-165-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-161-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-135-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-118-0x0000023A1EE80000-0x0000023A1EE9C000-memory.dmp

Filesize
112KB

Download
memory/2276-155-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-153-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-151-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-149-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-147-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-119-0x00007FF888A30000-0x00007FF88941C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-120-0x0000023A1F290000-0x0000023A1F2A0000-memory.dmp

Filesize
64KB

Download
memory/2276-121-0x0000023A3A390000-0x0000023A3A50E000-memory.dmp

Filesize
1.5MB

Download
memory/2276-169-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-123-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-122-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-125-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-145-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-127-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-129-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-131-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-133-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-143-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-141-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-139-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/2276-137-0x0000023A3A390000-0x0000023A3A507000-memory.dmp

Filesize
1.5MB

Download
memory/3956-3403-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3956-3406-0x0000000007DD0000-0x0000000007EC6000-memory.dmp

Filesize
984KB

Download
memory/3956-3400-0x0000000000F60000-0x0000000000F7C000-memory.dmp

Filesize
112KB

Download
memory/3956-4503-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-4487-0x0000000008250000-0x00000000082B6000-memory.dmp

Filesize
408KB

Download
memory/3956-4488-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-3401-0x0000000073C20000-0x000000007430E000-memory.dmp

Filesize
6.9MB

Download
memory/3956-4486-0x0000000008080000-0x00000000080F2000-memory.dmp

Filesize
456KB

Download
memory/3956-4485-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3956-3402-0x0000000005CF0000-0x00000000061EE000-memory.dmp

Filesize
5.0MB

Download
memory/3956-3404-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/3956-3405-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/5008-4632-0x0000000002F10000-0x0000000003310000-memory.dmp

Filesize
4.0MB

Download
memory/5008-5234-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5008-5237-0x0000000002F10000-0x0000000003310000-memory.dmp

Filesize
4.0MB

Download
memory/5008-5232-0x0000000002F10000-0x0000000003310000-memory.dmp

Filesize
4.0MB

Download
memory/5008-5230-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5008-4639-0x0000000002F10000-0x0000000003310000-memory.dmp

Filesize
4.0MB

Download
memory/5008-4502-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download