rhadamanthys | 7d5455411512b3e4fa266722bc5bfd18d73b84edf984543f12b40bfc274a70c7

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wininstal.exe
Size

607KB
MD5

dd81fe6d37b5200c80eccb98bc8b91d9
SHA1

55371613874ea2109b6fc42f929e15f8544cb532
SHA256

7d5455411512b3e4fa266722bc5bfd18d73b84edf984543f12b40bfc274a70c7
SHA512

fc2525ec43c03ab7f2c9dfed92f18ec58ef79e962bc2089da90bc565d5d8d8564d9bf4d545c26fdb271c5b88d5ba47c73225f37f49ca1ffff17d427361aefb4a
SSDEEP

12288:bisrBllxd6M2YYKZ7UcxrGJnFdz87yrqE3Wopb7z1fbJBRi1rMM17o4:bdNllr6MWKZ7Uc0JnLpqED7z1frw1MMB

Score

10^/10

rhadamanthys collection persistence stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

resource	yara_rule
behavioral2/memory/1856-30-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-31-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-32-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-33-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-46-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-48-0x0000000002960000-0x0000000002D60000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1856 created 3172	1856	severalmaintain.exe	52

Executes dropped EXE 3 IoCs

pid	Process
3836	severalmaintain.exe
1856	severalmaintain.exe
2160	severalmaintaiin.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wininstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 1856	3836	severalmaintain.exe	91

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1856	severalmaintain.exe
1856	severalmaintain.exe
1856	severalmaintain.exe
1856	severalmaintain.exe
1072	certreq.exe
1072	certreq.exe
1072	certreq.exe
1072	certreq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	severalmaintain.exe
Token: SeDebugPrivilege	2160	severalmaintaiin.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3836	4628	wininstal.exe	84
PID 4628 wrote to memory of 3836	4628	wininstal.exe	84
PID 4628 wrote to memory of 3836	4628	wininstal.exe	84
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 3836 wrote to memory of 1856	3836	severalmaintain.exe	91
PID 4628 wrote to memory of 2160	4628	wininstal.exe	92
PID 4628 wrote to memory of 2160	4628	wininstal.exe	92
PID 1856 wrote to memory of 1072	1856	severalmaintain.exe	93
PID 1856 wrote to memory of 1072	1856	severalmaintain.exe	93
PID 1856 wrote to memory of 1072	1856	severalmaintain.exe	93
PID 1856 wrote to memory of 1072	1856	severalmaintain.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\wininstal.exe
  "C:\Users\Admin\AppData\Local\Temp\wininstal.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1856
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe

Filesize
703KB

MD5
f676adcd6e17c185e3a247b5479c1f75

SHA1
afc864f3e57a191b9457a198ff40e6db9988505d

SHA256
eaa564c2467ce8b62e2e23ce7020badb6450b6ef68d8e1182d32653ec5ee0f65

SHA512
9fdbce1cc0e13612cf573d0491e22c63a25fba9102822bfd6b682b6c7a92f8e57b6b417a5194000b9b2948f8a63d9e5263bd9ad260e335130ba150d9a6ba20f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintaiin.exe

Filesize
703KB

MD5
f676adcd6e17c185e3a247b5479c1f75

SHA1
afc864f3e57a191b9457a198ff40e6db9988505d

SHA256
eaa564c2467ce8b62e2e23ce7020badb6450b6ef68d8e1182d32653ec5ee0f65

SHA512
9fdbce1cc0e13612cf573d0491e22c63a25fba9102822bfd6b682b6c7a92f8e57b6b417a5194000b9b2948f8a63d9e5263bd9ad260e335130ba150d9a6ba20f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe

Filesize
691KB

MD5
86dd34758b6ce7454cc907357c47d697

SHA1
9abc68a284b8f8969649c77f05020c0cabc9f517

SHA256
e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

SHA512
3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe

Filesize
691KB

MD5
86dd34758b6ce7454cc907357c47d697

SHA1
9abc68a284b8f8969649c77f05020c0cabc9f517

SHA256
e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

SHA512
3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe

Filesize
691KB

MD5
86dd34758b6ce7454cc907357c47d697

SHA1
9abc68a284b8f8969649c77f05020c0cabc9f517

SHA256
e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

SHA512
3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

Download Submit
memory/1072-55-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-36-0x0000020008AB0000-0x0000020008AB3000-memory.dmp

Filesize
12KB

Download
memory/1072-70-0x00007FFB3E410000-0x00007FFB3E605000-memory.dmp

Filesize
2.0MB

Download
memory/1072-68-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-67-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-66-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-65-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-64-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-63-0x00007FFB3E410000-0x00007FFB3E605000-memory.dmp

Filesize
2.0MB

Download
memory/1072-62-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-61-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-60-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-58-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-56-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-54-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-53-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-52-0x00007FF484CC0000-0x00007FF484DEF000-memory.dmp

Filesize
1.2MB

Download
memory/1072-51-0x000002000AB60000-0x000002000AB67000-memory.dmp

Filesize
28KB

Download
memory/1072-50-0x0000020008AB0000-0x0000020008AB3000-memory.dmp

Filesize
12KB

Download
memory/1072-69-0x000002000AB60000-0x000002000AB65000-memory.dmp

Filesize
20KB

Download
memory/1856-31-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/1856-29-0x0000000002740000-0x0000000002747000-memory.dmp

Filesize
28KB

Download
memory/1856-45-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-33-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/1856-38-0x0000000003770000-0x00000000037A6000-memory.dmp

Filesize
216KB

Download
memory/1856-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-32-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/1856-44-0x0000000003770000-0x00000000037A6000-memory.dmp

Filesize
216KB

Download
memory/1856-46-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/1856-47-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-48-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/1856-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1856-30-0x0000000002960000-0x0000000002D60000-memory.dmp

Filesize
4.0MB

Download
memory/2160-28-0x000001B2F4720000-0x000001B2F4730000-memory.dmp

Filesize
64KB

Download
memory/2160-34-0x000001B2F5490000-0x000001B2F5598000-memory.dmp

Filesize
1.0MB

Download
memory/2160-37-0x00007FFB1F000000-0x00007FFB1FAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-35-0x000001B2F55A0000-0x000001B2F5696000-memory.dmp

Filesize
984KB

Download
memory/2160-26-0x00007FFB1F000000-0x00007FFB1FAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-25-0x000001B2DA1A0000-0x000001B2DA252000-memory.dmp

Filesize
712KB

Download
memory/2160-49-0x000001B2F4720000-0x000001B2F4730000-memory.dmp

Filesize
64KB

Download
memory/3836-20-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3836-9-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3836-8-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3836-10-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3836-11-0x00000000061E0000-0x0000000006258000-memory.dmp

Filesize
480KB

Download
memory/3836-15-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3836-14-0x0000000006E00000-0x0000000006E4C000-memory.dmp

Filesize
304KB

Download
memory/3836-13-0x0000000006D90000-0x0000000006DF8000-memory.dmp

Filesize
416KB

Download
memory/3836-7-0x0000000000820000-0x00000000008D4000-memory.dmp

Filesize
720KB

Download
memory/3836-12-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download