rhadamanthys | 28cfcf483bbe8d2325b9d5b837379d803207d21bfaccde025d5543fc895815a6

General

Target

buildcreate.exe
Size

916KB
MD5

015f3b383e71a5e9c497bc04723ce7ac
SHA1

f2bd3a71e07524db00b657731db1e8326bc505e8
SHA256

28cfcf483bbe8d2325b9d5b837379d803207d21bfaccde025d5543fc895815a6
SHA512

807390c15267d5d82e3838ad4c399d67d40636078aef82b6e8617868ba1ca58ecc8218dd5841b0672383aad71931854ddbf6cd3574c6be389631549fb6a10d75
SSDEEP

24576:Cgj9azxeqTtcA9U8CY9whhbHHxDeqk9eEzjGGFQjc:Ta1N2A96hRleq1EzjGGFl

Score

10^/10

rhadamanthys collection persistence stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2252-39-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-42-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-41-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-56-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-58-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AddInProcess32.exe

description pid process target process

PID 2252 created 1268 2252 AddInProcess32.exe Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

parentperformance.exeparenttperformance.exe

pid process

1996 parentperformance.exe
2548 parenttperformance.exe

description	pid	process	target process
PID 2252 created 1268	2252	AddInProcess32.exe	Explorer.EXE

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

buildcreate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	buildcreate.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

parentperformance.exe

description pid process target process

PID 1996 set thread context of 2252 1996 parentperformance.exe AddInProcess32.exe

description	pid	process	target process
PID 1996 set thread context of 2252	1996	parentperformance.exe	AddInProcess32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

parentperformance.exeparenttperformance.exeAddInProcess32.execertreq.exe

pid	process
1996	parentperformance.exe
1996	parentperformance.exe
1996	parentperformance.exe
2548	parenttperformance.exe
2548	parenttperformance.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2548	parenttperformance.exe
2308	certreq.exe
2308	certreq.exe
2308	certreq.exe
2308	certreq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

parentperformance.exeparenttperformance.exe

description pid process

Token: SeDebugPrivilege 1996 parentperformance.exe
Token: SeDebugPrivilege 2548 parenttperformance.exe

description	pid	process
Token: SeDebugPrivilege	1996	parentperformance.exe
Token: SeDebugPrivilege	2548	parenttperformance.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

buildcreate.exeparentperformance.exeAddInProcess32.exe

description	pid	process	target process
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	parentperformance.exe
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	parentperformance.exe
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	parentperformance.exe
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	parentperformance.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	AddInProcess32.exe
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	parenttperformance.exe
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	parenttperformance.exe
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	parenttperformance.exe
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	parenttperformance.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	certreq.exe

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\buildcreate.exe
"C:\Users\Admin\AppData\Local\Temp\buildcreate.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
Filesize
1.1MB

MD5
6fd4cb22557a5c357736ef38187d83d5

SHA1
4d84f6b8f36667a699ce0cb2b182b9b511139208

SHA256
465f0d56c2b9e1d615baaba0e31b0d640652d59e4dbcf669b27dbe1b8927da86

SHA512
fb54aed47cba7fd28b49ba66e6295af24566a4647abe1bd4c4a2666deb18aa20886c4ccc7b4a8ea86d55b6b45645cedc2fc540f75097fca76d63963db37be2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
Filesize
1.1MB

MD5
6fd4cb22557a5c357736ef38187d83d5

SHA1
4d84f6b8f36667a699ce0cb2b182b9b511139208

SHA256
465f0d56c2b9e1d615baaba0e31b0d640652d59e4dbcf669b27dbe1b8927da86

SHA512
fb54aed47cba7fd28b49ba66e6295af24566a4647abe1bd4c4a2666deb18aa20886c4ccc7b4a8ea86d55b6b45645cedc2fc540f75097fca76d63963db37be2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
Filesize
1.1MB

MD5
95175fc43f1512a931adca0c84e13e29

SHA1
07ec892d9aeba678db91f28f17c433f0ceca0461

SHA256
ad3231047c5c02a86fe56261fb087b58adfe25dc77bd57f3698e676500191295

SHA512
5d7e79e90127ae88ae9c09d910c0cfe5779753d3def9f8a1dc4ed234e1513796cb6e28d9599250f968993a5131de49827aa9e704ef9b2639a72b03a40acf489c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
Filesize
1.1MB

MD5
95175fc43f1512a931adca0c84e13e29

SHA1
07ec892d9aeba678db91f28f17c433f0ceca0461

SHA256
ad3231047c5c02a86fe56261fb087b58adfe25dc77bd57f3698e676500191295

SHA512
5d7e79e90127ae88ae9c09d910c0cfe5779753d3def9f8a1dc4ed234e1513796cb6e28d9599250f968993a5131de49827aa9e704ef9b2639a72b03a40acf489c

Download Submit
memory/1996-8-0x0000000000950000-0x0000000000A7A000-memory.dmp

Filesize
1.2MB

Download
memory/1996-9-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-10-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-11-0x0000000005AF0000-0x0000000005B32000-memory.dmp

Filesize
264KB

Download
memory/1996-12-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-13-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-14-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-15-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1996-16-0x0000000001F80000-0x0000000001F86000-memory.dmp

Filesize
24KB

Download
memory/1996-29-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-47-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/2252-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-38-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2252-39-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-42-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-41-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-58-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-17-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-54-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/2252-56-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2308-65-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-73-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-79-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2308-78-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/2308-77-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-76-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-45-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2308-43-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2308-60-0x00000000004B0000-0x00000000004B7000-memory.dmp

Filesize
28KB

Download
memory/2308-61-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-62-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-63-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-64-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-75-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-67-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-69-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-70-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-71-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-72-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2308-74-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2548-46-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-35-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-36-0x0000000000190000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-37-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2548-55-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2548-53-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads