rhadamanthys | 28cfcf483bbe8d2325b9d5b837379d803207d21bfaccde025d5543fc895815a6

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-09-2023 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

buildcreate.exe
Size

916KB
MD5

015f3b383e71a5e9c497bc04723ce7ac
SHA1

f2bd3a71e07524db00b657731db1e8326bc505e8
SHA256

28cfcf483bbe8d2325b9d5b837379d803207d21bfaccde025d5543fc895815a6
SHA512

807390c15267d5d82e3838ad4c399d67d40636078aef82b6e8617868ba1ca58ecc8218dd5841b0672383aad71931854ddbf6cd3574c6be389631549fb6a10d75
SSDEEP

24576:Cgj9azxeqTtcA9U8CY9whhbHHxDeqk9eEzjGGFQjc:Ta1N2A96hRleq1EzjGGFl

Score

10^/10

rhadamanthys collection persistence stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

resource	yara_rule
behavioral1/memory/2252-39-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-42-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-41-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-56-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys
behavioral1/memory/2252-58-0x0000000002260000-0x0000000002660000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2252 created 1268	2252	AddInProcess32.exe	17

Executes dropped EXE 2 IoCs

pid	Process
1996	parentperformance.exe
2548	parenttperformance.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	buildcreate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 2252	1996	parentperformance.exe	31

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1996	parentperformance.exe
1996	parentperformance.exe
1996	parentperformance.exe
2548	parenttperformance.exe
2548	parenttperformance.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2252	AddInProcess32.exe
2548	parenttperformance.exe
2308	certreq.exe
2308	certreq.exe
2308	certreq.exe
2308	certreq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	parentperformance.exe
Token: SeDebugPrivilege	2548	parenttperformance.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	28
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	28
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	28
PID 1412 wrote to memory of 1996	1412	buildcreate.exe	28
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1996 wrote to memory of 2252	1996	parentperformance.exe	31
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	32
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	32
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	32
PID 1412 wrote to memory of 2548	1412	buildcreate.exe	32
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34
PID 2252 wrote to memory of 2308	2252	AddInProcess32.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\buildcreate.exe
  "C:\Users\Admin\AppData\Local\Temp\buildcreate.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2252
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe

Filesize
1.1MB

MD5
6fd4cb22557a5c357736ef38187d83d5

SHA1
4d84f6b8f36667a699ce0cb2b182b9b511139208

SHA256
465f0d56c2b9e1d615baaba0e31b0d640652d59e4dbcf669b27dbe1b8927da86

SHA512
fb54aed47cba7fd28b49ba66e6295af24566a4647abe1bd4c4a2666deb18aa20886c4ccc7b4a8ea86d55b6b45645cedc2fc540f75097fca76d63963db37be2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parentperformance.exe

Filesize
1.1MB

MD5
6fd4cb22557a5c357736ef38187d83d5

SHA1
4d84f6b8f36667a699ce0cb2b182b9b511139208

SHA256
465f0d56c2b9e1d615baaba0e31b0d640652d59e4dbcf669b27dbe1b8927da86

SHA512
fb54aed47cba7fd28b49ba66e6295af24566a4647abe1bd4c4a2666deb18aa20886c4ccc7b4a8ea86d55b6b45645cedc2fc540f75097fca76d63963db37be2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe

Filesize
1.1MB

MD5
95175fc43f1512a931adca0c84e13e29

SHA1
07ec892d9aeba678db91f28f17c433f0ceca0461

SHA256
ad3231047c5c02a86fe56261fb087b58adfe25dc77bd57f3698e676500191295

SHA512
5d7e79e90127ae88ae9c09d910c0cfe5779753d3def9f8a1dc4ed234e1513796cb6e28d9599250f968993a5131de49827aa9e704ef9b2639a72b03a40acf489c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parenttperformance.exe

Filesize
1.1MB

MD5
95175fc43f1512a931adca0c84e13e29

SHA1
07ec892d9aeba678db91f28f17c433f0ceca0461

SHA256
ad3231047c5c02a86fe56261fb087b58adfe25dc77bd57f3698e676500191295

SHA512
5d7e79e90127ae88ae9c09d910c0cfe5779753d3def9f8a1dc4ed234e1513796cb6e28d9599250f968993a5131de49827aa9e704ef9b2639a72b03a40acf489c

Download Submit
memory/1996-8-0x0000000000950000-0x0000000000A7A000-memory.dmp

Filesize
1.2MB

Download
memory/1996-9-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-10-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-11-0x0000000005AF0000-0x0000000005B32000-memory.dmp

Filesize
264KB

Download
memory/1996-12-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-13-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1996-14-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1996-15-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1996-16-0x0000000001F80000-0x0000000001F86000-memory.dmp

Filesize
24KB

Download
memory/1996-29-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-47-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/2252-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-38-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2252-39-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-42-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-41-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-58-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2252-17-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2252-54-0x0000000000560000-0x0000000000596000-memory.dmp

Filesize
216KB

Download
memory/2252-56-0x0000000002260000-0x0000000002660000-memory.dmp

Filesize
4.0MB

Download
memory/2308-65-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-73-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-79-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2308-78-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/2308-77-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-76-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-45-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2308-43-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2308-60-0x00000000004B0000-0x00000000004B7000-memory.dmp

Filesize
28KB

Download
memory/2308-61-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-62-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-63-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-64-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-75-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-67-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-69-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-70-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-71-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2308-72-0x0000000077720000-0x00000000778C9000-memory.dmp

Filesize
1.7MB

Download
memory/2308-74-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2548-46-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-35-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-36-0x0000000000190000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-37-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2548-55-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2548-53-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download