rhadamanthys | 16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe
Size

1.2MB
MD5

1b728c6e8f10313d7367c82e48d022da
SHA1

192a6598214c1a9d19717f18e271a4360eb38b44
SHA256

16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1
SHA512

3bf139a04d28a6858ec8c697f3387c613844d0628ad42725d21274a3574937482da2bc921944d34b4b7e1d91f4821e328cf2668ad768a52cb2c63c15b136d258
SSDEEP

24576:1D3s67Twbc8NIdi9SePHdvwtlTWlTnF6hcz5+ntmgTUji:RX7Tdosepwr4TnF6hYEtp

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detects DLL dropped by Raspberry Robin. 2 IoCs

Raspberry Robin.

resource	yara_rule
behavioral1/memory/900-54-0x0000000077540000-0x000000007765F000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral1/memory/944-63-0x0000000077540000-0x000000007765F000-memory.dmp	Raspberry_Robin_DLL_MAY_2022

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 592 created 1260	592	Far.pif	17
PID 900 created 1260	900	Far.pif	17

Executes dropped EXE 2 IoCs

pid	Process
592	Far.pif
900	Far.pif

Loads dropped DLL 2 IoCs

pid	Process
1204	cmd.exe
592	Far.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 900	592	Far.pif	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2736	tasklist.exe
2520	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
592	Far.pif
592	Far.pif
592	Far.pif
592	Far.pif
592	Far.pif
900	Far.pif
900	Far.pif
944	dialer.exe
944	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	2520	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
592	Far.pif
592	Far.pif
592	Far.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
592	Far.pif
592	Far.pif
592	Far.pif

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2928	2448	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	29
PID 2448 wrote to memory of 2928	2448	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	29
PID 2448 wrote to memory of 2928	2448	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	29
PID 2448 wrote to memory of 2928	2448	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	29
PID 2928 wrote to memory of 1204	2928	cmd.exe	31
PID 2928 wrote to memory of 1204	2928	cmd.exe	31
PID 2928 wrote to memory of 1204	2928	cmd.exe	31
PID 2928 wrote to memory of 1204	2928	cmd.exe	31
PID 1204 wrote to memory of 2736	1204	cmd.exe	32
PID 1204 wrote to memory of 2736	1204	cmd.exe	32
PID 1204 wrote to memory of 2736	1204	cmd.exe	32
PID 1204 wrote to memory of 2736	1204	cmd.exe	32
PID 1204 wrote to memory of 2796	1204	cmd.exe	33
PID 1204 wrote to memory of 2796	1204	cmd.exe	33
PID 1204 wrote to memory of 2796	1204	cmd.exe	33
PID 1204 wrote to memory of 2796	1204	cmd.exe	33
PID 1204 wrote to memory of 2520	1204	cmd.exe	35
PID 1204 wrote to memory of 2520	1204	cmd.exe	35
PID 1204 wrote to memory of 2520	1204	cmd.exe	35
PID 1204 wrote to memory of 2520	1204	cmd.exe	35
PID 1204 wrote to memory of 2540	1204	cmd.exe	36
PID 1204 wrote to memory of 2540	1204	cmd.exe	36
PID 1204 wrote to memory of 2540	1204	cmd.exe	36
PID 1204 wrote to memory of 2540	1204	cmd.exe	36
PID 1204 wrote to memory of 2644	1204	cmd.exe	37
PID 1204 wrote to memory of 2644	1204	cmd.exe	37
PID 1204 wrote to memory of 2644	1204	cmd.exe	37
PID 1204 wrote to memory of 2644	1204	cmd.exe	37
PID 1204 wrote to memory of 3000	1204	cmd.exe	38
PID 1204 wrote to memory of 3000	1204	cmd.exe	38
PID 1204 wrote to memory of 3000	1204	cmd.exe	38
PID 1204 wrote to memory of 3000	1204	cmd.exe	38
PID 1204 wrote to memory of 3020	1204	cmd.exe	39
PID 1204 wrote to memory of 3020	1204	cmd.exe	39
PID 1204 wrote to memory of 3020	1204	cmd.exe	39
PID 1204 wrote to memory of 3020	1204	cmd.exe	39
PID 1204 wrote to memory of 592	1204	cmd.exe	40
PID 1204 wrote to memory of 592	1204	cmd.exe	40
PID 1204 wrote to memory of 592	1204	cmd.exe	40
PID 1204 wrote to memory of 592	1204	cmd.exe	40
PID 1204 wrote to memory of 960	1204	cmd.exe	41
PID 1204 wrote to memory of 960	1204	cmd.exe	41
PID 1204 wrote to memory of 960	1204	cmd.exe	41
PID 1204 wrote to memory of 960	1204	cmd.exe	41
PID 592 wrote to memory of 900	592	Far.pif	42
PID 592 wrote to memory of 900	592	Far.pif	42
PID 592 wrote to memory of 900	592	Far.pif	42
PID 592 wrote to memory of 900	592	Far.pif	42
PID 592 wrote to memory of 900	592	Far.pif	42
PID 900 wrote to memory of 944	900	Far.pif	45
PID 900 wrote to memory of 944	900	Far.pif	45
PID 900 wrote to memory of 944	900	Far.pif	45
PID 900 wrote to memory of 944	900	Far.pif	45
PID 900 wrote to memory of 944	900	Far.pif	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe
  "C:\Users\Admin\AppData\Local\Temp\16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Advancement & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 6303
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Zoo + Viewers + Bow + Contractors + Protection + Desk + Kinds 6303\Far.pif
        5⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Payday + Corporate + Spain 6303\i
        5⤵
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6303\Far.pif
        
        6303\Far.pif 6303\i
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:592
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:960
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6303\Far.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6303\Far.pif
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:900
- C:\Windows\system32\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6303\i

Filesize
1.2MB

MD5
60969e04b275ef5736bcfdbc9bb8956e

SHA1
f83aebf03595e292b4fa442268a04adb9237d1b2

SHA256
ffe11903cb1d486498ae4d4bc4b877e042e9d5bb534bd83a885062ce9e7d3ea5

SHA512
0d1fd501e26924b98c30571a6778d571a81d758101ac9cdebd7fe52650a6d31d504b3579b5bf9e9321b1f07c58d9737760c2efc8aa2948670ac33d1ce61c6c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Advancement

Filesize
13KB

MD5
505f790e3cc3f421285b34b305cae9af

SHA1
21670a4c7fed0276b21dca2a3c99f6d3a0df8bd0

SHA256
eedf0f94e30907d8c55a5f6dc6312e52943d3268f1f4bc72270ce6debae53d34

SHA512
1499095e2dcc66be8593d6bf418be378ca6bed7454fca57fe4220b06f1f4a4b20ce9242aa9b75b237fec4a9996a2f3e946d2d6b01b1557cabe2e19d0dcb5bf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bow

Filesize
151KB

MD5
efd8b81929d7c38b49e8daad7a20c138

SHA1
ef55c3f3e31eb93389b639112ed97cf5fc41b1bf

SHA256
7ba2c0e7bf1e5ece9a84dbab13b90708a6b7cab1ce4d410dbfc293cdcfbf8565

SHA512
5a4e3ec6f49c42548132edc544cdc713759a42b9006f3fae76d5dd9708319e33b8d758059f8ed82efe62ad14381631863c3a31bc70e53b5ecb18c9804fc4402f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Contractors

Filesize
171KB

MD5
35ac7a5b2a591749c8a33f19dab5cdbc

SHA1
fc1ea0fe6e7e8481213e8a3434148211f71ab12a

SHA256
de04d7be8bd7b73ebfb135cbee3aafe84d3a544ace7c5dbe994610d139608175

SHA512
49a8fcd2f7a0a44bbc6bb71ea9791f23e4570b81dc4f26b0994294943cb9cd0247442a3b657fae6fefb5f3b4b74a31a4f0de43b818d6c776ea0757473a9c9a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Corporate

Filesize
435KB

MD5
8998a0723f051b5c7e91abcfbf187143

SHA1
6900fb44e2699f1897c1bfc87478ee8a44b7da06

SHA256
bb4d3575aa1136fac21d60e1f6f40190f631163f73e6554ef296d9e950b4d5ee

SHA512
3c8ea2c055bbbf4c5eb6f88f97989440ff5591797526f3779e7469adc383063e0dc47dadbfe0fb43c361f3f043eb5fa7e4cad7cf5d63c0093d9edb7900553862

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Desk

Filesize
155KB

MD5
283b60351b19b137b0ad4efb86dcbfc1

SHA1
51d61a9add9dcb749f8ddd2f7fb9a4a9cf7c46bc

SHA256
a3217c4e170b80d7c75ff38d9667ccaa66349d8e0c3fc022f4ec0982909a754a

SHA512
5417af78aa3ca8e76657ff3e89cd68d4b4925e6931620bec7d58324c839db140035f4ce11c73e74fc44da8f0cc63d2c92d37c667c7fed879b193636a60494929

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Kinds

Filesize
45KB

MD5
0c257b9edbcc7f41af6e1027bc0713ee

SHA1
2149a7bb22476f85610c842c34628b2f22d8a549

SHA256
7ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c

SHA512
f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Payday

Filesize
444KB

MD5
4d83c8404f636cbb8ab0f08ed1063a14

SHA1
1bf2758f989495e5a2f13acd4c9fb2c8c176613f

SHA256
eceef58e2264d5624f0e961fc693dc07f5759b8c05e5c049dc56830ef2664000

SHA512
1d80fd78fd324ce95204557a097e0cee348d76e4de4c08cfd5b550ae4f0fee1b3fec42167ba9502574748e89518a74f1f4a20a59167334da9f2fbd575444a9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Protection

Filesize
184KB

MD5
e08866278f3a97aef93ba2a839c11f04

SHA1
a014f0417591da266a95f7590c9019b3cf6ae3bc

SHA256
21685a7876fe2ca8c890f0819a3d4e561a53a6f2c6a3212e134a87c2e1e4d39b

SHA512
679b15d6db25a5ce4f9a11474136be23876776e8b4fe4c9384cc51bea15c6d715a15df5afc1283a08a19083afd2a4a99ce6347d2ece95eb1702354a57d3bc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spain

Filesize
370KB

MD5
bf8235618cb869e00161cb6318689e46

SHA1
4b0e0ee156dfd1f1686d37772d24ce67393e58ac

SHA256
55f26cc8c2d64a7174b1fde106eb1b65cebbf7f32c6585c0737f6fafef6d4b3f

SHA512
6af2346ccb99a11bf2031362bf442044275bc38ee441e946d21d22118b5d7d39406a31e5cfb7051c4f6c3c4ac87fc13b70116e697a74d8b25e2b5218a0832bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viewers

Filesize
140KB

MD5
f32cf54e9a67c7a652b0a63ebac897fe

SHA1
94662546b1e0b95e5fe190b268cd8370b534616b

SHA256
5b4766a612825c1640cd4bfe5e32a32ec0aa88dcc050fbe3cb821ef6f81563a7

SHA512
34af7d1e95c95e6624ea3b2ee39c9371e4fa41daeb76d4ba4e5f7f431033d0e93851aab509856c798208f5568acd23e58cf14aefbb1f7891185a386a8779a8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Zoo

Filesize
200KB

MD5
7da539acbd1604bb8c0ae5f6eb990bb8

SHA1
1271fa42479299d5f337e03abc82af7125aa423f

SHA256
0d36e743b8a12a30f0aec344ffdc0400e080af2d1a8c322930a73147703a8902

SHA512
1bb62339d6a74128cfefec47fd0f360bed6dea5ccf51d9d77cf84e3e8a920790141cccddbb6810a3f9b627af7bbb0ed9a32f6ef2e92194085feaf384b763aad5

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6303\Far.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
memory/592-41-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/900-48-0x0000000000060000-0x00000000000FB000-memory.dmp

Filesize
620KB

Download
memory/900-43-0x0000000000060000-0x00000000000FB000-memory.dmp

Filesize
620KB

Download
memory/900-44-0x0000000000060000-0x00000000000FB000-memory.dmp

Filesize
620KB

Download
memory/900-47-0x0000000000060000-0x00000000000FB000-memory.dmp

Filesize
620KB

Download
memory/900-64-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/900-49-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/900-51-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/900-50-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/900-54-0x0000000077540000-0x000000007765F000-memory.dmp

Filesize
1.1MB

Download
memory/900-53-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/900-55-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/900-56-0x000007FEFD770000-0x000007FEFD7DC000-memory.dmp

Filesize
432KB

Download
memory/900-67-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/944-59-0x0000000001AF0000-0x0000000001EF0000-memory.dmp

Filesize
4.0MB

Download
memory/944-60-0x00000000030C0000-0x00000000034C0000-memory.dmp

Filesize
4.0MB

Download
memory/944-63-0x0000000077540000-0x000000007765F000-memory.dmp

Filesize
1.1MB

Download
memory/944-62-0x0000000001AF0000-0x0000000001EF0000-memory.dmp

Filesize
4.0MB

Download
memory/944-61-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/944-57-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/944-68-0x0000000001AF0000-0x0000000001EF0000-memory.dmp

Filesize
4.0MB

Download
memory/944-70-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/944-69-0x0000000001AF0000-0x0000000001EF0000-memory.dmp

Filesize
4.0MB

Download
memory/944-66-0x0000000077760000-0x0000000077909000-memory.dmp

Filesize
1.7MB

Download
memory/944-65-0x000007FEFD770000-0x000007FEFD7DC000-memory.dmp

Filesize
432KB

Download
memory/2448-0-0x0000000077950000-0x0000000077A26000-memory.dmp

Filesize
856KB

Download