rhadamanthys | 16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1

Analysis

max time kernel
197s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08/01/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe
Size

1.2MB
MD5

1b728c6e8f10313d7367c82e48d022da
SHA1

192a6598214c1a9d19717f18e271a4360eb38b44
SHA256

16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1
SHA512

3bf139a04d28a6858ec8c697f3387c613844d0628ad42725d21274a3574937482da2bc921944d34b4b7e1d91f4821e328cf2668ad768a52cb2c63c15b136d258
SSDEEP

24576:1D3s67Twbc8NIdi9SePHdvwtlTWlTnF6hcz5+ntmgTUji:RX7Tdosepwr4TnF6hYEtp

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4512 created 3372	4512	Far.pif	31
PID 768 created 2992	768	Far.pif	34

Executes dropped EXE 2 IoCs

pid	Process
4512	Far.pif
768	Far.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 768	4512	Far.pif	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3412	tasklist.exe
3484	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2292	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
4512	Far.pif
768	Far.pif
768	Far.pif
3884	dialer.exe
3884	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeDebugPrivilege	3484	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4512	Far.pif
4512	Far.pif
4512	Far.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4512	Far.pif
4512	Far.pif
4512	Far.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4676	1932	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	76
PID 1932 wrote to memory of 4676	1932	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	76
PID 1932 wrote to memory of 4676	1932	16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe	76
PID 4676 wrote to memory of 3584	4676	cmd.exe	74
PID 4676 wrote to memory of 3584	4676	cmd.exe	74
PID 4676 wrote to memory of 3584	4676	cmd.exe	74
PID 3584 wrote to memory of 3412	3584	cmd.exe	78
PID 3584 wrote to memory of 3412	3584	cmd.exe	78
PID 3584 wrote to memory of 3412	3584	cmd.exe	78
PID 3584 wrote to memory of 1400	3584	cmd.exe	77
PID 3584 wrote to memory of 1400	3584	cmd.exe	77
PID 3584 wrote to memory of 1400	3584	cmd.exe	77
PID 3584 wrote to memory of 3484	3584	cmd.exe	81
PID 3584 wrote to memory of 3484	3584	cmd.exe	81
PID 3584 wrote to memory of 3484	3584	cmd.exe	81
PID 3584 wrote to memory of 3888	3584	cmd.exe	80
PID 3584 wrote to memory of 3888	3584	cmd.exe	80
PID 3584 wrote to memory of 3888	3584	cmd.exe	80
PID 3584 wrote to memory of 4052	3584	cmd.exe	86
PID 3584 wrote to memory of 4052	3584	cmd.exe	86
PID 3584 wrote to memory of 4052	3584	cmd.exe	86
PID 3584 wrote to memory of 4724	3584	cmd.exe	85
PID 3584 wrote to memory of 4724	3584	cmd.exe	85
PID 3584 wrote to memory of 4724	3584	cmd.exe	85
PID 3584 wrote to memory of 4488	3584	cmd.exe	82
PID 3584 wrote to memory of 4488	3584	cmd.exe	82
PID 3584 wrote to memory of 4488	3584	cmd.exe	82
PID 3584 wrote to memory of 4512	3584	cmd.exe	84
PID 3584 wrote to memory of 4512	3584	cmd.exe	84
PID 3584 wrote to memory of 2292	3584	cmd.exe	83
PID 3584 wrote to memory of 2292	3584	cmd.exe	83
PID 3584 wrote to memory of 2292	3584	cmd.exe	83
PID 4512 wrote to memory of 768	4512	Far.pif	87
PID 4512 wrote to memory of 768	4512	Far.pif	87
PID 4512 wrote to memory of 768	4512	Far.pif	87
PID 4512 wrote to memory of 768	4512	Far.pif	87
PID 768 wrote to memory of 3884	768	Far.pif	88
PID 768 wrote to memory of 3884	768	Far.pif	88
PID 768 wrote to memory of 3884	768	Far.pif	88
PID 768 wrote to memory of 3884	768	Far.pif	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe
  "C:\Users\Admin\AppData\Local\Temp\16748566fc9e297fa08b4433fadeafdd63c1527fad4cac0cf8df287df56088d1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Advancement & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4676
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\Far.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\Far.pif
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:768

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2992
- C:\Windows\system32\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  2⤵
  PID:1400
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "wrsa.exe"
  2⤵
  PID:3888
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Payday + Corporate + Spain 6293\i
  2⤵
  PID:4488
- C:\Windows\SysWOW64\PING.EXE
  ping -n 5 localhost
  2⤵
  - Runs ping.exe
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\Far.pif
  6293\Far.pif 6293\i
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Zoo + Viewers + Bow + Contractors + Protection + Desk + Kinds 6293\Far.pif
  2⤵
  PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c mkdir 6293
  2⤵
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\Far.pif

Filesize
827KB

MD5
2ae1f13722decd0594ca044ae0d15dfd

SHA1
32029490a94c8eff2c23e24deb2882c59bbe1fd5

SHA256
959a6c6b778e5c1bc8e7b20697d2a9f1575fa340ec6c532470d03ddfbecf2f47

SHA512
b27acb048c8dadabd201a4f9577aeed463a3563e244381353fbc7486e15643e010deefb02f4d6c8100161ae6ed071fe0b5fb1bd03dbdbede9261433dc5125788

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\Far.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6293\i

Filesize
630KB

MD5
4c96fd2b7c0ea38176b31fda162a7146

SHA1
b06c2ebf201618f43920bf13b1abcd3b8d49a6c4

SHA256
5acbededf9a6b000c248fc863492f4adfeded5adcf0da4dc072d1bebe9217c9f

SHA512
4531dc4c95116bacc5883562c5db2bbcf27001d27215fd24317c838bbd5ba90117054fa7a4df22ad456c363bd3beeff780866639e24cd10a6827d7b4677606c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Advancement

Filesize
13KB

MD5
505f790e3cc3f421285b34b305cae9af

SHA1
21670a4c7fed0276b21dca2a3c99f6d3a0df8bd0

SHA256
eedf0f94e30907d8c55a5f6dc6312e52943d3268f1f4bc72270ce6debae53d34

SHA512
1499095e2dcc66be8593d6bf418be378ca6bed7454fca57fe4220b06f1f4a4b20ce9242aa9b75b237fec4a9996a2f3e946d2d6b01b1557cabe2e19d0dcb5bf26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bow

Filesize
151KB

MD5
efd8b81929d7c38b49e8daad7a20c138

SHA1
ef55c3f3e31eb93389b639112ed97cf5fc41b1bf

SHA256
7ba2c0e7bf1e5ece9a84dbab13b90708a6b7cab1ce4d410dbfc293cdcfbf8565

SHA512
5a4e3ec6f49c42548132edc544cdc713759a42b9006f3fae76d5dd9708319e33b8d758059f8ed82efe62ad14381631863c3a31bc70e53b5ecb18c9804fc4402f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Contractors

Filesize
171KB

MD5
35ac7a5b2a591749c8a33f19dab5cdbc

SHA1
fc1ea0fe6e7e8481213e8a3434148211f71ab12a

SHA256
de04d7be8bd7b73ebfb135cbee3aafe84d3a544ace7c5dbe994610d139608175

SHA512
49a8fcd2f7a0a44bbc6bb71ea9791f23e4570b81dc4f26b0994294943cb9cd0247442a3b657fae6fefb5f3b4b74a31a4f0de43b818d6c776ea0757473a9c9a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Corporate

Filesize
435KB

MD5
8998a0723f051b5c7e91abcfbf187143

SHA1
6900fb44e2699f1897c1bfc87478ee8a44b7da06

SHA256
bb4d3575aa1136fac21d60e1f6f40190f631163f73e6554ef296d9e950b4d5ee

SHA512
3c8ea2c055bbbf4c5eb6f88f97989440ff5591797526f3779e7469adc383063e0dc47dadbfe0fb43c361f3f043eb5fa7e4cad7cf5d63c0093d9edb7900553862

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Desk

Filesize
155KB

MD5
283b60351b19b137b0ad4efb86dcbfc1

SHA1
51d61a9add9dcb749f8ddd2f7fb9a4a9cf7c46bc

SHA256
a3217c4e170b80d7c75ff38d9667ccaa66349d8e0c3fc022f4ec0982909a754a

SHA512
5417af78aa3ca8e76657ff3e89cd68d4b4925e6931620bec7d58324c839db140035f4ce11c73e74fc44da8f0cc63d2c92d37c667c7fed879b193636a60494929

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Kinds

Filesize
45KB

MD5
0c257b9edbcc7f41af6e1027bc0713ee

SHA1
2149a7bb22476f85610c842c34628b2f22d8a549

SHA256
7ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c

SHA512
f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Payday

Filesize
444KB

MD5
4d83c8404f636cbb8ab0f08ed1063a14

SHA1
1bf2758f989495e5a2f13acd4c9fb2c8c176613f

SHA256
eceef58e2264d5624f0e961fc693dc07f5759b8c05e5c049dc56830ef2664000

SHA512
1d80fd78fd324ce95204557a097e0cee348d76e4de4c08cfd5b550ae4f0fee1b3fec42167ba9502574748e89518a74f1f4a20a59167334da9f2fbd575444a9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Protection

Filesize
184KB

MD5
e08866278f3a97aef93ba2a839c11f04

SHA1
a014f0417591da266a95f7590c9019b3cf6ae3bc

SHA256
21685a7876fe2ca8c890f0819a3d4e561a53a6f2c6a3212e134a87c2e1e4d39b

SHA512
679b15d6db25a5ce4f9a11474136be23876776e8b4fe4c9384cc51bea15c6d715a15df5afc1283a08a19083afd2a4a99ce6347d2ece95eb1702354a57d3bc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Spain

Filesize
370KB

MD5
bf8235618cb869e00161cb6318689e46

SHA1
4b0e0ee156dfd1f1686d37772d24ce67393e58ac

SHA256
55f26cc8c2d64a7174b1fde106eb1b65cebbf7f32c6585c0737f6fafef6d4b3f

SHA512
6af2346ccb99a11bf2031362bf442044275bc38ee441e946d21d22118b5d7d39406a31e5cfb7051c4f6c3c4ac87fc13b70116e697a74d8b25e2b5218a0832bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viewers

Filesize
140KB

MD5
f32cf54e9a67c7a652b0a63ebac897fe

SHA1
94662546b1e0b95e5fe190b268cd8370b534616b

SHA256
5b4766a612825c1640cd4bfe5e32a32ec0aa88dcc050fbe3cb821ef6f81563a7

SHA512
34af7d1e95c95e6624ea3b2ee39c9371e4fa41daeb76d4ba4e5f7f431033d0e93851aab509856c798208f5568acd23e58cf14aefbb1f7891185a386a8779a8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Zoo

Filesize
200KB

MD5
7da539acbd1604bb8c0ae5f6eb990bb8

SHA1
1271fa42479299d5f337e03abc82af7125aa423f

SHA256
0d36e743b8a12a30f0aec344ffdc0400e080af2d1a8c322930a73147703a8902

SHA512
1bb62339d6a74128cfefec47fd0f360bed6dea5ccf51d9d77cf84e3e8a920790141cccddbb6810a3f9b627af7bbb0ed9a32f6ef2e92194085feaf384b763aad5

Download Submit
memory/768-44-0x000001F9E6120000-0x000001F9E61BB000-memory.dmp

Filesize
620KB

Download
memory/768-51-0x00007FF849200000-0x00007FF849449000-memory.dmp

Filesize
2.3MB

Download
memory/768-41-0x000001F9E6120000-0x000001F9E61BB000-memory.dmp

Filesize
620KB

Download
memory/768-42-0x000001F9E6120000-0x000001F9E61BB000-memory.dmp

Filesize
620KB

Download
memory/768-45-0x000001F980010000-0x000001F980410000-memory.dmp

Filesize
4.0MB

Download
memory/768-46-0x000001F980010000-0x000001F980410000-memory.dmp

Filesize
4.0MB

Download
memory/768-49-0x00007FF84C8E0000-0x00007FF84C98E000-memory.dmp

Filesize
696KB

Download
memory/768-48-0x00007FF84CCE0000-0x00007FF84CEBB000-memory.dmp

Filesize
1.9MB

Download
memory/768-50-0x000001F980010000-0x000001F980410000-memory.dmp

Filesize
4.0MB

Download
memory/768-47-0x000001F980010000-0x000001F980410000-memory.dmp

Filesize
4.0MB

Download
memory/768-65-0x00007FF84CCE0000-0x00007FF84CEBB000-memory.dmp

Filesize
1.9MB

Download
memory/1932-0-0x0000000077281000-0x0000000077394000-memory.dmp

Filesize
1.1MB

Download
memory/3884-52-0x000001D5BF350000-0x000001D5BF359000-memory.dmp

Filesize
36KB

Download
memory/3884-57-0x000001D5C0F70000-0x000001D5C1370000-memory.dmp

Filesize
4.0MB

Download
memory/3884-59-0x00007FF84C8E0000-0x00007FF84C98E000-memory.dmp

Filesize
696KB

Download
memory/3884-61-0x00007FF849200000-0x00007FF849449000-memory.dmp

Filesize
2.3MB

Download
memory/3884-60-0x000001D5C0F70000-0x000001D5C1370000-memory.dmp

Filesize
4.0MB

Download
memory/3884-58-0x00007FF84CCE0000-0x00007FF84CEBB000-memory.dmp

Filesize
1.9MB

Download
memory/3884-62-0x00007FF84CCE0000-0x00007FF84CEBB000-memory.dmp

Filesize
1.9MB

Download
memory/3884-55-0x000001D5C0F70000-0x000001D5C1370000-memory.dmp

Filesize
4.0MB

Download
memory/3884-66-0x000001D5C0F70000-0x000001D5C1370000-memory.dmp

Filesize
4.0MB

Download
memory/3884-67-0x00007FF84CCE0000-0x00007FF84CEBB000-memory.dmp

Filesize
1.9MB

Download
memory/4512-40-0x0000019634480000-0x0000019634481000-memory.dmp

Filesize
4KB

Download