rhadamanthys | 0e31baeb3b4d0108735c3d0ad0cf1c7a0f7f1c40e8b36fd003312e60d4fc116f

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solaris.exe
Size

2.4MB
MD5

ff652d08cf029b5c2ad320ecfd0bab76
SHA1

2c445cd6682cb2a3138fcf54433b61d31671547c
SHA256

0e31baeb3b4d0108735c3d0ad0cf1c7a0f7f1c40e8b36fd003312e60d4fc116f
SHA512

5bd29a3779669c2a55795d900180909d8cb0260e03d51eb98edf673ffdedc886fa79363b7c09b4979e1e8b11d0f51c2d7b141849c8e67f8f7099caae21db084d
SSDEEP

49152:nLRyUcCmKGyogT/ssZ5H2fUmVPMcR+WNGTDz:nLRxcCjsmPZluj+6Gvz

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Blog.pifRegAsm.exe

description	pid	process	target process
PID 4412 created 3448	4412	Blog.pif	Explorer.EXE
PID 4412 created 3448	4412	Blog.pif	Explorer.EXE
PID 756 created 2948	756	RegAsm.exe	sihost.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

Blog.pifRegAsm.exe

pid process

4412 Blog.pif
756 RegAsm.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2208 tasklist.exe
2528 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4932 PING.EXE

pid	process
2208	tasklist.exe
2528	tasklist.exe

pid	process
4932	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Blog.pifRegAsm.exedialer.exe

pid	process
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
4412	Blog.pif
756	RegAsm.exe
756	RegAsm.exe
1604	dialer.exe
1604	dialer.exe
1604	dialer.exe
1604	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2208 tasklist.exe
Token: SeDebugPrivilege 2528 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Blog.pif

pid process

4412 Blog.pif
4412 Blog.pif
4412 Blog.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Blog.pif

pid process

4412 Blog.pif
4412 Blog.pif
4412 Blog.pif

description	pid	process
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

solaris.execmd.exeBlog.pifRegAsm.exe

description	pid	process	target process
PID 2044 wrote to memory of 2160	2044	solaris.exe	cmd.exe
PID 2044 wrote to memory of 2160	2044	solaris.exe	cmd.exe
PID 2044 wrote to memory of 2160	2044	solaris.exe	cmd.exe
PID 2160 wrote to memory of 2208	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 2208	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 2208	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 3956	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 3956	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 3956	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 2528	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 2528	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 2528	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4524	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 4524	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 4524	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 832	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 832	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 832	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 528	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 528	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 528	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4904	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4904	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4904	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4412	2160	cmd.exe	Blog.pif
PID 2160 wrote to memory of 4412	2160	cmd.exe	Blog.pif
PID 2160 wrote to memory of 4412	2160	cmd.exe	Blog.pif
PID 2160 wrote to memory of 4932	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 4932	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 4932	2160	cmd.exe	PING.EXE
PID 4412 wrote to memory of 4520	4412	Blog.pif	cmd.exe
PID 4412 wrote to memory of 4520	4412	Blog.pif	cmd.exe
PID 4412 wrote to memory of 4520	4412	Blog.pif	cmd.exe
PID 4412 wrote to memory of 756	4412	Blog.pif	RegAsm.exe
PID 4412 wrote to memory of 756	4412	Blog.pif	RegAsm.exe
PID 4412 wrote to memory of 756	4412	Blog.pif	RegAsm.exe
PID 4412 wrote to memory of 756	4412	Blog.pif	RegAsm.exe
PID 4412 wrote to memory of 756	4412	Blog.pif	RegAsm.exe
PID 756 wrote to memory of 1604	756	RegAsm.exe	dialer.exe
PID 756 wrote to memory of 1604	756	RegAsm.exe	dialer.exe
PID 756 wrote to memory of 1604	756	RegAsm.exe	dialer.exe
PID 756 wrote to memory of 1604	756	RegAsm.exe	dialer.exe
PID 756 wrote to memory of 1604	756	RegAsm.exe	dialer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\solaris.exe
"C:\Users\Admin\AppData\Local\Temp\solaris.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /k move Classics Classics.bat & Classics.bat & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:3956

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
cmd /c md 2019
4⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Directly + Fingers + Tx + Pdf + Pattern + Avenue 2019\Blog.pif
4⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Mentioned + Basketball + Charitable 2019\T
4⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\23328\2019\Blog.pif
2019\Blog.pif 2019\T
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:4932

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\ByteHarbor Technologies\DataHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataHarbor.url" & exit
2⤵
- Drops startup file
PID:4520

C:\Users\Admin\AppData\Local\Temp\23328\2019\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\23328\2019\RegAsm.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2948

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23328\2019\Blog.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\2019\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\2019\T

Filesize
1.1MB

MD5
792fd93be2e9d6400bfefce7cbcc3826

SHA1
a2387896de18a59a82921ea16124e68370ce5c5f

SHA256
27c8c0e9213039ccf70984927172acd31dc929f56967d626e7433675d6f56623

SHA512
22bc9c81cdeede2e3a1043a42b81e0a8dc1013886c93d74550d35a90b80c3461afc6bc3741cc0e549937351a70e3f495b8434b56fc41bebbb6c8c5e521a10923

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Avenue

Filesize
4KB

MD5
2069eaca0c1d1c2d240b2d3b77a91455

SHA1
22e8a0b6f132332a46d30e628d0134195612d114

SHA256
c3bc63097615903a384066ac7a7618e02de868abc9c8a8feea2403b9a8ae4322

SHA512
ef453c6ab8315776ab91ec9f904551d0ee878933f5e9c6565876e7566b07d44324c2f214533ed7471c3982a29a73a6a801732c3796c2874315ef52e219433da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Basketball

Filesize
476KB

MD5
844c2b03ed2b11b358484ea65f798e76

SHA1
238d7f9b6545db39b2e542e3561a4bde06085c3b

SHA256
e625d9213c2b7cd35eaa4994b0dd304a14cd1ffb4a4839574d0a250a388ee30c

SHA512
d4ec17b6133c08d9bd966049513b399cdd0f7f1c2415ee4e4b11ddca48689a63958457602ec1cc2b6dabc5c59c2896fa9d0534c5ead9ff0d0513f69675a4f343

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Charitable

Filesize
265KB

MD5
d3e8861483ea654d69e2fdc92726e48a

SHA1
1e4b3dddb7b130961ac75831117578997377f2ab

SHA256
fdba963c0b76fc75e1da7549d97e21eed56f24b1955c2f760dceca1b39216291

SHA512
b2ada80b8889e5af6ce0dab98ea1846997195e26c7f5fc78c2310acc89dd5c24591ab645ad5488d60f03a7de9f012e273e97081b74ff36cac9ad58ccccb89250

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Classics

Filesize
11KB

MD5
f88b098d7e06201186101c6b920388c7

SHA1
fa7af2010280629ac978b0de72c8f42d109ee3f0

SHA256
dbc682be139069ba97823402d917244174bd35c0b69841b99d1cd3a5865529dc

SHA512
e4745194a21f4fe59acbfc6764971cee83a16e8451ff10a32d48ce20d6f0bfa84307dc819c8645a1191d48cebde6519a9ba4e0cbaf561d23f5b39bb55cfb7048

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Directly

Filesize
256KB

MD5
40573224ccacb0aa66b031a46a38b3a6

SHA1
b4801575615f1576941896edaa81b84b7b8124a9

SHA256
f6bb00459a40530999a6b031550fa3981f2c8b7223193f523cb97b54a8d23339

SHA512
fe60b13e9070e364007241acf94546ce02d383c33e124cb0b9c2a14faa930956a92c0cac1117848cd6e8b0976eaf3cb3da88c6cd0a1b1262964ff64aec884a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Fingers

Filesize
230KB

MD5
88258658a598bf06dff02ad9d69c871a

SHA1
a89aa8f0cc2537074e3963f2cfbb9f866f22584d

SHA256
e452f72364d521f921aa36df8947cc66620eae4376a3520d90b1a0f81e27e547

SHA512
72c0632d6611b102713ac2df74d4b1dd44ef9ea9fb2b88e073d533c13080ccd7af1c0d994d59e9e975e0a999102d6e2c06e0bad39e08fcada9c5811f4d1800f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Mentioned

Filesize
429KB

MD5
73e923577c3b5e9a3f492198198b34c3

SHA1
2e857abf355fafc6f9f13ed676fe9482084a4405

SHA256
3d093c7f529bf4d0314f01b866310658f96fd3c2f64d625d23dbad1f709f8e3d

SHA512
16e9c714dab59e09a495ff6bf6a8d5edb8611558caf328b7e53b6ced2d075de6c8b1e64f0a3b192aae8dd4ae464faf2ec258061ce3fc056b09b26b92eda46e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Pattern

Filesize
200KB

MD5
6c160f6ee90ec3a3b97a8c69e3e0e1b8

SHA1
ecf68690478a785df3b08cfc6b9aaf8d36c345df

SHA256
9434f8010736e971745756e04d2a8b4e5e746a7a0044c2b5b35eadba2e23afb7

SHA512
35c03a54b28cc174f6b2ff6954ec47e7fa1eb6b7a8c9c787a36f642a7c60decbca4ef1bd47fcfd333160a6097198567f9ec65bae39f160e24f0967fe7bf822fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Pdf

Filesize
127KB

MD5
c3776fd0b0dde6ae8e53c264106e2780

SHA1
2eb2350514aa2a58cdf8bb73306dc52384863dd3

SHA256
f5cc892b062fdc65a73397fc8f7bc6998ee37b9e206fbcc02e157e7fbce6f9d6

SHA512
3c37aa86aa590ab0e20130ab81fbfb67f743ff2d54e71915efb0a0ffc4b4f3a67165a066c5b5e229568274295252233ed41161d751403a9d06d1b6ce2a4444c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\23328\Tx

Filesize
107KB

MD5
4caced05a0d5725cc85c1dbe44666d5f

SHA1
e5986f3c3f336adf4577ed490a791da158785657

SHA256
d07219c1214d1347a2d5b01c4abffe0ea7c67fc12f534788022da5240a993739

SHA512
c22ab9bf4b1eb9b2f8bf20bb0628d4ae46a8861d4d6f1e64cce98d7a65c41fa47f3ef297dc3596247927e9db4a4fd40b8db7ab21145663311a96ef79fd5f8410

Download Submit
memory/756-56-0x00000000754D0000-0x00000000756E5000-memory.dmp

Filesize
2.1MB

Download
memory/756-61-0x00000000053B0000-0x00000000057B0000-memory.dmp

Filesize
4.0MB

Download
memory/756-54-0x00007FFE45A90000-0x00007FFE45C85000-memory.dmp

Filesize
2.0MB

Download
memory/756-53-0x00000000053B0000-0x00000000057B0000-memory.dmp

Filesize
4.0MB

Download
memory/756-44-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download
memory/756-60-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/756-47-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/756-48-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/756-49-0x00000000053B0000-0x00000000057B0000-memory.dmp

Filesize
4.0MB

Download
memory/756-50-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/756-52-0x00000000053B0000-0x00000000057B0000-memory.dmp

Filesize
4.0MB

Download
memory/756-51-0x00000000053B0000-0x00000000057B0000-memory.dmp

Filesize
4.0MB

Download
memory/1604-62-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1604-57-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/1604-63-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1604-65-0x00007FFE45A90000-0x00007FFE45C85000-memory.dmp

Filesize
2.0MB

Download
memory/1604-64-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/1604-67-0x00000000754D0000-0x00000000756E5000-memory.dmp

Filesize
2.1MB

Download
memory/1604-68-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/2044-40-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2044-39-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2044-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4412-42-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/4412-26-0x0000000077611000-0x0000000077731000-memory.dmp

Filesize
1.1MB

Download