rhadamanthys | fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3

General

Target

BACONWARE V3.0.exe
Size

4.8MB
MD5

f3b1dd838a59c419431c5aa86c1a4feb
SHA1

85ac1eb8a03bedcfbc3d44cedeb802f5cae2ea0a
SHA256

fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3
SHA512

dbaac6b3c531cd84eac6a9440534d18cbc599826357b1efe36cdd16be163bd68c6ddd4d3211efca0d5e8c2ca6868cfb0fb3c3e0584c515b89e1ab1cac8ef6889
SSDEEP

98304:1vW7Ru1fkpfVmr/V9JfzD+p05u9qgo67Smy9BHbCMMjgml7/lg+QXcAz:JibHmTJfzAyQRoRmA1H8eFsA

Score

10^/10

rhadamanthys pyinstaller stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2884 created 1188	2884	svchost.exe	21

Executes dropped EXE 3 IoCs

pid	Process
2884	svchost.exe
2560	explorer.exe
2072	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
1540	BACONWARE V3.0.exe
1540	BACONWARE V3.0.exe
1540	BACONWARE V3.0.exe
2560	explorer.exe
2072	explorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001874c-33.dat	upx
behavioral1/memory/2072-37-0x000007FEF6090000-0x000007FEF64F6000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0010000000014dae-13.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1664	powershell.exe
2884	svchost.exe
2884	svchost.exe
2396	dialer.exe
2396	dialer.exe
2396	dialer.exe
2396	dialer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1664	1540	BACONWARE V3.0.exe	28
PID 1540 wrote to memory of 1664	1540	BACONWARE V3.0.exe	28
PID 1540 wrote to memory of 1664	1540	BACONWARE V3.0.exe	28
PID 1540 wrote to memory of 1664	1540	BACONWARE V3.0.exe	28
PID 1540 wrote to memory of 2884	1540	BACONWARE V3.0.exe	30
PID 1540 wrote to memory of 2884	1540	BACONWARE V3.0.exe	30
PID 1540 wrote to memory of 2884	1540	BACONWARE V3.0.exe	30
PID 1540 wrote to memory of 2884	1540	BACONWARE V3.0.exe	30
PID 1540 wrote to memory of 2560	1540	BACONWARE V3.0.exe	31
PID 1540 wrote to memory of 2560	1540	BACONWARE V3.0.exe	31
PID 1540 wrote to memory of 2560	1540	BACONWARE V3.0.exe	31
PID 1540 wrote to memory of 2560	1540	BACONWARE V3.0.exe	31
PID 2560 wrote to memory of 2072	2560	explorer.exe	32
PID 2560 wrote to memory of 2072	2560	explorer.exe	32
PID 2560 wrote to memory of 2072	2560	explorer.exe	32
PID 2884 wrote to memory of 2396	2884	svchost.exe	33
PID 2884 wrote to memory of 2396	2884	svchost.exe	33
PID 2884 wrote to memory of 2396	2884	svchost.exe	33
PID 2884 wrote to memory of 2396	2884	svchost.exe	33
PID 2884 wrote to memory of 2396	2884	svchost.exe	33
PID 2884 wrote to memory of 2396	2884	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\BACONWARE V3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\BACONWARE V3.0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
- - C:\Users\Admin\AppData\Local\explorer.exe
    "C:\Users\Admin\AppData\Local\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\explorer.exe
      "C:\Users\Admin\AppData\Local\explorer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2072
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25602\python310.dll

Filesize
1.4MB

MD5
3f782cf7874b03c1d20ed90d370f4329

SHA1
08a2b4a21092321de1dcad1bb2afb660b0fa7749

SHA256
2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6

SHA512
950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

Download Submit
\Users\Admin\AppData\Local\explorer.exe

Filesize
4.4MB

MD5
ce453607540a4b0e0c88476042d31791

SHA1
9fe09b42424e044a7c11aea2f214a3d86de8f5a1

SHA256
9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c

SHA512
f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
355KB

MD5
2ef91bf37b3da8cad6751b665bd4e6af

SHA1
5c15bbc721f91855388861d378cf9d26a140cead

SHA256
5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7

SHA512
16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3

Download Submit
memory/1540-11-0x00000000024C0000-0x000000000252D000-memory.dmp

Filesize
436KB

Download
memory/1540-12-0x00000000024C0000-0x000000000252D000-memory.dmp

Filesize
436KB

Download
memory/1664-39-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-38-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-40-0x0000000002DC0000-0x0000000002E00000-memory.dmp

Filesize
256KB

Download
memory/1664-41-0x0000000002DC0000-0x0000000002E00000-memory.dmp

Filesize
256KB

Download
memory/1664-42-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2072-37-0x000007FEF6090000-0x000007FEF64F6000-memory.dmp

Filesize
4.4MB

Download
memory/2396-53-0x0000000001CB0000-0x00000000020B0000-memory.dmp

Filesize
4.0MB

Download
memory/2396-59-0x0000000001CB0000-0x00000000020B0000-memory.dmp

Filesize
4.0MB

Download
memory/2396-57-0x0000000076370000-0x00000000763B7000-memory.dmp

Filesize
284KB

Download
memory/2396-58-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2396-56-0x0000000001CB0000-0x00000000020B0000-memory.dmp

Filesize
4.0MB

Download
memory/2396-54-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2396-50-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2884-43-0x0000000000A00000-0x0000000000E00000-memory.dmp

Filesize
4.0MB

Download
memory/2884-51-0x0000000001320000-0x000000000138D000-memory.dmp

Filesize
436KB

Download
memory/2884-49-0x0000000076370000-0x00000000763B7000-memory.dmp

Filesize
284KB

Download
memory/2884-47-0x0000000000A00000-0x0000000000E00000-memory.dmp

Filesize
4.0MB

Download
memory/2884-46-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2884-45-0x0000000000A00000-0x0000000000E00000-memory.dmp

Filesize
4.0MB

Download
memory/2884-15-0x0000000001320000-0x000000000138D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing