rhadamanthys | 66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
Size

935KB
MD5

e4fbe0286a7802d4a7cd91a3d55d9f3c
SHA1

320869f193d91388ae4c2337a91d7545ca0a201a
SHA256

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d
SHA512

36acfe26eded83721d7d35d9441342ea8e6a61da20ded05493e4cf9a88995ad52dedbd81229f3d31f670adf058b3e1696e8359af60e59dca8db847cd54daad9b
SSDEEP

24576:GbTeCswwSe/fDyBvSGy45nJtYsf8J7f7VvgWncL3f5llrINn9Ra7I7:8vdwH/LyBvg+JKsf8JzFgWcDf5m9M7m

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Ent.pif

description pid process target process

PID 2460 created 2564 2460 Ent.pif sihost.exe

description	pid	process	target process
PID 2460 created 2564	2460	Ent.pif	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe

Executes dropped EXE 1 IoCs

Processes:

Ent.pif

pid process

2460 Ent.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4548 2460 WerFault.exe Ent.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1196 tasklist.exe
692 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1532 PING.EXE

pid	pid_target	process	target process
4548	2460	WerFault.exe	Ent.pif

pid	process
1196	tasklist.exe
692	tasklist.exe

pid	process
1532	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Ent.pifdialer.exe

pid	process
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
2460	Ent.pif
4468	dialer.exe
4468	dialer.exe
4468	dialer.exe
4468	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1196 tasklist.exe
Token: SeDebugPrivilege 692 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Ent.pif

pid process

2460 Ent.pif
2460 Ent.pif
2460 Ent.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Ent.pif

pid process

2460 Ent.pif
2460 Ent.pif
2460 Ent.pif

description	pid	process
Token: SeDebugPrivilege	1196	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.execmd.exeEnt.pif

description	pid	process	target process
PID 220 wrote to memory of 3704	220	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	cmd.exe
PID 220 wrote to memory of 3704	220	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	cmd.exe
PID 220 wrote to memory of 3704	220	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	cmd.exe
PID 3704 wrote to memory of 1196	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 1196	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 1196	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 1356	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 1356	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 1356	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 692	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 692	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 692	3704	cmd.exe	tasklist.exe
PID 3704 wrote to memory of 5104	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 5104	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 5104	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 3248	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 3248	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 3248	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 1804	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 1804	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 1804	3704	cmd.exe	findstr.exe
PID 3704 wrote to memory of 3884	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 3884	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 3884	3704	cmd.exe	cmd.exe
PID 3704 wrote to memory of 2460	3704	cmd.exe	Ent.pif
PID 3704 wrote to memory of 2460	3704	cmd.exe	Ent.pif
PID 3704 wrote to memory of 2460	3704	cmd.exe	Ent.pif
PID 3704 wrote to memory of 1532	3704	cmd.exe	PING.EXE
PID 3704 wrote to memory of 1532	3704	cmd.exe	PING.EXE
PID 3704 wrote to memory of 1532	3704	cmd.exe	PING.EXE
PID 2460 wrote to memory of 4468	2460	Ent.pif	dialer.exe
PID 2460 wrote to memory of 4468	2460	Ent.pif	dialer.exe
PID 2460 wrote to memory of 4468	2460	Ent.pif	dialer.exe
PID 2460 wrote to memory of 4468	2460	Ent.pif	dialer.exe
PID 2460 wrote to memory of 4468	2460	Ent.pif	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2564

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
"C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Legislative Legislative.bat && Legislative.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:1356

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
cmd /c md 1111
3⤵
PID:3248

C:\Windows\SysWOW64\findstr.exe
findstr /V "HOPEDRETURNREVENGEDELAYED" Life
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Would + Interstate + Documentcreatetextnode + Lifestyle 1111\r
3⤵
PID:3884

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1111\Ent.pif
1111\Ent.pif 1111\r
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 904
4⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460
1⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1111\Ent.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1111\r
Filesize
884KB

MD5
96fb4955f0be2a74b566336d363c0cf7

SHA1
ebe07c83ee0529f2fdb1f68782c10db1c337f2d7

SHA256
88ff557c3a950ff880e44f29f90e7da3f089859564c4a1d2ef557caf834acfb1

SHA512
b0c8b639688887e1a75abd665c15f022c478c6ca7f8f0909ecaa5483da81c46b5d4e25449d4511c9cd3e6dea8d93d8d947b13247583bcb580e825d01d6b772e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Documentcreatetextnode
Filesize
227KB

MD5
d69760b152bfa02a204037910a82af49

SHA1
eeaf6fc3c34d38acaa84f2f352401a750d434358

SHA256
48c659b35aa7ca443ddebe96c1b8d5f5527b5a7fee965d9bd89d5a37e5898005

SHA512
11e5581ce53007231f04229965cf6c2b7eab159737f7a42e65684a5255e1e2dc29865a259253077b892c2fc48cc597a936404b2672cbc59e6d457ede213bcaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eminem
Filesize
18KB

MD5
596b8ecdbc8e0f011dfe85af7411dd18

SHA1
89b67e0cade851dbc83b67dccda250d80215dbf2

SHA256
8fbae4a3b2128397534b035fd010967ebe3ecb67403324e782e2781529df946d

SHA512
5d78918719d70e9699010dfb01fb5f145b9460672dc05e51414ca4b53eff42fbcf1bc642a42a2cf27cbf7b7e4eb57935418cf44ea96b9096b15f54e80b151dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fly
Filesize
246KB

MD5
fa7db9b5000c991b67a79b15fda39aba

SHA1
617cdbccc0579f79405022127506a446b9210ab2

SHA256
d6e76247b9145e33387ce0aef49a6540f74c3e86934b86df3801005bd50acec3

SHA512
5ec668d0b93922a835c90077f64939882973973088c9a6559260f233d49d2fd0e90149ec80d1e2870d3fd2dbc5d802cc5c584eb302f6f2d0460592e76bae45b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interstate
Filesize
228KB

MD5
4d12a68c93c9c812e5d773f34cc0f34c

SHA1
82c4417cdab26c51ab504a5575cb830a72cb4109

SHA256
a357856aca612a451706906b80059d4849165191f476b1e6d6cab94443a71aa7

SHA512
66df8f2b58e75587478fec5c281f04c28e0af0e0a4bd4343296131dfcce0948a863d305b9a0b0a584d102a74312a9c5c9a491a9e16c1ef7d4e4e13fb9ba09873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Invite
Filesize
62KB

MD5
85b7677a3b8f96b14664013d215b806b

SHA1
29690789d7e3a4b577809d728a7fb0a7b794b03c

SHA256
1397f24c2a9f41208024a1fd6ee11d825b780626b606fb2f32998443c7be415e

SHA512
2438ef98e33d004474f32134b921482c46e2d8f73362699c3e28a718d82c04f37abac41ef5a106b0c94167257922542d0eece0b0a264fb981148f26a35410622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Legislative
Filesize
29KB

MD5
7835e82b306158158296241ae8c9bcc8

SHA1
c833574a2b85a363088cf3a154297381ed399262

SHA256
88761cfbe7839c89939ac085f8b3b2dbf563e79e041173255130d63340be28c3

SHA512
8ab937a07ebce76e36899c1c124c09c52920fb75d59b417937545013bde256f3c108432bc594ea8e682d45aa78d041c5c0d531e975d2542c53f8256164d65cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Life
Filesize
95B

MD5
9730be7ca992763ce7e46a31bf891f9d

SHA1
7653922a59ff43a09a2df8f0d4be3e959923c7cc

SHA256
ff2e1c3901a0f928bc18302c2f138866f183e6ebea4118cd254723d2addb3bfd

SHA512
9602339d3b56019ce98224c2a03730c58b94f8f85d30b3ce05249ae45b0efb3fefa4c9cfbf5978d445cbaf01a364bd9c2beaabfff062e220dfe1efb1d1b89143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lifestyle
Filesize
216KB

MD5
d11334e857587fed4083f21f1aad0832

SHA1
5a14a3b025c4b88914a85b731503d674328ea494

SHA256
b1f1d6dec9e24797161d8159fe78b1e2664431904c7de6c39bfa3043bdc192ff

SHA512
c347d4daeb23ae3068ab0ff441483fe5ca2b6cb7abe6d0e1dc21706c35e0cc4fa94f0c89177af575dfd257ba7d59ab4586c9425202dd2eb67974204f6adfc19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lit
Filesize
67KB

MD5
4b67a1dce52ac959384f18d92d4cea33

SHA1
71741326e1d30f80bc4d93df83678e8137695e8d

SHA256
f45ce9898b27b528deb4797dbc360dbd61abf0bc6706909bea1aaf7bc6ceb5b3

SHA512
fb45144ccf35ea68fd258ae14591502922e8046db12d22692a00e46c61cfe80c77e5fb63d1d1062dd9081928055797e6a98d042ae7f4367a2b832729f6346a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Protect
Filesize
16KB

MD5
2992415204f328038c186bdb7ba5ae86

SHA1
fb0dc067051315a81ec9f60a180e60c6f543cb26

SHA256
9b4e34f7125ef28f7aa04cdfb88359fbcad7b6657b88ab17d8bcf2a059c6bd4c

SHA512
d1884ea3ebade1dbfd22392c78b7ddb23b183df181e5f8383845c7ffd046f64be581a125ee8372424ca9fbf27fd36d1055fd4e0f3944b901831d14f02cb64885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Record
Filesize
164KB

MD5
2a397d51da3949fe228dbd3438233a29

SHA1
0f5e7aabffdcee7069243ae0837fe591e20b4752

SHA256
6c0efe34e2d39f7132d9771ccb264f8e04658a3be47b20884a372fe6cba0e1c0

SHA512
b33338bf8b4e9aa171987776dcd199b4420742fadd8dd4cda10f9a38a40c44166c48f1fdc21ee6dbab70f24f566eb1f12fc4604b1c96785f2fc4544dbe5f63f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rome
Filesize
53KB

MD5
bb5aaeb374f59a4203c2f6d11502978c

SHA1
07801c312468601289eb0b3c1dc2993ce910c0eb

SHA256
06fdf3480808187764fe12263003716492d7ab5d01671c290be3bdd1b56efb26

SHA512
1c0c496d59eb2c990e9320f196c5dee0c0db97409ddad3f522da0e483cd9865efe0e76f3f21419d1c3ca8d457f7c6bf1c4c2d066642029920f2cd8108b8b6891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Southampton
Filesize
246KB

MD5
f87c8703ee712dc6ef0aaa968ea2eaae

SHA1
a4aef7e9f12e96e475cdad4c0e23e77e30fe7c60

SHA256
f1c45d16156c7ee2db1082b1c0f4a092ba23dcf6a021ebe3ccea7d9e9494358a

SHA512
d4eee768fe4e89f23b023d487fb522f0ed85e23970615e7169b88fce1c93670f6b3cac0f08dad9d15e6604858c4d25fd211b0eb96f002f73c064fee830455cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Would
Filesize
213KB

MD5
c0a4f917f959c0099ff4341a6f9178e4

SHA1
50b15915c04f02ad905d7fc3faefad4899e3eb74

SHA256
0915f627a18a4bf6b142829d81d1d013a98ccd27f9b16b33967bb0a5b0cc39b8

SHA512
575d03749b42ea2deeff55d5c383696b69a1b6280e3e62e08ed41be130446b052a4daa0a3f4b1e2f2bb751e58a3f82d75d61d89b10165c7b540c5a60855f4d72

Download Submit
memory/2460-37-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-48-0x00007FFF889B0000-0x00007FFF88BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2460-35-0x0000000077191000-0x00000000772B1000-memory.dmp

Filesize
1.1MB

Download
memory/2460-38-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-39-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-41-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-42-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-43-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-44-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-45-0x00000000066E0000-0x0000000006AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-47-0x00000000054B0000-0x000000000551D000-memory.dmp

Filesize
436KB

Download
memory/2460-36-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2460-46-0x00000000066E0000-0x0000000006AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-49-0x00000000066E0000-0x0000000006AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-51-0x00000000066E0000-0x0000000006AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-58-0x00000000066E0000-0x0000000006AE0000-memory.dmp

Filesize
4.0MB

Download
memory/2460-52-0x0000000076900000-0x0000000076B15000-memory.dmp

Filesize
2.1MB

Download
memory/4468-56-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/4468-53-0x0000000000EF0000-0x0000000000EF9000-memory.dmp

Filesize
36KB

Download
memory/4468-60-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/4468-59-0x00007FFF889B0000-0x00007FFF88BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4468-62-0x0000000076900000-0x0000000076B15000-memory.dmp

Filesize
2.1MB

Download
memory/4468-63-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download