rhadamanthys | 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14

Analysis

max time kernel
196s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
Size

938KB
MD5

9e64b65535e29ec152642d8bdcb22974
SHA1

5431aa7526ba193c0a92afffe2537bc54f51a0ba
SHA256

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14
SHA512

f895c62431502fa92d36b5e0cb929b4957ca41f9253dadecd6a06153dc566e12a5d835a162f6aeb0e8ea1eb1fb9c65ab716f7c43faca0672aff37900c56b156e
SSDEEP

24576:cbSLx7bBqTC9oA414OYDsSyMZblh50gjuQk47blB7uFujRVeYr4c:GS79qK4cDs6q7QX7bl1u6LzMc

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Detects DLL dropped by Raspberry Robin. 2 IoCs

Raspberry Robin.

Processes:

resource	yara_rule
behavioral2/memory/372-54-0x0000000075000000-0x00000000751C2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/2772-64-0x0000000075000000-0x00000000751C2000-memory.dmp	Raspberry_Robin_DLL_MAY_2022

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Pleasure.pif

description pid process target process

PID 372 created 2588 372 Pleasure.pif sihost.exe
Executes dropped EXE 1 IoCs

Processes:

Pleasure.pif

pid process

372 Pleasure.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

528 372 WerFault.exe Pleasure.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3940 tasklist.exe
32 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2748 PING.EXE

description	pid	process	target process
PID 372 created 2588	372	Pleasure.pif	sihost.exe

pid	pid_target	process	target process
528	372	WerFault.exe	Pleasure.pif

pid	process
3940	tasklist.exe
32	tasklist.exe

pid	process
2748	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Pleasure.pifdialer.exe

pid	process
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
372	Pleasure.pif
2772	dialer.exe
2772	dialer.exe
2772	dialer.exe
2772	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 3940 tasklist.exe
Token: SeDebugPrivilege 32 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Pleasure.pif

pid process

372 Pleasure.pif
372 Pleasure.pif
372 Pleasure.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Pleasure.pif

pid process

372 Pleasure.pif
372 Pleasure.pif
372 Pleasure.pif

description	pid	process
Token: SeDebugPrivilege	3940	tasklist.exe
Token: SeDebugPrivilege	32	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.execmd.exePleasure.pif

description	pid	process	target process
PID 4588 wrote to memory of 2716	4588	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	cmd.exe
PID 4588 wrote to memory of 2716	4588	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	cmd.exe
PID 4588 wrote to memory of 2716	4588	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	cmd.exe
PID 2716 wrote to memory of 3940	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 3940	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 3940	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 1284	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 1284	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 1284	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 32	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 32	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 32	2716	cmd.exe	tasklist.exe
PID 2716 wrote to memory of 208	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 208	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 208	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 5084	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 5084	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 5084	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 4624	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 4624	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 4624	2716	cmd.exe	findstr.exe
PID 2716 wrote to memory of 4540	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 4540	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 4540	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 372	2716	cmd.exe	Pleasure.pif
PID 2716 wrote to memory of 372	2716	cmd.exe	Pleasure.pif
PID 2716 wrote to memory of 372	2716	cmd.exe	Pleasure.pif
PID 2716 wrote to memory of 2748	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2748	2716	cmd.exe	PING.EXE
PID 2716 wrote to memory of 2748	2716	cmd.exe	PING.EXE
PID 372 wrote to memory of 2772	372	Pleasure.pif	dialer.exe
PID 372 wrote to memory of 2772	372	Pleasure.pif	dialer.exe
PID 372 wrote to memory of 2772	372	Pleasure.pif	dialer.exe
PID 372 wrote to memory of 2772	372	Pleasure.pif	dialer.exe
PID 372 wrote to memory of 2772	372	Pleasure.pif	dialer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2588

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Users\Admin\AppData\Local\Temp\6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
"C:\Users\Admin\AppData\Local\Temp\6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:1284

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
cmd /c md 337843
3⤵
PID:5084

C:\Windows\SysWOW64\findstr.exe
findstr /V "AdditionUnitKoreanLn" Remembered
3⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Pitch + Twelve + Conditions + Venture + Pushing 337843\Q
3⤵
PID:4540

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\337843\Pleasure.pif
337843\Pleasure.pif 337843\Q
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 828
4⤵
- Program crash
PID:528

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\337843\Pleasure.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\337843\Q
Filesize
914KB

MD5
7535dacd1db48aaecbd143ac2e4383ff

SHA1
500d36d481a7fae9df2532f24df79266751cde93

SHA256
083f1026f00a8c883ba95759500774ed25ec8340a02073afdf80dd9bd2e544e4

SHA512
1afb6df2c3946aa021020c7a032d231631030952f0361dfad549d774857c33894361f4587686d995eebdd5d95619777e1c0cc7a044b942c23699d48fe58722e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Auckland
Filesize
74KB

MD5
9b4ad010dc092a4d7b7699e577390958

SHA1
d1b8c396b8e49c79ab605529b5fec82b6a506b79

SHA256
119a9c99de92ff7120d13728d4072621c9bdfb85d36facab811cf83e80b74fab

SHA512
8fd40e237b8b03abf309c78919dce5897a212b224a92b844226361d9e1ca5009028c0109375ac6290bc46f21840c7ab114234a9adb1cf0434fd40d90bc2d0290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cocks
Filesize
122KB

MD5
b9714867bc6e583009230599df277c2b

SHA1
504267f0b3b51522ee71ba300ce0370d59505b19

SHA256
ac07f0dfa71fa1b1026c7f0e2a3046414b98d07e2479ecf7078c575217ff456b

SHA512
575174fe8fbc0abc84b04b7957224dfbe974e22472a8e58eadcfd4dcd39989f43aa00aca3a3397d2dac78dc06786bbcc4b1db9fa6a9d9a3a2771b00bd5494f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Conditions
Filesize
215KB

MD5
9dd0467128c91617e43502cbc8b0c1e6

SHA1
113d0ad7a1941d8786625b1197b7e8f4bd401206

SHA256
957d74674e855e80e0cdaf147e27b52a02fd9fc4c52321aa5d99140ea54c22fc

SHA512
74f2f5e7b271145996df6ab791e8c336eed73ec9d2afc1cca72005e40ee47898e4d41774568fd2f62950555b41de57814262db21b4bab3e33fa5ca61100c5971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Japanese
Filesize
169KB

MD5
8447b70981dcb2bb39d095e9985d954a

SHA1
d01c0108e80a6c0e798903e87a53b2e1ef254620

SHA256
14eb95df77e971931661ebca90d3195e43648d27a7aff882409fe5bd47a515e4

SHA512
30a1a18c8b73e3277518493aa10eb247e56ba5b684d2349d625688d0a75e435e7d7dfa8e6c31fa4198c8c11c8a8ebfb570d1cf31db20e2850b96b3d0a5ec5c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lessons
Filesize
100KB

MD5
84ace9f7f9a3493073e3fab9cb9b90fb

SHA1
aac5be0f9a1ebd056e553251041e6e7466b187b1

SHA256
8c199bb3752164de1f809e533f9b55228ee64b55b4c838aa246cfc8989f873bc

SHA512
256038ac9b67b33787e394cd787be297d32692043184ea88ed95676e9096d3bb6161fe721e369bff3f732d1dafeed3eca5448195088f26bcb2479228da2469a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Master
Filesize
71KB

MD5
535e0993b8a71b832b27c39097da8b31

SHA1
d5c0c8a37622e6fe455b6f6654dbedc019f10389

SHA256
5dc66e813e39aaa932674af4b40aae95d9ef80fc00de939d7acb4ca9e0a9a945

SHA512
d0234cbeb6df861eb378006e8df22164ae1d6b891a26ea3b4d47a8144f8e04e67da66fbedbefd6135da9b732d2d72307a80f16d726fbea60647b928512be8167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pitch
Filesize
236KB

MD5
fabfb469e08a6a1e74285f668454d1a6

SHA1
d425707f875b08f148078d4f61701dc1864c4f43

SHA256
f9a73b798f5dd9133b44dab7dafd3a307fc28502a9d909cfa430cd90f19665e8

SHA512
efda2843221df36c7d523245283ff88356de7280054d95a9641d69735636ea5b8a0718d6c044f1666172eb1eb11d2e692cba62d78b5679b7655b2eb518708bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Publication
Filesize
94KB

MD5
906432d9dda34454d048883e0865c632

SHA1
8ff107a856f221e0900608b835dcbb69de5fdecc

SHA256
8a9e8d8720e27de614c0ffc3fd4207761cd5e07df11441d0357de45a9f3b396e

SHA512
7e50fc5bb6765a231d48366fde33a2ffe465b3677e11fd6a960c99ada7ecdf5dc74ecff124df18d272e840859b3186a4e442daed5134a12caf32770f329ac2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pushing
Filesize
50KB

MD5
471e80e5a83a78b2207ca980db84fb35

SHA1
10f508f334cd8dffd0b97d972b9061179ddb42f8

SHA256
affb25dd0fbd0516ea94f7a242b4457458af3385d57eabc53b75a4d1aa7bb828

SHA512
87edbaebf44066ffbb0cffe45dd0532d48254e25022b79894ff702408adc718314f3c20edfb197b880781ff06c4f678b991b97f309b7778a9b75e133b9c8a559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Remembered
Filesize
218B

MD5
a9161cabc486b999896b60a235427f7f

SHA1
40927b07b516314eb46745e0cd843bf7d8abeaf2

SHA256
d9645c520b048bdb1a7774c4d376149966eee672e0218fe28c76c76a903b4e58

SHA512
e669609a5d170b1f5d6f397e1828f3980a003c901b46c3385a21a1438f20df812066f722aa9c4eef010bc41571f26315fe95bc3719d34bddc89d72b215cda48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scenes
Filesize
15KB

MD5
e968549e1590f4d87f026f40231c0503

SHA1
64bb1b1df57209efdb29489024ab65c0f205895c

SHA256
37b4c4e81a6c7176e630fb0cf1a80f5935c405030c02e184a51d6c07f490956e

SHA512
f997a3c09196b38422c2142eb5ffadaa7575d44ba6ac498f99796be4866ddf7b73a6948fb5a501bb14d8346517ee2aa3830351ef0c32dd14c7c1405e1695f894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Speak
Filesize
161KB

MD5
7017f4ece055f6d7321764437f911b23

SHA1
33db2eb3a3d1daba3d1216c31ddacb45460bba78

SHA256
2850a0cf772db3e80e2714b3951e05db7eb181d4c5cfa2682d515738e06f6b72

SHA512
5d97fce71b28170325ad0257165418897fc163904ac25d324e81fd2be8e08a93701d56ebfab21f43e6e94086f94514b80fcb902c8f3d93430dad0f28e09e53cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spectrum
Filesize
81KB

MD5
738da057ae796ca14e8506e15e5cc603

SHA1
823f5ad7957bc0d0dec36610ce695d8f5e641e54

SHA256
da17ae9e33f991657a53ff8425efa8f451069d2293c315ca7c93cb780e52c831

SHA512
d9859856a69626c510b06a7602b8b727cfd0a1f96d85d1c863d212f757ed1926dae1e7625f9ffac13289cc3abb80ad6ce7dda829ead4333b4e237ea1e25e689d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Twelve
Filesize
213KB

MD5
a20592f9c9f363a59627c5315675cd9b

SHA1
1018ab78595abfe0e82a498b74f1ad4cfe0dbb43

SHA256
e9a08f7197db7a358b3a30afa725229a4ed195f8212ec6d740425506afa03095

SHA512
0bad8356c2d7f54f1302587f5267d95e7d4951690514378f88b4c7e0c376a7d73a9ddcf1cdee29ee6ccf0c4c0f9e325535f31ae68a11895926daae736f4fac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Venture
Filesize
200KB

MD5
d0e6b3afaed008a391e30f3298d492dc

SHA1
3998ac9108de444c285f154ea068a9b2eab15732

SHA256
173cfdaeaa9117971a23720b31c84a3a97e9652c310b47a7418dbf0816c99493

SHA512
1f4d3dce84ea40d65bf96f9d6d2a76c9ca33d596f7bddf175250e921532de92d2aca6e1c63a83e1f5cb570bd82b86890e0812ac7a4a90b0a1c170700a2078408

Download Submit
memory/372-40-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-50-0x00000000058C0000-0x0000000005CC0000-memory.dmp

Filesize
4.0MB

Download
memory/372-39-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-37-0x0000000077741000-0x0000000077854000-memory.dmp

Filesize
1.1MB

Download
memory/372-41-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-43-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-44-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-45-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-46-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-47-0x00000000058C0000-0x0000000005CC0000-memory.dmp

Filesize
4.0MB

Download
memory/372-48-0x00000000046B0000-0x000000000471D000-memory.dmp

Filesize
436KB

Download
memory/372-38-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/372-51-0x00007FFE41E90000-0x00007FFE4206B000-memory.dmp

Filesize
1.9MB

Download
memory/372-53-0x00000000058C0000-0x0000000005CC0000-memory.dmp

Filesize
4.0MB

Download
memory/372-54-0x0000000075000000-0x00000000751C2000-memory.dmp

Filesize
1.8MB

Download
memory/372-65-0x00000000058C0000-0x0000000005CC0000-memory.dmp

Filesize
4.0MB

Download
memory/2772-57-0x00007FFE41E90000-0x00007FFE4206B000-memory.dmp

Filesize
1.9MB

Download
memory/2772-60-0x0000000004790000-0x0000000004B90000-memory.dmp

Filesize
4.0MB

Download
memory/2772-63-0x0000000004790000-0x0000000004B90000-memory.dmp

Filesize
4.0MB

Download
memory/2772-64-0x0000000075000000-0x00000000751C2000-memory.dmp

Filesize
1.8MB

Download
memory/2772-55-0x0000000000860000-0x0000000000869000-memory.dmp

Filesize
36KB

Download
memory/2772-66-0x00007FFE41E90000-0x00007FFE4206B000-memory.dmp

Filesize
1.9MB

Download
memory/2772-67-0x0000000004790000-0x0000000004B90000-memory.dmp

Filesize
4.0MB

Download