rhadamanthys | 5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
Size

3.7MB
MD5

2aab0f3bbdd8818453e227105c4a7acd
SHA1

83fbd5e73c322ee2bcf28dc8bf8b0a38d0994683
SHA256

5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96
SHA512

8772952f5a19c658c863fed8f72b61f755cc4a9b45a861464f8605f165081140bca232520fa0dac10c49cc581123a4abec94b930fb93b1296b1fb45a6929e641
SSDEEP

98304:KfUbmJehf++JJFSP/h3GhBYr1pgAWQc6lbfRIhRItWPt26ma:KfUSJsjfSP/hGjGBNDfChCtWPc6ma

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 3996 created 2728 3996 explorer.exe sihost.exe
Executes dropped EXE 3 IoCs

Processes:

5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exeptSrv.exeptSrv.exe

pid process

220 5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
4332 ptSrv.exe
3628 ptSrv.exe

description	pid	process	target process
PID 3996 created 2728	3996	explorer.exe	sihost.exe

Loads dropped DLL 8 IoCs

Processes:

5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exeptSrv.exeptSrv.exe

pid	process
220	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
4332	ptSrv.exe
4332	ptSrv.exe
4332	ptSrv.exe
3628	ptSrv.exe
3628	ptSrv.exe
3628	ptSrv.exe
3628	ptSrv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ptSrv.exe

description pid process target process

PID 3628 set thread context of 2012 3628 ptSrv.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3628 set thread context of 2012	3628	ptSrv.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ptSrv.exeptSrv.execmd.exeexplorer.exedialer.exe

pid	process
4332	ptSrv.exe
3628	ptSrv.exe
3628	ptSrv.exe
2012	cmd.exe
2012	cmd.exe
3996	explorer.exe
3996	explorer.exe
5096	dialer.exe
5096	dialer.exe
5096	dialer.exe
5096	dialer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ptSrv.execmd.exe

pid process

3628 ptSrv.exe
2012 cmd.exe

pid	process
3628	ptSrv.exe
2012	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exeptSrv.exeptSrv.execmd.exeexplorer.exe

description	pid	process	target process
PID 3276 wrote to memory of 220	3276	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
PID 3276 wrote to memory of 220	3276	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
PID 3276 wrote to memory of 220	3276	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
PID 220 wrote to memory of 4332	220	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	ptSrv.exe
PID 220 wrote to memory of 4332	220	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	ptSrv.exe
PID 220 wrote to memory of 4332	220	5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe	ptSrv.exe
PID 4332 wrote to memory of 3628	4332	ptSrv.exe	ptSrv.exe
PID 4332 wrote to memory of 3628	4332	ptSrv.exe	ptSrv.exe
PID 4332 wrote to memory of 3628	4332	ptSrv.exe	ptSrv.exe
PID 3628 wrote to memory of 2012	3628	ptSrv.exe	cmd.exe
PID 3628 wrote to memory of 2012	3628	ptSrv.exe	cmd.exe
PID 3628 wrote to memory of 2012	3628	ptSrv.exe	cmd.exe
PID 3628 wrote to memory of 2012	3628	ptSrv.exe	cmd.exe
PID 2012 wrote to memory of 3996	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 3996	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 3996	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 3996	2012	cmd.exe	explorer.exe
PID 3996 wrote to memory of 5096	3996	explorer.exe	dialer.exe
PID 3996 wrote to memory of 5096	3996	explorer.exe	dialer.exe
PID 3996 wrote to memory of 5096	3996	explorer.exe	dialer.exe
PID 3996 wrote to memory of 5096	3996	explorer.exe	dialer.exe
PID 3996 wrote to memory of 5096	3996	explorer.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2728

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Users\Admin\AppData\Local\Temp\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
"C:\Users\Admin\AppData\Local\Temp\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\Temp\{5D94142F-AED1-4814-A61F-A903CB0C5137}\.cr\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
"C:\Windows\Temp\{5D94142F-AED1-4814-A61F-A903CB0C5137}\.cr\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\ptSrv.exe
"C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\ptSrv.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Roaming\Rn_Load\ptSrv.exe
"C:\Users\Admin\AppData\Roaming\Rn_Load\ptSrv.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4496738a
Filesize
1.0MB

MD5
8d67dfb0d92af56cf1f56b435905cd6a

SHA1
c40a1fd6610059044ba46f37bad6006527dade7c

SHA256
a6176d35f6de83da6368f0faefb98a22d3ae5dc71989b9b7231aeb5f0dd73e90

SHA512
e4b2bbf684c9eb227e124841003f92e17c4e6ea4a13038138c4ae540efc50ccee69bd9061ca188409d9de8495394babb3780f2effa70bad9b57ad979f0416208

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\MSVCP140.dll
Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\Mutch.dll
Filesize
1.1MB

MD5
f9007f7cf89ced9d00e9005f3369e7d8

SHA1
d9e5bd666c1f8da84103ce9d826cd6693c65076f

SHA256
b9fd3fef63a43ff6dbac6860b6c5fbfb7951a65a37e9520ec583883e39c4f44a

SHA512
fe5a06d59c54fe6343e5d8fb39093bb2783a553e8e5b6be93bbbff83e1c65524f32aa419f372fb2f28a78b1ed669ffdc2eae53f592c9cc07cd560c8598451a31

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\WCLDll.dll
Filesize
590KB

MD5
9005812bebfcc98db95def5b1c9b96f0

SHA1
d85f085c59fe8cca75352399ebc8510e2799bf68

SHA256
8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c

SHA512
c25c4eaef2d40d5294fcd2b15f3065cb3c6cad19cc5c32da4a81b20d99023dbfcccfa5fbc2d79f45892f7d858c04d956f1734d0359054fae9e609a5d604ab0b1

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\aftermath.docx
Filesize
809KB

MD5
f4de6a8f243d0a5060b89519e7210331

SHA1
236f55745ea2fc6a4326f3cced7e1c175c33c8ce

SHA256
d4efba786694d7a7ee2652d05546c334e0b61ba90772bf0360727e93e8858ccb

SHA512
de8c32da4dc2fcb112f13780e42dbeb32e3fcfcf01dff0e461ea0d25a8baaf77959332043a6c2870432296500fb0790aa9d08e71a243ba0e85eb4ec1717945a4

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\catalogue.dbf
Filesize
78KB

MD5
4e830ee77ce676cd0ffba0f25f4a5295

SHA1
4d394eba9c216ec65c92b58c6f775251d25f24c2

SHA256
67c15da093afe087a986749b3815e4ae48d2fafe43e67d7c449b86810793ee9b

SHA512
49514fb8eef57f556abf16bbffd2dfb7a2bccabbe749646a4415604d48aa9a42c2c738df598b35833c908ee9abdb9056d34d3b90c8e4515e8fc96b9c7cb94f95

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\ptMgr.dll
Filesize
2.5MB

MD5
2087eb2d3fb639933ebe0a0614fd5218

SHA1
c1a1b75c8e76e000b7045092bd11100904a72840

SHA256
725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f

SHA512
3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\ptSrv.exe
Filesize
202KB

MD5
64179e64675e822559cac6652298bdfc

SHA1
cceed3b2441146762512918af7bf7f89fb055583

SHA256
c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

SHA512
ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\ptusredt.dll
Filesize
165KB

MD5
3c3e960d59cb413791fee1e944b6df72

SHA1
4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

SHA256
88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

SHA512
85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\vcruntime140.dll
Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Windows\Temp\{0025F44D-4AC1-47F3-9361-F6E86C9411E0}\.ba\wbxtrace.dll
Filesize
103KB

MD5
c23abe2f3b38ac335f8ad738f0a0fe81

SHA1
3c1d6f794e1e24937d363b1b64efec6f66c70a58

SHA256
65c84d766a0d0c2d13db919c4af78da6f35db236158966f27d9634174a7081b4

SHA512
ec888dbaa7f42b66305a77f129ca5678cebb1b2d267bdcd5e2ec6f091e33f7cebba5f5e76541b1fde209d7c9921e31ed34645b07ea3d22bdc05edd3fcbb13a98

Download Submit
C:\Windows\Temp\{5D94142F-AED1-4814-A61F-A903CB0C5137}\.cr\5644d8033adcae58aa3e53ca7756ade4fd238807da435e8703b1b8dcc80b2b96.exe
Filesize
3.6MB

MD5
b802c1014cb0ab929d99eea4c2f47e00

SHA1
d67cc81b85546751cf2097b72ca3a517f8e46af1

SHA256
d623a8b1f6527454caa37eea2ddd90b75fbcec5b17c7d534c5c0b0c7dd48af6c

SHA512
f962d97fd54ea8d1a32403ddb465109e236b67d53b50f57d989e867348050695b607775c01db2c28ab0164857b3ae969cbaa7c50dedeb566a1facc7035698072

Download Submit
memory/2012-63-0x00000000751B0000-0x000000007532B000-memory.dmp

Filesize
1.5MB

Download
memory/2012-60-0x00007FFDA0BB0000-0x00007FFDA0DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3628-53-0x00000000751B0000-0x000000007532B000-memory.dmp

Filesize
1.5MB

Download
memory/3628-54-0x00007FFDA0BB0000-0x00007FFDA0DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3628-55-0x00000000751C2000-0x00000000751C3000-memory.dmp

Filesize
4KB

Download
memory/3628-56-0x00000000751B0000-0x000000007532B000-memory.dmp

Filesize
1.5MB

Download
memory/3628-57-0x00000000751B0000-0x000000007532B000-memory.dmp

Filesize
1.5MB

Download
memory/3996-69-0x0000000004340000-0x0000000004740000-memory.dmp

Filesize
4.0MB

Download
memory/3996-65-0x0000000000CC0000-0x0000000000D2E000-memory.dmp

Filesize
440KB

Download
memory/3996-66-0x00007FFDA0BB0000-0x00007FFDA0DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3996-67-0x0000000000CC0000-0x0000000000D2E000-memory.dmp

Filesize
440KB

Download
memory/3996-70-0x0000000004340000-0x0000000004740000-memory.dmp

Filesize
4.0MB

Download
memory/3996-73-0x0000000076B50000-0x0000000076D65000-memory.dmp

Filesize
2.1MB

Download
memory/3996-77-0x0000000000CC0000-0x0000000000D2E000-memory.dmp

Filesize
440KB

Download
memory/4332-28-0x00007FFDA0BB0000-0x00007FFDA0DA5000-memory.dmp

Filesize
2.0MB

Download
memory/4332-27-0x0000000073B10000-0x0000000073C8B000-memory.dmp

Filesize
1.5MB

Download
memory/5096-74-0x0000000000380000-0x0000000000389000-memory.dmp

Filesize
36KB

Download
memory/5096-78-0x00000000022E0000-0x00000000026E0000-memory.dmp

Filesize
4.0MB

Download
memory/5096-81-0x0000000076B50000-0x0000000076D65000-memory.dmp

Filesize
2.1MB

Download
memory/5096-79-0x00007FFDA0BB0000-0x00007FFDA0DA5000-memory.dmp

Filesize
2.0MB

Download