rhadamanthys | fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

4.8MB
MD5

f3b1dd838a59c419431c5aa86c1a4feb
SHA1

85ac1eb8a03bedcfbc3d44cedeb802f5cae2ea0a
SHA256

fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3
SHA512

dbaac6b3c531cd84eac6a9440534d18cbc599826357b1efe36cdd16be163bd68c6ddd4d3211efca0d5e8c2ca6868cfb0fb3c3e0584c515b89e1ab1cac8ef6889
SSDEEP

98304:1vW7Ru1fkpfVmr/V9JfzD+p05u9qgo67Smy9BHbCMMjgml7/lg+QXcAz:JibHmTJfzAyQRoRmA1H8eFsA

Score

10^/10

rhadamanthys execution pyinstaller stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2756 created 1196	2756	svchost.exe	21

Executes dropped EXE 3 IoCs

pid	Process
2756	svchost.exe
2568	explorer.exe
2556	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	Launcher.exe
3056	Launcher.exe
3056	Launcher.exe
2568	explorer.exe
2556	explorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d5e-33.dat	upx
behavioral1/memory/2556-35-0x000007FEF67B0000-0x000007FEF6C16000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x003400000001471d-17.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2756	svchost.exe
2756	svchost.exe
1284	powershell.exe
1576	dialer.exe
1576	dialer.exe
1576	dialer.exe
1576	dialer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 1284	3056	Launcher.exe	28
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2756	3056	Launcher.exe	30
PID 3056 wrote to memory of 2568	3056	Launcher.exe	31
PID 3056 wrote to memory of 2568	3056	Launcher.exe	31
PID 3056 wrote to memory of 2568	3056	Launcher.exe	31
PID 3056 wrote to memory of 2568	3056	Launcher.exe	31
PID 2568 wrote to memory of 2556	2568	explorer.exe	32
PID 2568 wrote to memory of 2556	2568	explorer.exe	32
PID 2568 wrote to memory of 2556	2568	explorer.exe	32
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33
PID 2756 wrote to memory of 1576	2756	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2756
- - C:\Users\Admin\AppData\Local\explorer.exe
    "C:\Users\Admin\AppData\Local\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\explorer.exe
      "C:\Users\Admin\AppData\Local\explorer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2556
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI25682\python310.dll

Filesize
1.4MB

MD5
3f782cf7874b03c1d20ed90d370f4329

SHA1
08a2b4a21092321de1dcad1bb2afb660b0fa7749

SHA256
2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6

SHA512
950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

Download Submit
C:\Users\Admin\AppData\Local\explorer.exe

Filesize
4.4MB

MD5
ce453607540a4b0e0c88476042d31791

SHA1
9fe09b42424e044a7c11aea2f214a3d86de8f5a1

SHA256
9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c

SHA512
f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
355KB

MD5
2ef91bf37b3da8cad6751b665bd4e6af

SHA1
5c15bbc721f91855388861d378cf9d26a140cead

SHA256
5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7

SHA512
16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3

Download Submit
memory/1576-43-0x00000000000D0000-0x00000000000D9000-memory.dmp

Filesize
36KB

Download
memory/1576-49-0x0000000075E90000-0x0000000075ED7000-memory.dmp

Filesize
284KB

Download
memory/1576-47-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/1576-46-0x0000000001D60000-0x0000000002160000-memory.dmp

Filesize
4.0MB

Download
memory/2556-35-0x000007FEF67B0000-0x000007FEF6C16000-memory.dmp

Filesize
4.4MB

Download
memory/2756-44-0x0000000000830000-0x000000000089D000-memory.dmp

Filesize
436KB

Download
memory/2756-40-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2756-42-0x0000000075E90000-0x0000000075ED7000-memory.dmp

Filesize
284KB

Download
memory/2756-39-0x0000000002EA0000-0x00000000032A0000-memory.dmp

Filesize
4.0MB

Download
memory/2756-38-0x0000000002EA0000-0x00000000032A0000-memory.dmp

Filesize
4.0MB

Download
memory/2756-12-0x0000000000830000-0x000000000089D000-memory.dmp

Filesize
436KB

Download
memory/3056-10-0x0000000002220000-0x000000000228D000-memory.dmp

Filesize
436KB

Download
memory/3056-11-0x0000000002220000-0x000000000228D000-memory.dmp

Filesize
436KB

Download