rhadamanthys | 2f1caea4b57ec875eeabcf3d25c32a559564be15147b1b5ce85522b1fb6c78f0

General

Target

vivo Договор на оказание рекламных услуг.scr
Size

55.0MB
MD5

70eac30776d13a02e4b6a5e6963c52b9
SHA1

b7deafce3ff7d7252ed29d6f508a49a6d1b63504
SHA256

b563a0d625aa148c992413947b2d3ceae678c27fd6d1eadf8e9eb3e10d5206f5
SHA512

fab91b7ba11ff12d2bfa2f2d2c260fa15a8b1543c108c3d81337a74d3933b7c9dc73b866ce3f294414aab031d646c52ea86251fe020501c11ff50ae2cc78a391
SSDEEP

196608:8xGxCrar4+WnAL3fljyBTEbAdoaU7wtq9oaqN:VxCGUnAL3OEEdou20N

Score

10^/10

rhadamanthys persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2532 created 2540	2532	vivo Договор на оказание рекламных услуг.scr	42

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTITITII = "C:\\Users\\Admin\\Documents\\OOO20\\MFDJFDJ.exeЀ"	vivo Договор на оказание рекламных услуг.scr

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	2532	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2532	vivo Договор на оказание рекламных услуг.scr
2532	vivo Договор на оказание рекламных услуг.scr
1900	dialer.exe
1900	dialer.exe
1900	dialer.exe
1900	dialer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2532	4848	vivo Договор на оказание рекламных услуг.scr	88
PID 4848 wrote to memory of 2532	4848	vivo Договор на оказание рекламных услуг.scr	88
PID 4848 wrote to memory of 2532	4848	vivo Договор на оказание рекламных услуг.scr	88
PID 4848 wrote to memory of 2532	4848	vivo Договор на оказание рекламных услуг.scr	88
PID 4848 wrote to memory of 2532	4848	vivo Договор на оказание рекламных услуг.scr	88
PID 2532 wrote to memory of 1900	2532	vivo Договор на оказание рекламных услуг.scr	89
PID 2532 wrote to memory of 1900	2532	vivo Договор на оказание рекламных услуг.scr	89
PID 2532 wrote to memory of 1900	2532	vivo Договор на оказание рекламных услуг.scr	89
PID 2532 wrote to memory of 1900	2532	vivo Договор на оказание рекламных услуг.scr	89
PID 2532 wrote to memory of 1900	2532	vivo Договор на оказание рекламных услуг.scr	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900

C:\Users\Admin\AppData\Local\Temp\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\AppData\Local\Temp\vivo Договор на оказание рекламных услуг.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\vivo Договор на оказание рекламных услуг.scr
  "C:\Users\Admin\AppData\Local\Temp\vivo Договор на оказание рекламных услуг.scr"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 444
    3⤵
    - Program crash
    PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2532 -ip 2532
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-13-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/1900-20-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1900-17-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

Filesize
2.0MB

Download
memory/1900-19-0x00000000750A0000-0x00000000752B5000-memory.dmp

Filesize
2.1MB

Download
memory/1900-15-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1900-16-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/2532-6-0x00000000000D0000-0x000000000015B000-memory.dmp

Filesize
556KB

Download
memory/2532-8-0x00000000042A0000-0x00000000046A0000-memory.dmp

Filesize
4.0MB

Download
memory/2532-9-0x00000000042A0000-0x00000000046A0000-memory.dmp

Filesize
4.0MB

Download
memory/2532-10-0x00007FFC84B70000-0x00007FFC84D65000-memory.dmp

Filesize
2.0MB

Download
memory/2532-7-0x0000000010900000-0x0000000011E71000-memory.dmp

Filesize
21.4MB

Download
memory/2532-12-0x00000000750A0000-0x00000000752B5000-memory.dmp

Filesize
2.1MB

Download
memory/2532-3-0x00000000000D0000-0x000000000015B000-memory.dmp

Filesize
556KB

Download
memory/4848-4-0x0000000010900000-0x0000000011E71000-memory.dmp

Filesize
21.4MB

Download
memory/4848-1-0x000000001090A000-0x0000000010924000-memory.dmp

Filesize
104KB

Download
memory/4848-2-0x0000000010900000-0x0000000011E71000-memory.dmp

Filesize
21.4MB

Download
memory/4848-0-0x0000000010900000-0x0000000011E71000-memory.dmp

Filesize
21.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads