rhadamanthys | 8d782d769de826212ae7519aae41877acf2a4f35d97067cc996b06c148cc218e

General

Target

IMAGE COPYRIGHTED.exe
Size

1.7MB
MD5

baed25327435936f235a3bb732090e3a
SHA1

b4ee26136d12288f873fea5e93e2dff2e2be8f0b
SHA256

8d782d769de826212ae7519aae41877acf2a4f35d97067cc996b06c148cc218e
SHA512

08f24157e613351ffdedf25520792ed66ec2e159c00ca5693d76ab04aba1d066b4f1392c2e976e627e930c48fc6de8c132aa9fc076063e33ed22fb9d447d7525
SSDEEP

24576:ADxSsqA4BP85DgJrivY05+QaHLOZRykgezVRQdr6WDi3jzyD1qf:ADxSsuBQ6Qe2pgrdel

Score

10^/10

rhadamanthys persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2004 created 1144	2004	IMAGE COPYRIGHTED.exe	20

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\sausageLoop = "C:\\Users\\Admin\\Documents\\lumuiUpdater\\ffUpdaar.exe"	IMAGE COPYRIGHTED.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2004	IMAGE COPYRIGHTED.exe
2004	IMAGE COPYRIGHTED.exe
2988	dialer.exe
2988	dialer.exe
2988	dialer.exe
2988	dialer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 1960 wrote to memory of 2004	1960	IMAGE COPYRIGHTED.exe	28
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29
PID 2004 wrote to memory of 2988	2004	IMAGE COPYRIGHTED.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\IMAGE COPYRIGHTED.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE COPYRIGHTED.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\IMAGE COPYRIGHTED.exe
    "C:\Users\Admin\AppData\Local\Temp\IMAGE COPYRIGHTED.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2004
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-12-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1960-4-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1960-3-0x000000000040A000-0x0000000000424000-memory.dmp

Filesize
104KB

Download
memory/1960-5-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1960-0-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2004-16-0x0000000003F40000-0x0000000004340000-memory.dmp

Filesize
4.0MB

Download
memory/2004-19-0x0000000076A60000-0x0000000076AA7000-memory.dmp

Filesize
284KB

Download
memory/2004-6-0x00000000000D0000-0x000000000014E000-memory.dmp

Filesize
504KB

Download
memory/2004-14-0x00000000000D0000-0x000000000014E000-memory.dmp

Filesize
504KB

Download
memory/2004-15-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2004-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2004-17-0x0000000003F40000-0x0000000004340000-memory.dmp

Filesize
4.0MB

Download
memory/2004-10-0x00000000000D0000-0x000000000014E000-memory.dmp

Filesize
504KB

Download
memory/2988-20-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2988-23-0x00000000008B0000-0x0000000000CB0000-memory.dmp

Filesize
4.0MB

Download
memory/2988-22-0x00000000008B0000-0x0000000000CB0000-memory.dmp

Filesize
4.0MB

Download
memory/2988-27-0x00000000008B0000-0x0000000000CB0000-memory.dmp

Filesize
4.0MB

Download
memory/2988-26-0x0000000076A60000-0x0000000076AA7000-memory.dmp

Filesize
284KB

Download
memory/2988-24-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/2988-28-0x0000000076D51000-0x0000000076E52000-memory.dmp

Filesize
1.0MB

Download
memory/2988-29-0x00000000008B0000-0x0000000000CB0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads