rhadamanthys | b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186

General

Target

b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe
Size

2.5MB
MD5

135a429806034bd99cf913a3d6c19aa5
SHA1

3d801912d0d61535764506962e0e8f248319a3cd
SHA256

b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186
SHA512

fdebb8556baa1bb273fc04532e6594005a7c1c972e501b1f5e95046c2252363f2b81c0948d42c535fd1cc4e42ae6ef176a8d5bbe9b792de38babab6eedf37cd3
SSDEEP

49152:XOO2EZtuoHjBw65ivfPxFY/WcuMjy+4vDI:XOO7nGRMWnMjE8

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://77.221.154.49/68c8ee7d3c216cd1fa3c/en3cccbn.s7sw2

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4856 created 3024	4856	katA5A6.tmp	50

Executes dropped EXE 1 IoCs

pid	Process
4856	katA5A6.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	katA5A6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4856	katA5A6.tmp
4856	katA5A6.tmp
1948	dialer.exe
1948	dialer.exe
1948	dialer.exe
1948	dialer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 1584 wrote to memory of 4856	1584	b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe	91
PID 4856 wrote to memory of 1948	4856	katA5A6.tmp	93
PID 4856 wrote to memory of 1948	4856	katA5A6.tmp	93
PID 4856 wrote to memory of 1948	4856	katA5A6.tmp	93
PID 4856 wrote to memory of 1948	4856	katA5A6.tmp	93
PID 4856 wrote to memory of 1948	4856	katA5A6.tmp	93

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3024
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

C:\Users\Admin\AppData\Local\Temp\b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe
"C:\Users\Admin\AppData\Local\Temp\b423e08d83060bea5f6a75a8cbfe6d7084db89ef9deb8602c264293601873186.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\katA5A6.tmp
  C:\Users\Admin\AppData\Local\Temp\katA5A6.tmp
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\katA5A6.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
memory/1584-2-0x0000000002CD0000-0x0000000002EE3000-memory.dmp

Filesize
2.1MB

Download
memory/1584-8-0x0000000000400000-0x0000000000689000-memory.dmp

Filesize
2.5MB

Download
memory/1584-0-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1948-20-0x0000000000820000-0x0000000000829000-memory.dmp

Filesize
36KB

Download
memory/1948-31-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/1948-26-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/1948-30-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/1948-27-0x00007FF8EF130000-0x00007FF8EF325000-memory.dmp

Filesize
2.0MB

Download
memory/1948-29-0x0000000076340000-0x0000000076555000-memory.dmp

Filesize
2.1MB

Download
memory/1948-25-0x0000000002470000-0x0000000002870000-memory.dmp

Filesize
4.0MB

Download
memory/4856-15-0x0000000003290000-0x0000000003690000-memory.dmp

Filesize
4.0MB

Download
memory/4856-18-0x0000000003290000-0x0000000003690000-memory.dmp

Filesize
4.0MB

Download
memory/4856-19-0x0000000076340000-0x0000000076555000-memory.dmp

Filesize
2.1MB

Download
memory/4856-16-0x00007FF8EF130000-0x00007FF8EF325000-memory.dmp

Filesize
2.0MB

Download
memory/4856-23-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-21-0x0000000000490000-0x0000000000559000-memory.dmp

Filesize
804KB

Download
memory/4856-14-0x0000000003290000-0x0000000003690000-memory.dmp

Filesize
4.0MB

Download
memory/4856-13-0x0000000003290000-0x0000000003690000-memory.dmp

Filesize
4.0MB

Download
memory/4856-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-12-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4856-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing