rhadamanthys | de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b

General

Target

de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
Size

7.1MB
MD5

945799bf0c3ea84b4fbe73c02ebe45d3
SHA1

4aaba52d3cb179d390d427576b02b9f8fca038ef
SHA256

de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b
SHA512

ec6ecfc7fa46ac82680b8b5bf67581f8f0578e202b22909af15efc2d1b94eec2c43a630413b94f7e1c47c3848d2512750b2abd417d48e24cf6442dfb1c17b4dd
SSDEEP

196608:cfU9Zc6BLCAuwqj4FGUY7R7dd5HTK32N5mh:sGhC3+FGUY1J3Pmh

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2668 created 2676	2668	explorer.exe	45

Executes dropped EXE 3 IoCs

pid	Process
5028	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
4364	Mp3tag.exe
4920	Mp3tag.exe

Loads dropped DLL 5 IoCs

pid	Process
5028	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
4364	Mp3tag.exe
4364	Mp3tag.exe
4920	Mp3tag.exe
4920	Mp3tag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 4964	4920	Mp3tag.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4364	Mp3tag.exe
4920	Mp3tag.exe
4920	Mp3tag.exe
4964	cmd.exe
4964	cmd.exe
2668	explorer.exe
2668	explorer.exe
3516	openwith.exe
3516	openwith.exe
3516	openwith.exe
3516	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4920	Mp3tag.exe
4964	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 5028	4420	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe	87
PID 4420 wrote to memory of 5028	4420	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe	87
PID 4420 wrote to memory of 5028	4420	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe	87
PID 5028 wrote to memory of 4364	5028	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe	97
PID 5028 wrote to memory of 4364	5028	de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe	97
PID 4364 wrote to memory of 4920	4364	Mp3tag.exe	98
PID 4364 wrote to memory of 4920	4364	Mp3tag.exe	98
PID 4920 wrote to memory of 4964	4920	Mp3tag.exe	100
PID 4920 wrote to memory of 4964	4920	Mp3tag.exe	100
PID 4920 wrote to memory of 4964	4920	Mp3tag.exe	100
PID 4920 wrote to memory of 4964	4920	Mp3tag.exe	100
PID 4964 wrote to memory of 2668	4964	cmd.exe	102
PID 4964 wrote to memory of 2668	4964	cmd.exe	102
PID 4964 wrote to memory of 2668	4964	cmd.exe	102
PID 4964 wrote to memory of 2668	4964	cmd.exe	102
PID 2668 wrote to memory of 3516	2668	explorer.exe	104
PID 2668 wrote to memory of 3516	2668	explorer.exe	104
PID 2668 wrote to memory of 3516	2668	explorer.exe	104
PID 2668 wrote to memory of 3516	2668	explorer.exe	104
PID 2668 wrote to memory of 3516	2668	explorer.exe	104

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2676
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
"C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Temp\{F4C07F57-D08D-4D8F-A179-D2A9775C5579}\.cr\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe
  "C:\Windows\Temp\{F4C07F57-D08D-4D8F-A179-D2A9775C5579}\.cr\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe" -burn.filehandle.attached=656 -burn.filehandle.self=684
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\Mp3tag.exe
    "C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\Mp3tag.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\ProgramData\Wr_Writer\Mp3tag.exe
      C:\ProgramData\Wr_Writer\Mp3tag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3cd46e4b

Filesize
1.1MB

MD5
23ceb655251d093dd1f8f04a22f7bac7

SHA1
3af14de002a8375f76dd1603778885383ecad93f

SHA256
ff2835c15976932bcd087ae93081144c975781b82fcacd2c5279c278c79e980f

SHA512
9a78116a8ba84f3009e27cabc355b8737d57f61a087375cfadd55eb37c8c81d1c8905464160fa5576c2ae6e8f2018eac30bc5c64605fa5356559d4d6a0fb672f

Download Submit
C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\Jurisconsult.dll

Filesize
1.1MB

MD5
48ad6bd137c6b457d46621118881603e

SHA1
b8c177db3fb75c90a6e1d8cb83e8cf6d4ad8992f

SHA256
8db2bf1945103d67a73a2d1067d2438bf7da6c40a7e8de99a8433f712a297252

SHA512
9c6923f0a35166dc7492beb05ade31eb6e5572afcfb2c006511ab780bdf1cdef1b958057d6fa954873b0228916dbdabdb6daf20a672fc755c94fefd90dff8b14

Download Submit
C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\airintake.xlsx

Filesize
74KB

MD5
946dc224bc5c624516a5a7c198e29f2b

SHA1
1e00bef81cd7cbfdfd0e1abc4395cd27838061ca

SHA256
840357d9542674dfcd1e70ee824fbdd8c0e138959761534acbbd25553c2290fe

SHA512
aaab53abca59c915e0eb109fb2b73226671662e92cde4fd554c93046893a4f0cca52f9ad6b9b829374ab557e851f7de3ba4833a4131f1fc7ee734b84701f4ca0

Download Submit
C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\precentor.jpeg

Filesize
1002KB

MD5
f753ebfcd20924254ca6ef2e450b2d4b

SHA1
111b13f7e9aa1322291852a2e4729a22c564a3d4

SHA256
72ad670c1d02f919eb49fab3a55cab53dc8fe4c6fff5c14e9f8ab305277a6cce

SHA512
48dc896bb3c21fbc70d9e0d458c859361c5cbbc4dc36e4a0c7f79687a264fe29b6d09653e2f3024508b3d3b22b9ae59fe8b7e21d357e7fc5223df2e8535ec2a5

Download Submit
C:\Windows\Temp\{9EF83D69-57CB-477B-ADF1-0F883DF678CD}\.ba\tak_deco_lib.dll

Filesize
315KB

MD5
48f5aedd31cb66eeec556eaf88962201

SHA1
5a415d07aec0d88e9e04699e0dcabc6e81805696

SHA256
8170e58e75a0389395499ae7a1e2c9fb6055f548a0ef9322ff944b96f698cbb9

SHA512
4855bdd9caa4a9946aa5c9a8033965c2dc55461da083aae1ecfadabd5639e5abbe3ef142a36afd0c79a819636824401fa1902297620dc3ae7a4401dec3888140

Download Submit
C:\Windows\Temp\{F4C07F57-D08D-4D8F-A179-D2A9775C5579}\.cr\de3fd1673c2ad1ab4b44ee5434a70240ae43722b82a86add6cac1bc22414a34b.exe

Filesize
6.9MB

MD5
8db744dd49cd575ee3a3a8d80546df82

SHA1
433684e875a350927e343c70a1159489201ed2f5

SHA256
5f4f1ae19aadbf0f17888bc869a14a6cf98fb52905d089771922674a76e121eb

SHA512
7bf08cb19e100e66bf4632cc7ce6b027c2ce6cab88d8c16c6fd404ac86407b5540a434df8004313707147ca1d3fbd6794c4552faeab33830a594b193e5a0023a

Download Submit
memory/2668-44-0x0000000000AD0000-0x0000000000B4F000-memory.dmp

Filesize
508KB

Download
memory/2668-55-0x0000000000AD0000-0x0000000000B4F000-memory.dmp

Filesize
508KB

Download
memory/2668-52-0x0000000075AE0000-0x0000000075CF5000-memory.dmp

Filesize
2.1MB

Download
memory/2668-49-0x0000000004090000-0x0000000004490000-memory.dmp

Filesize
4.0MB

Download
memory/2668-48-0x0000000004090000-0x0000000004490000-memory.dmp

Filesize
4.0MB

Download
memory/2668-46-0x0000000000AD0000-0x0000000000B4F000-memory.dmp

Filesize
508KB

Download
memory/2668-45-0x00007FFC10470000-0x00007FFC10665000-memory.dmp

Filesize
2.0MB

Download
memory/3516-53-0x0000000001210000-0x0000000001219000-memory.dmp

Filesize
36KB

Download
memory/3516-57-0x0000000002E40000-0x0000000003240000-memory.dmp

Filesize
4.0MB

Download
memory/3516-58-0x00007FFC10470000-0x00007FFC10665000-memory.dmp

Filesize
2.0MB

Download
memory/3516-60-0x0000000075AE0000-0x0000000075CF5000-memory.dmp

Filesize
2.1MB

Download
memory/4364-18-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/4364-29-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/4364-21-0x00007FFBF15C0000-0x00007FFBF1732000-memory.dmp

Filesize
1.4MB

Download
memory/4920-39-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/4920-37-0x00007FFBF15C0000-0x00007FFBF1732000-memory.dmp

Filesize
1.4MB

Download
memory/4920-36-0x00007FFBF15C0000-0x00007FFBF1732000-memory.dmp

Filesize
1.4MB

Download
memory/4964-42-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/4964-41-0x00007FFC10470000-0x00007FFC10665000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing