rhadamanthys | bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461

General

Target

bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Size

1.9MB
MD5

c607e5a15a55a85f0fd6339c75dbe769
SHA1

36e24f54dd93166a2d42ebb222d4c15eefe7239b
SHA256

bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461
SHA512

db157472ad89553b0a9578da6b5a5b07abe30741509f097f359fb1c40db3818e94f8134513d52627f0e889731dbdf4fc0bf4375ff3a0bdbb0892ca6e108391a6
SSDEEP

49152:IebOsgxw8eSymL1zO69MOpJjyTVKueFU4NXJ:P+N1K+luelXJ

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2700 created 1204	2700	2FC8.exe	21

Executes dropped EXE 1 IoCs

pid	Process
2700	2FC8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2FC8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2700	2FC8.exe
2700	2FC8.exe
2772	dialer.exe
2772	dialer.exe
2772	dialer.exe
2772	dialer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2700	2480	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	32
PID 2480 wrote to memory of 2700	2480	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	32
PID 2480 wrote to memory of 2700	2480	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	32
PID 2480 wrote to memory of 2700	2480	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	32
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33
PID 2700 wrote to memory of 2772	2700	2FC8.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
  "C:\Users\Admin\AppData\Local\Temp\bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\dat2FC7.tmp\2FC8.exe
    "C:\Users\Admin\AppData\Local\Temp\dat2FC7.tmp\2FC8.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2700
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dat2FC7.tmp\2FC8.exe

Filesize
3.5MB

MD5
9a9e54e2c0b5076ebbddd676c45a7c6e

SHA1
29969d8d71dd863088190dfcabb7713ffc8484ae

SHA256
4a802496f5171c7f9d8862a579795c346489d7ab0b0b1b0df7da6621911e6b91

SHA512
fc0d7f50c36b969bdb2af43834f947129ea1710599054100a01964b63a3541d06df6e3eeb8c782041ede182be3c9a7c16dbe498f4acac14c8a2646dc26510401

Download Submit
memory/2480-0-0x0000000000200000-0x0000000000226000-memory.dmp

Filesize
152KB

Download
memory/2480-2-0x0000000000200000-0x0000000000226000-memory.dmp

Filesize
152KB

Download
memory/2700-16-0x00000000037F0000-0x0000000003BF0000-memory.dmp

Filesize
4.0MB

Download
memory/2700-9-0x00000000037F0000-0x0000000003BF0000-memory.dmp

Filesize
4.0MB

Download
memory/2700-11-0x00000000037F0000-0x0000000003BF0000-memory.dmp

Filesize
4.0MB

Download
memory/2700-12-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download
memory/2700-14-0x0000000075780000-0x00000000757C7000-memory.dmp

Filesize
284KB

Download
memory/2700-8-0x00000000024A0000-0x000000000251E000-memory.dmp

Filesize
504KB

Download
memory/2700-18-0x00000000037F0000-0x0000000003BF0000-memory.dmp

Filesize
4.0MB

Download
memory/2700-17-0x00000000778C1000-0x00000000779C2000-memory.dmp

Filesize
1.0MB

Download
memory/2772-15-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2772-21-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download
memory/2772-20-0x0000000001CD0000-0x00000000020D0000-memory.dmp

Filesize
4.0MB

Download
memory/2772-24-0x0000000075780000-0x00000000757C7000-memory.dmp

Filesize
284KB

Download
memory/2772-25-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing