rhadamanthys | bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461

General

Target

bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Size

1.9MB
MD5

c607e5a15a55a85f0fd6339c75dbe769
SHA1

36e24f54dd93166a2d42ebb222d4c15eefe7239b
SHA256

bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461
SHA512

db157472ad89553b0a9578da6b5a5b07abe30741509f097f359fb1c40db3818e94f8134513d52627f0e889731dbdf4fc0bf4375ff3a0bdbb0892ca6e108391a6
SSDEEP

49152:IebOsgxw8eSymL1zO69MOpJjyTVKueFU4NXJ:P+N1K+luelXJ

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4684 created 2984	4684	FEC4.exe	50

Executes dropped EXE 1 IoCs

pid	Process
4684	FEC4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
228	4684	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FEC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4684	FEC4.exe
4684	FEC4.exe
5084	openwith.exe
5084	openwith.exe
5084	openwith.exe
5084	openwith.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4684	2868	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	85
PID 2868 wrote to memory of 4684	2868	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	85
PID 2868 wrote to memory of 4684	2868	bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe	85
PID 4684 wrote to memory of 5084	4684	FEC4.exe	86
PID 4684 wrote to memory of 5084	4684	FEC4.exe	86
PID 4684 wrote to memory of 5084	4684	FEC4.exe	86
PID 4684 wrote to memory of 5084	4684	FEC4.exe	86
PID 4684 wrote to memory of 5084	4684	FEC4.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2984
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

C:\Users\Admin\AppData\Local\Temp\bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe
"C:\Users\Admin\AppData\Local\Temp\bd403309f8f43fc34d64917720f55c1dbcc50f250f1210bc8dec6c704d4ed461.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\datFEB3.tmp\FEC4.exe
  "C:\Users\Admin\AppData\Local\Temp\datFEB3.tmp\FEC4.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 476
    3⤵
    - Program crash
    PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4684 -ip 4684
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\datFEB3.tmp\FEC4.exe

Filesize
3.5MB

MD5
9a9e54e2c0b5076ebbddd676c45a7c6e

SHA1
29969d8d71dd863088190dfcabb7713ffc8484ae

SHA256
4a802496f5171c7f9d8862a579795c346489d7ab0b0b1b0df7da6621911e6b91

SHA512
fc0d7f50c36b969bdb2af43834f947129ea1710599054100a01964b63a3541d06df6e3eeb8c782041ede182be3c9a7c16dbe498f4acac14c8a2646dc26510401

Download Submit
memory/2868-8-0x0000000000840000-0x0000000000866000-memory.dmp

Filesize
152KB

Download
memory/2868-0-0x0000000000840000-0x0000000000866000-memory.dmp

Filesize
152KB

Download
memory/4684-13-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/4684-24-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/4684-7-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/4684-10-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/4684-11-0x00007FFFA0CF0000-0x00007FFFA0EE5000-memory.dmp

Filesize
2.0MB

Download
memory/4684-6-0x0000000000C90000-0x0000000000D0E000-memory.dmp

Filesize
504KB

Download
memory/4684-15-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/4684-9-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/5084-20-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/5084-22-0x0000000002C50000-0x0000000003050000-memory.dmp

Filesize
4.0MB

Download
memory/5084-21-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/5084-17-0x0000000002C50000-0x0000000003050000-memory.dmp

Filesize
4.0MB

Download
memory/5084-14-0x0000000001040000-0x0000000001049000-memory.dmp

Filesize
36KB

Download
memory/5084-23-0x0000000002C50000-0x0000000003050000-memory.dmp

Filesize
4.0MB

Download
memory/5084-18-0x00007FFFA0CF0000-0x00007FFFA0EE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing