rhadamanthys | 6f120cd587ec05f82f9e114f910ccae2c8e4cf468c8a06624c611e8431dd9cbf

General

Target

c570824c19f6b18f9385b6d2dd362e30N.exe
Size

6.7MB
MD5

c570824c19f6b18f9385b6d2dd362e30
SHA1

82c8e445f4d97cbdbd3ad03240d9459d4d277c8a
SHA256

6f120cd587ec05f82f9e114f910ccae2c8e4cf468c8a06624c611e8431dd9cbf
SHA512

695d5ed9e697a50880d13a9f82dc5a170523bfb03cf52c71bb2822754471ba345bc6f7dbd9a9fee758292884ae0420f44ac6f4111e08bbd6db7e4556aa987f56
SSDEEP

196608:sfU3b+P/ugXlRRAhqlUsz7vV7LacN3PIRaE1ZVf0y5:8f/31RKVsz7Nl3P2aM/

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 560 created 2688	560	explorer.exe	44

Executes dropped EXE 3 IoCs

pid	Process
4984	c570824c19f6b18f9385b6d2dd362e30N.exe
3648	Mp3tag.exe
3748	Mp3tag.exe

Loads dropped DLL 5 IoCs

pid	Process
4984	c570824c19f6b18f9385b6d2dd362e30N.exe
3648	Mp3tag.exe
3648	Mp3tag.exe
3748	Mp3tag.exe
3748	Mp3tag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3748 set thread context of 2468	3748	Mp3tag.exe	87

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c570824c19f6b18f9385b6d2dd362e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c570824c19f6b18f9385b6d2dd362e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3648	Mp3tag.exe
3748	Mp3tag.exe
3748	Mp3tag.exe
2468	cmd.exe
2468	cmd.exe
560	explorer.exe
560	explorer.exe
3288	openwith.exe
3288	openwith.exe
3288	openwith.exe
3288	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3748	Mp3tag.exe
2468	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4984	3348	c570824c19f6b18f9385b6d2dd362e30N.exe	84
PID 3348 wrote to memory of 4984	3348	c570824c19f6b18f9385b6d2dd362e30N.exe	84
PID 3348 wrote to memory of 4984	3348	c570824c19f6b18f9385b6d2dd362e30N.exe	84
PID 4984 wrote to memory of 3648	4984	c570824c19f6b18f9385b6d2dd362e30N.exe	85
PID 4984 wrote to memory of 3648	4984	c570824c19f6b18f9385b6d2dd362e30N.exe	85
PID 3648 wrote to memory of 3748	3648	Mp3tag.exe	86
PID 3648 wrote to memory of 3748	3648	Mp3tag.exe	86
PID 3748 wrote to memory of 2468	3748	Mp3tag.exe	87
PID 3748 wrote to memory of 2468	3748	Mp3tag.exe	87
PID 3748 wrote to memory of 2468	3748	Mp3tag.exe	87
PID 3748 wrote to memory of 2468	3748	Mp3tag.exe	87
PID 2468 wrote to memory of 560	2468	cmd.exe	90
PID 2468 wrote to memory of 560	2468	cmd.exe	90
PID 2468 wrote to memory of 560	2468	cmd.exe	90
PID 2468 wrote to memory of 560	2468	cmd.exe	90
PID 560 wrote to memory of 3288	560	explorer.exe	91
PID 560 wrote to memory of 3288	560	explorer.exe	91
PID 560 wrote to memory of 3288	560	explorer.exe	91
PID 560 wrote to memory of 3288	560	explorer.exe	91
PID 560 wrote to memory of 3288	560	explorer.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2688
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3288

C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe
"C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\Temp\{72E4BBE6-96B7-45DA-A653-3F83080A62A5}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe
  "C:\Windows\Temp\{72E4BBE6-96B7-45DA-A653-3F83080A62A5}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\c570824c19f6b18f9385b6d2dd362e30N.exe" -burn.filehandle.attached=548 -burn.filehandle.self=528
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\Mp3tag.exe
    "C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\Mp3tag.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Users\Admin\AppData\Roaming\WO_Reader\Mp3tag.exe
      C:\Users\Admin\AppData\Roaming\WO_Reader\Mp3tag.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dedc70b9

Filesize
1.1MB

MD5
7972471d598cf3bc13f76219b940bcbf

SHA1
9951baa35e680c7593e8a0b9c8e505464bd976e5

SHA256
61476d1e9a63b63816bb69c3d96a19e0e5ffbc27084e8b0bd7603db737891749

SHA512
2e9c41d33f9b12088c85c17b06e81815c7ede6510168ac692107560b3444bdbe964fc4f1509c9020518c7c206899f21439d1e36f64d11198000d34aa8cf9f4e2

Download Submit
C:\Windows\Temp\{72E4BBE6-96B7-45DA-A653-3F83080A62A5}\.cr\c570824c19f6b18f9385b6d2dd362e30N.exe

Filesize
6.5MB

MD5
bd0a1910f42d180b53567a6e89315427

SHA1
e1fdc4f6b260ee2a598f71c5e083ab907ca92153

SHA256
c575afbabbf9344a79ef9710c2b393c5be176709fd39fd81788d3931bc922492

SHA512
f9407c6b8e01c375424c6108db18e394b3a3450c75414dd57e6f1fe27ecb8949f39107c3c7c2ec37f7b9a38164845b69728da1ab95cd4d565f3595e047e168b6

Download Submit
C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\Microfilm.dll

Filesize
188KB

MD5
9c79ec1722bfc75da4a054ebb2519e3f

SHA1
8b1945288873460db224923095f2939750bee7e0

SHA256
0063b354d0218fa55c4c3f0f5416f958c3e67fe822c3401883642e201bd108f4

SHA512
b083ec3d59e0662e4417a64c8e19c71fd1ac38b9e1b5b1a85f5de871588d097f5c17ada13c2ffe6352e2dc921b9df7160ec7d7e83f23d1fe7269022ce574b974

Download Submit
C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\airintake.xlsx

Filesize
74KB

MD5
946dc224bc5c624516a5a7c198e29f2b

SHA1
1e00bef81cd7cbfdfd0e1abc4395cd27838061ca

SHA256
840357d9542674dfcd1e70ee824fbdd8c0e138959761534acbbd25553c2290fe

SHA512
aaab53abca59c915e0eb109fb2b73226671662e92cde4fd554c93046893a4f0cca52f9ad6b9b829374ab557e851f7de3ba4833a4131f1fc7ee734b84701f4ca0

Download Submit
C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\precentor.jpeg

Filesize
1000KB

MD5
7a01c82029fc3456d957c42d50dcefc7

SHA1
8bd01193dbe1781071a875cd24aa0ef60176ba9c

SHA256
3b84a6c0f12e0398f3ac83e2bbee566bca2d4a0a0ab6c7bbb0affed63409cb38

SHA512
499428c641b842bf64ede98903fb576d29e735aebd59d3f8703718abfa3269627963a9453987fbd15f3e83272d891e7d7918703cfb862588b4f8dee575a850e6

Download Submit
C:\Windows\Temp\{81F03651-447D-4D4B-8090-56E94AFE425E}\.ba\tak_deco_lib.dll

Filesize
315KB

MD5
48f5aedd31cb66eeec556eaf88962201

SHA1
5a415d07aec0d88e9e04699e0dcabc6e81805696

SHA256
8170e58e75a0389395499ae7a1e2c9fb6055f548a0ef9322ff944b96f698cbb9

SHA512
4855bdd9caa4a9946aa5c9a8033965c2dc55461da083aae1ecfadabd5639e5abbe3ef142a36afd0c79a819636824401fa1902297620dc3ae7a4401dec3888140

Download Submit
memory/560-49-0x0000000003E20000-0x0000000004220000-memory.dmp

Filesize
4.0MB

Download
memory/560-44-0x00007FFA2E750000-0x00007FFA2E945000-memory.dmp

Filesize
2.0MB

Download
memory/560-56-0x0000000000980000-0x00000000009FF000-memory.dmp

Filesize
508KB

Download
memory/560-52-0x00000000762E0000-0x00000000764F5000-memory.dmp

Filesize
2.1MB

Download
memory/560-48-0x0000000003E20000-0x0000000004220000-memory.dmp

Filesize
4.0MB

Download
memory/560-47-0x0000000000980000-0x00000000009FF000-memory.dmp

Filesize
508KB

Download
memory/560-45-0x0000000000980000-0x00000000009FF000-memory.dmp

Filesize
508KB

Download
memory/560-43-0x0000000000980000-0x00000000009FF000-memory.dmp

Filesize
508KB

Download
memory/2468-40-0x00007FFA2E750000-0x00007FFA2E945000-memory.dmp

Filesize
2.0MB

Download
memory/2468-41-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/3288-53-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/3288-57-0x0000000002CB0000-0x00000000030B0000-memory.dmp

Filesize
4.0MB

Download
memory/3288-60-0x00000000762E0000-0x00000000764F5000-memory.dmp

Filesize
2.1MB

Download
memory/3288-58-0x00007FFA2E750000-0x00007FFA2E945000-memory.dmp

Filesize
2.0MB

Download
memory/3648-20-0x00007FFA11190000-0x00007FFA11302000-memory.dmp

Filesize
1.4MB

Download
memory/3648-17-0x0000000000800000-0x000000000085E000-memory.dmp

Filesize
376KB

Download
memory/3648-28-0x0000000000800000-0x000000000085E000-memory.dmp

Filesize
376KB

Download
memory/3748-38-0x0000000000700000-0x000000000075E000-memory.dmp

Filesize
376KB

Download
memory/3748-36-0x00007FFA11190000-0x00007FFA11302000-memory.dmp

Filesize
1.4MB

Download
memory/3748-35-0x00007FFA11190000-0x00007FFA11302000-memory.dmp

Filesize
1.4MB

Download
memory/3748-32-0x0000000000700000-0x000000000075E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing