rhadamanthys | e6315b24e0311758da1c25daa5f2724da4f534ed7ed644cbf43f3cc64c4676a7

General

Target

msimg32.dll
Size

4.9MB
MD5

edfe2dd4d8218d13e1e6aa5501d5163b
SHA1

d3212ebb64dce90a8c972bf3a6f1ad734bc39b08
SHA256

1a2399ecc38f3288206c75b55762d125d3d75254062a2c0d85c86e7f896736ac
SHA512

282df1a436549af672dad5e74eb0617c882ec1665c6bad112850a7666cd93d2fa5f18f2935d0ebaa8562d592adcab380c6dc5a9117ec373fbf1310caef65035f
SSDEEP

49152:JErEyCal8VnN+LwbEOCAQFhZ81wm+R9BlwxPJfkwDQby1uZLOkALP7fivHdHufrF:JElCQ8VN+TAghZbR9y6wKyskkk2HOh

Score

10^/10

rhadamanthys discovery persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4636 created 3020	4636	rundll32.exe	50

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4400	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1504	4636	WerFault.exe	85
3772	4636	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4636	rundll32.exe
4636	rundll32.exe
3464	openwith.exe
3464	openwith.exe
3464	openwith.exe
3464	openwith.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 4400	2676	rundll32.exe	84
PID 2676 wrote to memory of 4400	2676	rundll32.exe	84
PID 2676 wrote to memory of 4400	2676	rundll32.exe	84
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 4636	4400	rundll32.exe	85
PID 4400 wrote to memory of 2616	4400	rundll32.exe	86
PID 4400 wrote to memory of 2616	4400	rundll32.exe	86
PID 4400 wrote to memory of 2616	4400	rundll32.exe	86
PID 2616 wrote to memory of 4304	2616	cmd.exe	88
PID 2616 wrote to memory of 4304	2616	cmd.exe	88
PID 2616 wrote to memory of 4304	2616	cmd.exe	88
PID 4636 wrote to memory of 3464	4636	rundll32.exe	89
PID 4636 wrote to memory of 3464	4636	rundll32.exe	89
PID 4636 wrote to memory of 3464	4636	rundll32.exe	89
PID 4636 wrote to memory of 3464	4636	rundll32.exe	89
PID 4636 wrote to memory of 3464	4636	rundll32.exe	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3020
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3464

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\msimg32.dll,#1
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 536
      4⤵
      Program crash
      PID:1504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 532
      4⤵
      Program crash
      PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4636 -ip 4636
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4636 -ip 4636
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-19-0x0000000001090000-0x0000000001099000-memory.dmp

Filesize
36KB

Download
memory/3464-29-0x0000000002CE0000-0x00000000030E0000-memory.dmp

Filesize
4.0MB

Download
memory/3464-22-0x0000000002CE0000-0x00000000030E0000-memory.dmp

Filesize
4.0MB

Download
memory/3464-23-0x00007FFCECFF0000-0x00007FFCED1E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-26-0x0000000002CE0000-0x00000000030E0000-memory.dmp

Filesize
4.0MB

Download
memory/3464-25-0x0000000075E00000-0x0000000076015000-memory.dmp

Filesize
2.1MB

Download
memory/3464-21-0x0000000002CE0000-0x00000000030E0000-memory.dmp

Filesize
4.0MB

Download
memory/4400-9-0x0000000065000000-0x00000000654EA000-memory.dmp

Filesize
4.9MB

Download
memory/4400-3-0x0000000065000000-0x00000000654EA000-memory.dmp

Filesize
4.9MB

Download
memory/4400-0-0x0000000065000000-0x00000000654EA000-memory.dmp

Filesize
4.9MB

Download
memory/4400-2-0x0000000065000000-0x00000000654EA000-memory.dmp

Filesize
4.9MB

Download
memory/4400-1-0x0000000065013000-0x000000006502D000-memory.dmp

Filesize
104KB

Download
memory/4400-11-0x00000000654BD000-0x00000000654EA000-memory.dmp

Filesize
180KB

Download
memory/4636-15-0x00007FFCECFF0000-0x00007FFCED1E5000-memory.dmp

Filesize
2.0MB

Download
memory/4636-18-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4636-17-0x0000000075E00000-0x0000000076015000-memory.dmp

Filesize
2.1MB

Download
memory/4636-13-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4636-14-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4636-8-0x0000000000F70000-0x0000000000FEE000-memory.dmp

Filesize
504KB

Download
memory/4636-7-0x0000000000F70000-0x0000000000FEE000-memory.dmp

Filesize
504KB

Download
memory/4636-4-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4636-12-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4636-28-0x0000000003F00000-0x0000000004300000-memory.dmp

Filesize
4.0MB

Download
memory/4636-10-0x0000000000F70000-0x0000000000FEE000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads