rhadamanthys | 5d94282522c59df310e1355dea5e28c4085f08c8dc2738629550bbb9404bf6d3

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe
Size

934KB
MD5

7def16e0ceea0ad69d53e0e636541dd9
SHA1

92080bb5ad272cf69f69aa0588856cda4b4b1c28
SHA256

35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297
SHA512

9616fb69ed3fd6d59ae060a671c5af86f0d7e1a4e6f8436a9c7244928a2bb1f0a76ec4f1968f77180141493c16a4e1090faf8786ead929c3bd3812f2e09e596a
SSDEEP

24576:gbVB9BI+CacE07NGWx1G0MEL2XH09GIGiSUS00dpf:qVrIacF7dnMBXU9GIzSUlypf

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5016 created 2668	5016	Cheers.pif	44

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe

Executes dropped EXE 1 IoCs

pid	Process
5016	Cheers.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3252	tasklist.exe
1780	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3540	5016	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheers.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2352	cmd.exe
836	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
836	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif
3276	dialer.exe
3276	dialer.exe
3276	dialer.exe
3276	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	tasklist.exe
Token: SeDebugPrivilege	1780	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5016	Cheers.pif
5016	Cheers.pif
5016	Cheers.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4852	4660	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	85
PID 4660 wrote to memory of 4852	4660	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	85
PID 4660 wrote to memory of 4852	4660	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	85
PID 4852 wrote to memory of 3252	4852	cmd.exe	88
PID 4852 wrote to memory of 3252	4852	cmd.exe	88
PID 4852 wrote to memory of 3252	4852	cmd.exe	88
PID 4852 wrote to memory of 4668	4852	cmd.exe	89
PID 4852 wrote to memory of 4668	4852	cmd.exe	89
PID 4852 wrote to memory of 4668	4852	cmd.exe	89
PID 4852 wrote to memory of 1780	4852	cmd.exe	91
PID 4852 wrote to memory of 1780	4852	cmd.exe	91
PID 4852 wrote to memory of 1780	4852	cmd.exe	91
PID 4852 wrote to memory of 1320	4852	cmd.exe	92
PID 4852 wrote to memory of 1320	4852	cmd.exe	92
PID 4852 wrote to memory of 1320	4852	cmd.exe	92
PID 4852 wrote to memory of 2664	4852	cmd.exe	93
PID 4852 wrote to memory of 2664	4852	cmd.exe	93
PID 4852 wrote to memory of 2664	4852	cmd.exe	93
PID 4852 wrote to memory of 5080	4852	cmd.exe	94
PID 4852 wrote to memory of 5080	4852	cmd.exe	94
PID 4852 wrote to memory of 5080	4852	cmd.exe	94
PID 4852 wrote to memory of 2352	4852	cmd.exe	95
PID 4852 wrote to memory of 2352	4852	cmd.exe	95
PID 4852 wrote to memory of 2352	4852	cmd.exe	95
PID 4852 wrote to memory of 2488	4852	cmd.exe	96
PID 4852 wrote to memory of 2488	4852	cmd.exe	96
PID 4852 wrote to memory of 2488	4852	cmd.exe	96
PID 4852 wrote to memory of 5016	4852	cmd.exe	97
PID 4852 wrote to memory of 5016	4852	cmd.exe	97
PID 4852 wrote to memory of 5016	4852	cmd.exe	97
PID 4852 wrote to memory of 836	4852	cmd.exe	98
PID 4852 wrote to memory of 836	4852	cmd.exe	98
PID 4852 wrote to memory of 836	4852	cmd.exe	98
PID 5016 wrote to memory of 3276	5016	Cheers.pif	100
PID 5016 wrote to memory of 3276	5016	Cheers.pif	100
PID 5016 wrote to memory of 3276	5016	Cheers.pif	100
PID 5016 wrote to memory of 3276	5016	Cheers.pif	100
PID 5016 wrote to memory of 3276	5016	Cheers.pif	100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2668
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3276

C:\Users\Admin\AppData\Local\Temp\35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe
"C:\Users\Admin\AppData\Local\Temp\35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c move Observed Observed.bat && Observed.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 5132425
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "AndreaAccessibleOriginallyElizabeth" Ons
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 5132425\Cheers.pif + Software + Cap + Typing + Cingular + Dominican 5132425\Cheers.pif
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Customs + Placing + Anatomy + Church 5132425\M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5132425\Cheers.pif
    5132425\Cheers.pif 5132425\M
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 900
      4⤵
      Program crash
      PID:3540
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5016 -ip 5016
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5132425\Cheers.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5132425\M

Filesize
867KB

MD5
b18b385dc3c027bc4cd4362e23677edc

SHA1
65b09d44a81ca8528cf472f91e783a5199411f45

SHA256
c43b8b1a8b8ab1455009a1463c77166c87d21b5ded408a9b9d2eb91213e783de

SHA512
66889a43e26f37bd4ea756719c07e389c2292a2b971f7367c6779d63ba1de82f5509e62dbb5ab994b4d5e819614cb8a2051b21a7e7d5197e2067054314baa46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Anatomy

Filesize
268KB

MD5
3d0fe94011bfc11f960f3692773becf6

SHA1
eda278f584c80b7a5ec1a48c16c1453fd79d30fe

SHA256
f1e2acd5399b8fd82a7d3be16aba6cf70dd4f5fea82211979b89e6293b736e85

SHA512
4f15232e5966d2c024e929de468a4ff427d5ec714b15c3a19c55ce6c03342f01a4dd9784672aa3a4ec738db9c926727fc0108d36d751f2669b27837470bce0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cap

Filesize
152KB

MD5
d7b3e4a1f20444dd37b4ef305b6f8199

SHA1
bfd1d1bdff7c9d7e1ab6b46399252e94bbab8258

SHA256
b64c28e45770c23ba7b4cc1b80efd0edafaa0ad8109d3c9e340b45ae40565929

SHA512
24e83d25a23170f0d5c5f9f2afac13e72c017c98e443014e82a7b1b5a3a7aa9aafdfd795517e0a2b93bae2f742809c6a9e0627669c73dc3a8a0b57e9b2b8663a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Church

Filesize
113KB

MD5
b020ac666f105e582800755e46b87e54

SHA1
33c9afc7390f7fefe0b11ee2f9e32f8107d5ec21

SHA256
1713e9701d98f06a20391a048b2f5cb213b0ccf23f45df39df3cdbd55b23935c

SHA512
0d6c163717bef8e894cdf95b619ac1d7728bc1b88a2485606b1f2270d5c683caab7c4d693f467ec89d83a7ae34ca4e1afad1df3a7d25e8a7fc750826a89a59b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cingular

Filesize
262KB

MD5
5b18970d8c464ca95ef183c6eddf2c79

SHA1
30f9ef49ce58ded149dd60a32359052c7fda6b25

SHA256
53a87d85121c6e590a928d3fae1f72ab3c266c980cc6a89f39cd74a2127d6b1e

SHA512
2f636bb7527a194467ce15046d9bf1368fca37a9b160c22aeb022a1c15a0c6cbf978373fb6d59ac692c9e7de37310c9fcc9f26c1c1d54ecace41f94ccc5fedbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Customs

Filesize
239KB

MD5
4c4ea6968e54f5f5c4c254587fee63dc

SHA1
d21927f93dfb1626405cf09f3379d6bc7dd8a505

SHA256
3a6b764666b1675287f39a952e072fcd41332b4d0ce2b4e59a96aa5a27af8707

SHA512
8b3f479dd3accfffe0235f2a3e102c306c288788d533ae78f9b8d8bbd95f36a4a613f6c1c1f2443566e17971c6116274b8b901b83608a6189e4d4927e47e42b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dominican

Filesize
137KB

MD5
3c699f1767c677adfed1c113de6d184f

SHA1
ca15988fb3c81b6b4e0d7c5914e0bb2e07b35d1b

SHA256
740648b4a35012828dc95ef4258677d80659d820461ccfc9f98216facf0fea9a

SHA512
9ba925d63f2f9c0dbb244d6cea56d4bfd0b39de973e9c68c743ef6a1014c2a72b93072606af17bc770a837320c3cf8dc5f51976389cd599922c7b668d263c2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Observed

Filesize
25KB

MD5
ad5b9509809e2c43efd8e4e0cbb697aa

SHA1
440d24a228fd1a0b125d535e55b887713b237f37

SHA256
eb882bf341c37bcd1c625e156f33db1b338d0e435aa074fa379cc3e73d6d9dad

SHA512
553bf92ac85b4b5ce9605fd0630e9f0396f282ece3f2cd4c0741cfd2b29acdb2246c7df749b0ae6d0d7cd3327f0fd34588ab205659f7cdd91a43e92b34dcd695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ons

Filesize
140B

MD5
61bab20dd66e4690943a6165fd4ff9ca

SHA1
01237b42f749d18c2529aa6233349ecc5de29db2

SHA256
4dab1074edd81fc8d7b5c1e989b025f96ff09ae42e58934668bcc2f696a167c9

SHA512
9419cde00c25107d5ea4dd683b43d437fb508b951f5d7fbe919169724218b8bb13f2e91b3068f7a31433c3b899e9ae26e18cf94f9a9468ac5624efaa8c8f2ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Placing

Filesize
247KB

MD5
b68df1f6cc55a943bd8bd6a1ba4baeb2

SHA1
ed2f9c007bef6a9e8d52aba49704b56c9babea6d

SHA256
fdd8a7a40fdee48bd3a93b70e27c8efbb1aa860e2f7f587e1eecacbee3d6dd68

SHA512
0f622f1d33bcbe46483fa9f578eaa845e49c3617d6f0c76f46d2a32bf33e350a74bb44b4b0c43ddb25fa9f808de763d49f2af37072748b3f98010a8eb6ded273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Software

Filesize
101KB

MD5
722238ba226d0e01df25a8d6e95d609f

SHA1
2f5e912ff0660bdc3f85ccf6d61bcb10fab8edef

SHA256
00559112065d90d8ba296b46949907ea4141c19323e999670a918bd50c5ae162

SHA512
3200e2063b157198c62a69fce4435d1c139c6e7b7f00e0a8e0d05fb0bf54fc886adeea0a2a4e4e8ec055ae0c94eabb1867e6d019920aade7ccef33e91e3be042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Typing

Filesize
220KB

MD5
f0c0d7aff4f13ac8f3c247cb9fca2943

SHA1
94b642aa412319f2bfd814fefefa1b66c9fd7cc7

SHA256
2e933f3194ac2649b3f2c3f0289174b787ef71314143d63980b4d0c3ca698582

SHA512
36f1296f06acccfb3d621aaaf60ea24b354633568b0a946b2f2239e0e61f62dac2f6c418f1b9d2512572b308f176eeb657d479e1448bc330c63b9b01ae585b39

Download Submit
memory/3276-41-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/3276-45-0x00007FFC28250000-0x00007FFC28445000-memory.dmp

Filesize
2.0MB

Download
memory/3276-43-0x0000000002880000-0x0000000002C80000-memory.dmp

Filesize
4.0MB

Download
memory/3276-47-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/5016-36-0x00000000056B0000-0x0000000005AB0000-memory.dmp

Filesize
4.0MB

Download
memory/5016-34-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download
memory/5016-29-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download
memory/5016-37-0x00000000056B0000-0x0000000005AB0000-memory.dmp

Filesize
4.0MB

Download
memory/5016-38-0x00007FFC28250000-0x00007FFC28445000-memory.dmp

Filesize
2.0MB

Download
memory/5016-40-0x0000000075750000-0x0000000075965000-memory.dmp

Filesize
2.1MB

Download
memory/5016-35-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download
memory/5016-33-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download
memory/5016-31-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download
memory/5016-30-0x0000000004640000-0x00000000046AD000-memory.dmp

Filesize
436KB

Download