rhadamanthys | f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c

General

Target

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe
Size

5.9MB
MD5

cfb3626fc1ef7ad447d4c6a603d8ee93
SHA1

52c14e0953ed22f7340aa2e7a503e85a0780f1e8
SHA256

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c
SHA512

1bc502ce85a4dd74dd9e4fc0742ec2d61626535162095c4765782221fe09ac3d1f2b9b314829fcd81aa84add80616741988b5f942c93c6980beb733506d77a11
SSDEEP

98304:SIqyrlEfrYvsggIauNNFoAgrS43doVFXMxGXdnxiHO3tyuSvK0xlBKmXe4w98L+c:HEDTgg7uHFoVrT3iVFtxiHO3kuGlEKMx

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AddInProcess32.exe

description	pid	Process	procid_target
PID 3652 created 2640	3652	AddInProcess32.exe	44

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe

description	pid	Process	procid_target
PID 2168 set thread context of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3860	3652	WerFault.exe	88
5024	3652	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exeAddInProcess32.exedialer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exeAddInProcess32.exedialer.exe

pid	Process
2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe
2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe
3652	AddInProcess32.exe
3652	AddInProcess32.exe
3180	dialer.exe
3180	dialer.exe
3180	dialer.exe
3180	dialer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe

description	pid	Process
Token: SeDebugPrivilege	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exeAddInProcess32.exe

description	pid	Process	procid_target
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 2168 wrote to memory of 3652	2168	f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe	88
PID 3652 wrote to memory of 3180	3652	AddInProcess32.exe	91
PID 3652 wrote to memory of 3180	3652	AddInProcess32.exe	91
PID 3652 wrote to memory of 3180	3652	AddInProcess32.exe	91
PID 3652 wrote to memory of 3180	3652	AddInProcess32.exe	91
PID 3652 wrote to memory of 3180	3652	AddInProcess32.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3180

C:\Users\Admin\AppData\Local\Temp\f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe
"C:\Users\Admin\AppData\Local\Temp\f3cecb104527871238a34a24cd8dad012a2a435605193ed8f8d27087d2503d5c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 444
    3⤵
    - Program crash
    PID:3860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 440
    3⤵
    - Program crash
    PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3652 -ip 3652
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3652 -ip 3652
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-10-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-4-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/2168-17-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-12-0x00000000071B0000-0x00000000071B6000-memory.dmp

Filesize
24KB

Download
memory/2168-11-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/2168-5-0x0000000005AE0000-0x0000000005B24000-memory.dmp

Filesize
272KB

Download
memory/2168-6-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-7-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/2168-8-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2168-9-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/2168-1-0x0000000000310000-0x00000000008F6000-memory.dmp

Filesize
5.9MB

Download
memory/2168-3-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/2168-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/3180-34-0x0000000002080000-0x0000000002480000-memory.dmp

Filesize
4.0MB

Download
memory/3180-26-0x0000000000320000-0x0000000000329000-memory.dmp

Filesize
36KB

Download
memory/3180-33-0x0000000077770000-0x0000000077985000-memory.dmp

Filesize
2.1MB

Download
memory/3180-29-0x00007FF918570000-0x00007FF918765000-memory.dmp

Filesize
2.0MB

Download
memory/3180-30-0x0000000002080000-0x0000000002480000-memory.dmp

Filesize
4.0MB

Download
memory/3180-31-0x0000000002080000-0x0000000002480000-memory.dmp

Filesize
4.0MB

Download
memory/3180-28-0x0000000002080000-0x0000000002480000-memory.dmp

Filesize
4.0MB

Download
memory/3652-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3652-24-0x0000000077770000-0x0000000077985000-memory.dmp

Filesize
2.1MB

Download
memory/3652-25-0x0000000004020000-0x0000000004420000-memory.dmp

Filesize
4.0MB

Download
memory/3652-22-0x00007FF918570000-0x00007FF918765000-memory.dmp

Filesize
2.0MB

Download
memory/3652-20-0x0000000004020000-0x0000000004420000-memory.dmp

Filesize
4.0MB

Download
memory/3652-21-0x0000000004020000-0x0000000004420000-memory.dmp

Filesize
4.0MB

Download
memory/3652-19-0x0000000004020000-0x0000000004420000-memory.dmp

Filesize
4.0MB

Download
memory/3652-18-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3652-13-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3652-35-0x0000000004020000-0x0000000004420000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads