rhadamanthys | 6df25ecde5a1bb916916fbecc018fec4555316530ae9e6d21394c51642fe87f8

Resubmissions

12/08/2024, 13:45

240812-q2s5gatdll 10

12/08/2024, 13:42

240812-qzqxbsxfph 3

Analysis

max time kernel
599s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FirefoxData.dll
Size

892.3MB
MD5

df0323692da9ee346abc5b0058e33131
SHA1

f9cfb5752493c79d93aff8736dc29e4f7e437d19
SHA256

135f10abd48878e545df9f2e481ac1cf09f01e27086083b0a2820c3668103379
SHA512

3b00ed05f62ed811616ee239ebaa22c401a12ed20686337f03b08d5e8d957a4cba7c3366595b80edbd8c6d298137546a9f77001efccc6c8c7b47a1ca20364c2d
SSDEEP

49152:Tmp1wTHyQhBCMsvEqDZLOkALP7fivHBbsF:T21wTHF5svPDkkk2H

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2036 created 2536	2036	rundll32.exe	42
PID 4912 created 2536	4912	rundll32.exe	42

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3132	rundll32.exe
3864	rundll32.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4388	1876	WerFault.exe	85
2512	2036	WerFault.exe	122
2640	2036	WerFault.exe	122
2528	4912	WerFault.exe	131
5072	4912	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3980	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	taskmgr.exe
Token: SeSystemProfilePrivilege	3980	taskmgr.exe
Token: SeCreateGlobalPrivilege	3980	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1876	1780	rundll32.exe	85
PID 1780 wrote to memory of 1876	1780	rundll32.exe	85
PID 1780 wrote to memory of 1876	1780	rundll32.exe	85
PID 3540 wrote to memory of 1808	3540	cmd.exe	118
PID 3540 wrote to memory of 1808	3540	cmd.exe	118
PID 3540 wrote to memory of 2716	3540	cmd.exe	120
PID 3540 wrote to memory of 2716	3540	cmd.exe	120
PID 1808 wrote to memory of 3132	1808	rundll32.exe	121
PID 1808 wrote to memory of 3132	1808	rundll32.exe	121
PID 1808 wrote to memory of 3132	1808	rundll32.exe	121
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 3132 wrote to memory of 2036	3132	rundll32.exe	122
PID 2036 wrote to memory of 2616	2036	rundll32.exe	123
PID 2036 wrote to memory of 2616	2036	rundll32.exe	123
PID 2036 wrote to memory of 2616	2036	rundll32.exe	123
PID 2036 wrote to memory of 2616	2036	rundll32.exe	123
PID 2036 wrote to memory of 2616	2036	rundll32.exe	123
PID 3540 wrote to memory of 636	3540	cmd.exe	129
PID 3540 wrote to memory of 636	3540	cmd.exe	129
PID 2716 wrote to memory of 3864	2716	rundll32.exe	130
PID 2716 wrote to memory of 3864	2716	rundll32.exe	130
PID 2716 wrote to memory of 3864	2716	rundll32.exe	130
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 3864 wrote to memory of 4912	3864	rundll32.exe	131
PID 4912 wrote to memory of 2460	4912	rundll32.exe	132
PID 4912 wrote to memory of 2460	4912	rundll32.exe	132
PID 4912 wrote to memory of 2460	4912	rundll32.exe	132
PID 4912 wrote to memory of 2460	4912	rundll32.exe	132
PID 4912 wrote to memory of 2460	4912	rundll32.exe	132

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\FirefoxData.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\FirefoxData.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 540
    3⤵
    - Program crash
    PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876
1⤵
PID:2148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2192

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\system32\rundll32.exe
  rundll32 FirefoxData.dll,EntryPoint
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 FirefoxData.dll,EntryPoint
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 592
        5⤵
        Program crash
        
        PID:2512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 588
        5⤵
        Program crash
        
        PID:2640
- C:\Windows\system32\rundll32.exe
  rundll32 FirefoxData.dll,EntryPoint
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 FirefoxData.dll,EntryPoint
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 592
        5⤵
        Program crash
        
        PID:2528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 588
        5⤵
        Program crash
        
        PID:5072
- C:\Windows\system32\rundll32.exe
  rundll32 FirefoxData.dll,EntryPoint /f
  2⤵
  PID:636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2036 -ip 2036
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2036 -ip 2036
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4912 -ip 4912
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-1-0x0000000010026000-0x0000000010040000-memory.dmp

Filesize
104KB

Download
memory/1876-0-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/2036-24-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp

Filesize
2.0MB

Download
memory/2036-23-0x00000000034E0000-0x00000000038E0000-memory.dmp

Filesize
4.0MB

Download
memory/2036-21-0x0000000000170000-0x00000000001EE000-memory.dmp

Filesize
504KB

Download
memory/2036-22-0x00000000034E0000-0x00000000038E0000-memory.dmp

Filesize
4.0MB

Download
memory/2036-26-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2036-17-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2460-50-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2460-48-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp

Filesize
2.0MB

Download
memory/2460-47-0x0000000002310000-0x0000000002710000-memory.dmp

Filesize
4.0MB

Download
memory/2616-29-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/2616-27-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/2616-32-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/2616-30-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp

Filesize
2.0MB

Download
memory/3132-16-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/3132-19-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/3864-34-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/3864-37-0x0000000010000000-0x00000000101F7000-memory.dmp

Filesize
2.0MB

Download
memory/3980-14-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-2-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-11-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-12-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-13-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-8-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-9-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-10-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-4-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/3980-3-0x0000027EBB330000-0x0000027EBB331000-memory.dmp

Filesize
4KB

Download
memory/4912-39-0x0000000000CC0000-0x0000000000D3E000-memory.dmp

Filesize
504KB

Download
memory/4912-44-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/4912-42-0x00007FFBC4ED0000-0x00007FFBC50C5000-memory.dmp

Filesize
2.0MB

Download
memory/4912-41-0x0000000003A60000-0x0000000003E60000-memory.dmp

Filesize
4.0MB

Download