rhadamanthys | 6135bdbcfd9f824b3da0bef2ba73018a998967e20c5d0274c6a1c0433649b017

General

Target

LWClient.exe
Size

355KB
MD5

bb84cc2853596d21a318576c4995fcce
SHA1

477a224d5b4e398b34a978ac19def1cbafb211d3
SHA256

6135bdbcfd9f824b3da0bef2ba73018a998967e20c5d0274c6a1c0433649b017
SHA512

aa32be3d91bf6e2c8fed0d0e0407723466b477ab0d27c5d3cd705ac73365ab4c56de4f16d4786ee586e750d6835eba09775dbf5a93b0da0eaea4326f2fc2bd5c
SSDEEP

6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqksb:gf2R/EEkCQFYDwRqv

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

LWClient.exeLWClient.exeLWClient.exe

description	pid	Process	procid_target
PID 5384 created 2684	5384	LWClient.exe	44
PID 5876 created 2684	5876	LWClient.exe	44
PID 4300 created 2684	4300	LWClient.exe	44

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dialer.exeLWClient.exedialer.exeLWClient.exedialer.exeLWClient.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LWClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LWClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LWClient.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
1444	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

LWClient.exedialer.exeLWClient.exedialer.exeLWClient.exedialer.exe

pid	Process
5384	LWClient.exe
5384	LWClient.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
5876	LWClient.exe
5876	LWClient.exe
1156	dialer.exe
1156	dialer.exe
1156	dialer.exe
1156	dialer.exe
4300	LWClient.exe
4300	LWClient.exe
4952	dialer.exe
4952	dialer.exe
4952	dialer.exe
4952	dialer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

LWClient.exeLWClient.exeLWClient.exe

description	pid	Process	procid_target
PID 5384 wrote to memory of 1492	5384	LWClient.exe	91
PID 5384 wrote to memory of 1492	5384	LWClient.exe	91
PID 5384 wrote to memory of 1492	5384	LWClient.exe	91
PID 5384 wrote to memory of 1492	5384	LWClient.exe	91
PID 5384 wrote to memory of 1492	5384	LWClient.exe	91
PID 5876 wrote to memory of 1156	5876	LWClient.exe	114
PID 5876 wrote to memory of 1156	5876	LWClient.exe	114
PID 5876 wrote to memory of 1156	5876	LWClient.exe	114
PID 5876 wrote to memory of 1156	5876	LWClient.exe	114
PID 5876 wrote to memory of 1156	5876	LWClient.exe	114
PID 4300 wrote to memory of 4952	4300	LWClient.exe	116
PID 4300 wrote to memory of 4952	4300	LWClient.exe	116
PID 4300 wrote to memory of 4952	4300	LWClient.exe	116
PID 4300 wrote to memory of 4952	4300	LWClient.exe	116
PID 4300 wrote to memory of 4952	4300	LWClient.exe	116

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2684
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4952

C:\Users\Admin\AppData\Local\Temp\LWClient.exe
"C:\Users\Admin\AppData\Local\Temp\LWClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2480

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SwitchTrace.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:1444

C:\Users\Admin\AppData\Local\Temp\LWClient.exe
"C:\Users\Admin\AppData\Local\Temp\LWClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5876

C:\Users\Admin\AppData\Local\Temp\LWClient.exe
"C:\Users\Admin\AppData\Local\Temp\LWClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CheckpointFormat.DVR

Filesize
769KB

MD5
e8f21b1eb793060bc8b38d4a4314d725

SHA1
8a007978dcb1197d455930bbb50e81ed44567bd6

SHA256
6458116ed528d8851f8d767077d590acb5e801661c3c5bdf8b644bade10d80f1

SHA512
8d090131af71e77eac7a4fe025c61d5128acce00922b9bfc95ba303097dcb2fce120fc71a21941a6c1defec7f624359aab846f38dae7d0defe0bb7e13c17a60d

Download Submit
C:\Users\Admin\Desktop\CloseMount.eps

Filesize
594KB

MD5
64f7b8e89f4c67d046523a2880ad9f7c

SHA1
45ad634f2bdde677fd601f78e62a3a5950233a72

SHA256
63c3a06e9dd4d460f088de66067794c3c3d0d4b22d4a2d9bcb3937f0bd554f99

SHA512
e16b989a49822bb87fdfb2fef9ab7e8f736e4d054281aa63d9ce4ce3264becfb2356e78534ce9c9dd2171d780e796facb8fe731a2fc8ee98a6367d7178b7e189

Download Submit
C:\Users\Admin\Desktop\ConvertToOptimize.css

Filesize
808KB

MD5
1c6541deb4e1a646a0807b32c9358e8e

SHA1
44326f91c754e106f1eee4e725af108fd8cbb68e

SHA256
03f7b1e21062a97d67ad900b10b34ae290ae4f358e1201208521884db4b1ea81

SHA512
0c48f7700c7b468f32178b1f54779d75d4dbfa25d38323c32672670302238a8a9591d79b4c37310e69aa31ef5e752268aebf5a73fb9853d364446728c7c2e45e

Download Submit
C:\Users\Admin\Desktop\DenyGrant.kix

Filesize
282KB

MD5
e03340c1a0528267384e8acf0fdf79ac

SHA1
067c356410bdb9e35199a3a658ba8ca328818bab

SHA256
d31e48d6df086ad95bbb6979d583676ce340369d1cc45ea50ff5082e33eab91e

SHA512
5c5cb02981c8bd747b24d988132b1fcafabe7d8109948eec38e2b2b947714d0be3335916a49e2e2e38436033d97a62f65d2f5b0236b31f0abaa926858ce4e717

Download Submit
C:\Users\Admin\Desktop\GetPublish.ico

Filesize
633KB

MD5
0fc19f275c5aecda78247df05e7db491

SHA1
a86ccfb0ac9505b04c695f720e238e1ce00415ea

SHA256
06458caff46512ac708b4d624ba9029b4c9fec255496b4e5ca453f94c7043771

SHA512
759a57fc9eca719abba7f8ad4efe95b63fbcc3339b9d9aa589bcdecc0fa1c181c921bf4fd0d04a46b684d166c51853ae844d3bedfa39aafa0605fa862342d9b1

Download Submit
C:\Users\Admin\Desktop\SwitchTrace.cmd

Filesize
672KB

MD5
3d0b5a06445f8d076ab158e660019bd2

SHA1
72c6115a79c7d0bb0f7497db8ac6bf77655c3310

SHA256
056a141c06e84fd6a6d9ad9884399068de15d109a6b997895c919570ee8aaaf7

SHA512
d3c600e795c5fb55d396176217dcc5840f5280fabc9fda950457ee252acc7c47b568eba1fc49b7d09744842994ac0b4332357919b7f18f3b91e0f36672a9be6f

Download Submit
C:\Users\Admin\Desktop\UninstallSelect.xps

Filesize
340KB

MD5
7f8411dbf3f3614b9e26ef94b7948116

SHA1
afe4d5121cdbdf99d160421bbd5783098dd6e0ce

SHA256
c5532404bfa552b30e15c532bd855b1ae8714fbcbcedf4593d4eb9c607cd389c

SHA512
76cf4820f0ff9ce0a2fd915cf5eebeb7531e1a65680e51ff9e0fb54359806e22e24d55544fe86ad4ab6dd7465547a5c282f149791cf67da8430dc4d3b78181e2

Download Submit
C:\Users\Admin\Desktop\UnlockConnect.ico

Filesize
360KB

MD5
97ffd845a250317db72740d9ca508d2c

SHA1
babc1194104c9c7b659bd46dd9bc0fe20354ae50

SHA256
0e4c47889b38f6179516799bacaf5bc84b11b95287334d549f29f91feb710802

SHA512
a634e460f8053837422ece8882ba7d217a94dab6186fd8d34971b8664b8d9169045b6d0dc6f1582496ef7f32dc86c79205a545fd2007ceb693f0ae0f533db134

Download Submit
memory/1156-34-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/1156-33-0x0000000002790000-0x0000000002B90000-memory.dmp

Filesize
4.0MB

Download
memory/1156-36-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/1492-8-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/1492-16-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/1492-14-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1492-17-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1492-13-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/1492-11-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/1492-12-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/4300-38-0x0000000003D80000-0x0000000004180000-memory.dmp

Filesize
4.0MB

Download
memory/4300-39-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/4300-41-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/4952-44-0x0000000002940000-0x0000000002D40000-memory.dmp

Filesize
4.0MB

Download
memory/4952-47-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/4952-45-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/5384-4-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/5384-0-0x0000000000030000-0x000000000009D000-memory.dmp

Filesize
436KB

Download
memory/5384-9-0x0000000000030000-0x000000000009D000-memory.dmp

Filesize
436KB

Download
memory/5384-7-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/5384-5-0x0000000003530000-0x0000000003930000-memory.dmp

Filesize
4.0MB

Download
memory/5384-3-0x0000000003530000-0x0000000003930000-memory.dmp

Filesize
4.0MB

Download
memory/5384-2-0x0000000003530000-0x0000000003930000-memory.dmp

Filesize
4.0MB

Download
memory/5384-1-0x0000000003530000-0x0000000003930000-memory.dmp

Filesize
4.0MB

Download
memory/5876-30-0x0000000076740000-0x0000000076955000-memory.dmp

Filesize
2.1MB

Download
memory/5876-28-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/5876-27-0x0000000003320000-0x0000000003720000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads