rhadamanthys | cffc1aa878acf0050880a3e71017e09e557fe8785ad57a9aab8fb2d9846f426c

Analysis

max time kernel
155s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
21-08-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_Installer_x32_x64.exe
Size

65.2MB
MD5

5a9fbc711d0d48ff0a3bcd88c85ca190
SHA1

dfdc8f4accf88a7962303c96d6db883a5b4a7df4
SHA256

cffc1aa878acf0050880a3e71017e09e557fe8785ad57a9aab8fb2d9846f426c
SHA512

ac52cf6281d954315af4170a46c62d01f3ec2996a57f1fac0c30f79fe5abce91f7ad0ef402f9284277ba5bee23110cdb97553665e265ab2020b11af0bcacc2d8
SSDEEP

24576:b8IaZblcaDxTdPGSrVSLg4p1R7i+S7vCYh:bfSbzDDgpj7iX

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://172.236.107.96/5502b8a765a7d7349/jhwj0w4u.rjdbs

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Loads dropped DLL 1 IoCs

Processes:

Setup_Installer_x32_x64.exe

pid	Process
3652	Setup_Installer_x32_x64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSBuild.exe

description	pid	Process	procid_target
PID 5116 set thread context of 4656	5116	MSBuild.exe	72

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
168	4656	WerFault.exe	72

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup_Installer_x32_x64.exeMSBuild.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_Installer_x32_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	Process
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
988	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	988	taskmgr.exe
Token: SeSystemProfilePrivilege	988	taskmgr.exe
Token: SeCreateGlobalPrivilege	988	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	Process
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Setup_Installer_x32_x64.exeMSBuild.exe

description	pid	Process	procid_target
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 3652 wrote to memory of 5116	3652	Setup_Installer_x32_x64.exe	71
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72
PID 5116 wrote to memory of 4656	5116	MSBuild.exe	72

C:\Users\Admin\AppData\Local\Temp\Setup_Installer_x32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_Installer_x32_x64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 580
      4⤵
      Program crash
      PID:168

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
639KB

MD5
dbea053f1ab66836f8224aca25f36061

SHA1
d48d18db14823eb13c234b2a5f6a982bc09b6852

SHA256
2440f312c4c24a888becc012926fe83bf19d73a8a4fe683c93a9f12c49206026

SHA512
b529eca33c49fdfded317e7e3ad8a62ce29fe77c30ee24bc11824238720e93cbe8959fb98ba1188c19a5bbc598165769ad0abd0b6622c88cad410c1fa463da59

Download Submit
memory/3652-1-0x0000000000F30000-0x00000000010FA000-memory.dmp

Filesize
1.8MB

Download
memory/3652-9-0x0000000077BD1000-0x0000000077CE4000-memory.dmp

Filesize
1.1MB

Download
memory/3652-22-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/3652-11-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/3652-0-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

Filesize
4KB

Download
memory/4656-18-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4656-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4656-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4656-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5116-12-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/5116-19-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/5116-21-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/5116-10-0x0000000000570000-0x00000000005E2000-memory.dmp

Filesize
456KB

Download