rhadamanthys | 51e95071ed43d6e2feb3fb36433dcc0a0193b7b041dddf452b1837cac7df4f11

Analysis

max time kernel
64s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solara_2.exe
Size

11.5MB
MD5

10205252ca249fa1c32b459db98d2da0
SHA1

55201ee77daf0beb89a475d4c719e90df54d0ef5
SHA256

51e95071ed43d6e2feb3fb36433dcc0a0193b7b041dddf452b1837cac7df4f11
SHA512

bdc99f8494b1b554df42f2d48dba93a6d1d1ef196543f695ad8395a239cb7aba539b7bde984f4204d2f010ed3dbc774b944fed9a255b79a16195021fa2cb2469
SSDEEP

196608:y2rX5Z1ztd1I+HqNkmZEt5gebZ2HYVf6/E6SPKpvx7Dnx9QR4ktSc5+msp8PQoiA:bTJJjICmeVbZ6Ydv6SPKphx9QRwmshob

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description	pid	Process	procid_target
PID 2696 created 680	2696	RegAsm.exe	50

Executes dropped EXE 4 IoCs

Processes:

Solara.exeSolara.exeSolara.exeSolara.exe

pid	Process
3764	Solara.exe
3952	Solara.exe
4344	Solara.exe
5088	Solara.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Solara.exeSolara.exeSolara.exeSolara.exe

description	pid	Process	procid_target
PID 3764 set thread context of 2696	3764	Solara.exe	88
PID 3952 set thread context of 2604	3952	Solara.exe	96
PID 4344 set thread context of 4848	4344	Solara.exe	105
PID 5088 set thread context of 2540	5088	Solara.exe	110

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3300	2696	WerFault.exe	88
5000	2696	WerFault.exe	88
5812	2604	WerFault.exe	96
2236	2604	WerFault.exe	96
2564	4848	WerFault.exe	105
4512	4848	WerFault.exe	105
5328	2540	WerFault.exe	110
4520	2540	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exeRegAsm.exeopenwith.exeRegAsm.exeSolara.exeSolara.exeRegAsm.exesolara_2.exeSolara.exeSolara.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	solara_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exeopenwith.exe

pid	Process
2696	RegAsm.exe
2696	RegAsm.exe
5076	openwith.exe
5076	openwith.exe
5076	openwith.exe
5076	openwith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
1332	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	1332	7zFM.exe
Token: 35	1332	7zFM.exe
Token: SeSecurityPrivilege	1332	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

solara_2.exe7zFM.exe

pid	Process
5840	solara_2.exe
1332	7zFM.exe
1332	7zFM.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

Solara.exeRegAsm.exeSolara.exeSolara.exeSolara.exe

description	pid	Process	procid_target
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 3764 wrote to memory of 2696	3764	Solara.exe	88
PID 2696 wrote to memory of 5076	2696	RegAsm.exe	89
PID 2696 wrote to memory of 5076	2696	RegAsm.exe	89
PID 2696 wrote to memory of 5076	2696	RegAsm.exe	89
PID 2696 wrote to memory of 5076	2696	RegAsm.exe	89
PID 2696 wrote to memory of 5076	2696	RegAsm.exe	89
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 3952 wrote to memory of 2604	3952	Solara.exe	96
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 4344 wrote to memory of 4848	4344	Solara.exe	105
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110
PID 5088 wrote to memory of 2540	5088	Solara.exe	110

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:680
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5076

C:\Users\Admin\AppData\Local\Temp\solara_2.exe
"C:\Users\Admin\AppData\Local\Temp\solara_2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1564

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\solara\solara.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1332

C:\Users\Admin\Desktop\solara\Solara.exe
"C:\Users\Admin\Desktop\solara\Solara.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 552
    3⤵
    - Program crash
    PID:3300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 560
    3⤵
    - Program crash
    PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2696 -ip 2696
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2696 -ip 2696
1⤵
PID:1264

C:\Users\Admin\Desktop\solara\Solara.exe
"C:\Users\Admin\Desktop\solara\Solara.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 492
    3⤵
    - Program crash
    PID:5812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 500
    3⤵
    - Program crash
    PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2604 -ip 2604
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2604 -ip 2604
1⤵
PID:5488

C:\Users\Admin\Desktop\solara\Solara.exe
"C:\Users\Admin\Desktop\solara\Solara.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 492
    3⤵
    - Program crash
    PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 504
    3⤵
    - Program crash
    PID:4512

C:\Users\Admin\Desktop\solara\Solara.exe
"C:\Users\Admin\Desktop\solara\Solara.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 492
    3⤵
    - Program crash
    PID:5328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 500
    3⤵
    - Program crash
    PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4848 -ip 4848
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2540 -ip 2540
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2540 -ip 2540
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solara.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\Desktop\solara\Solara.exe

Filesize
443KB

MD5
ca3a48c58e2e078037d6fe0432565caa

SHA1
665d5d7c26f6e37287f0ca16a72804a01e8b7169

SHA256
9bbe90d9cfa9e088d0a2c31bd1b8f93c2a9bb8a792ff99ec4bbc7ca1c44491c2

SHA512
bd95c53c7340e00f72b6b361cffa8a87d4fe2d2b2f398378862144498acb8a18d39813d8f9113ee632b55c8fbeaf549b384336a8fae7b26eeb848db9e6853e95

Download Submit
C:\Users\Admin\Desktop\solara\solara.7z

Filesize
11.3MB

MD5
b1e2544b1d4588a206c0f4b798c6f718

SHA1
68b6401a9e817ea9f88eac038aa75ce572175e6b

SHA256
55a6d7f91707e4a07ae2e521752c849695ba2454b0bcfc8f8911ec976c6f9372

SHA512
80d14441431f7c9af0cafa44f7eb472c08e04c0346b91e7c2373f2f1ad1283b6082e75534ae6e8a2f44deff53a91b52e765c2ca3340476cd5771598c601940ec

Download Submit
memory/2540-92-0x0000000003AA0000-0x0000000003EA0000-memory.dmp

Filesize
4.0MB

Download
memory/2540-86-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2540-88-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2604-76-0x0000000003980000-0x0000000003D80000-memory.dmp

Filesize
4.0MB

Download
memory/2604-74-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2604-72-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-53-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-55-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-52-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-61-0x0000000076E00000-0x0000000077052000-memory.dmp

Filesize
2.3MB

Download
memory/2696-59-0x00007FFFEB340000-0x00007FFFEB549000-memory.dmp

Filesize
2.0MB

Download
memory/2696-58-0x0000000003B60000-0x0000000003F60000-memory.dmp

Filesize
4.0MB

Download
memory/2696-57-0x0000000003B60000-0x0000000003F60000-memory.dmp

Filesize
4.0MB

Download
memory/3764-49-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/3764-50-0x00000000000A0000-0x0000000000112000-memory.dmp

Filesize
456KB

Download
memory/4848-80-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4848-82-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4848-90-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/5076-67-0x0000000076E00000-0x0000000077052000-memory.dmp

Filesize
2.3MB

Download
memory/5076-65-0x00007FFFEB340000-0x00007FFFEB549000-memory.dmp

Filesize
2.0MB

Download
memory/5076-64-0x00000000020E0000-0x00000000024E0000-memory.dmp

Filesize
4.0MB

Download
memory/5076-62-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download