rhadamanthys | 7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e

Resubmissions

22-08-2024 15:41

240822-s4zq5svdqd 10

22-08-2024 15:36

240822-s1zlzaxcqn 10

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe
Size

443KB
MD5

2b1106b098715cdfb812022093fd72d9
SHA1

a296d6de40d7b1b4ff881ad95c45d769516b49f5
SHA256

7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e
SHA512

0d9b0b690ca887115c54953fdfb546a0c395afa79dd15b7638b1d08381a439dfa9c24e914f946f8ee92cd90d8e19d30ea06715ed1c6406d8c0e2535ec5196935
SSDEEP

12288:kueVM4mtaswkUJBK1ZEU+QI2Dk+sK2bEm724Z5:kuCqaYgQrIOkW2Im72a

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/ir9791e2.fw01k

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	2488	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2436 wrote to memory of 2488	2436	7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe	31
PID 2488 wrote to memory of 2824	2488	RegAsm.exe	32
PID 2488 wrote to memory of 2824	2488	RegAsm.exe	32
PID 2488 wrote to memory of 2824	2488	RegAsm.exe	32
PID 2488 wrote to memory of 2824	2488	RegAsm.exe	32

C:\Users\Admin\AppData\Local\Temp\7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe
"C:\Users\Admin\AppData\Local\Temp\7b4a0714d5b8c42fd15f030ba1562a1e17b65330514e523ad7be50f8df1a508e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 252
    3⤵
    - Program crash
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000000B00000-0x0000000000B72000-memory.dmp

Filesize
456KB

Download
memory/2436-12-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-17-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2488-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-5-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-3-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-16-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2488-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download