rhadamanthys | 0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-08-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
Size

7.0MB
MD5

14462f8ec7a645f19b10247328c22ec7
SHA1

6f43200e64a2ce622f0aedd77375bc2354392cad
SHA256

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861
SHA512

86f1f7f57f3950923b39da1d2c2231b8ef28268b7c37a5352a2c8329636bc4ddc5013a750674f64572879496764eea8ed4fc2e650b86a72378caae4e4710b2dd
SSDEEP

196608:rHDQahBiIbZg4T4hac7p6eDcGRY9iTfh/7/Nv6Bj:rHD5h1behacQeHwibh/71vW

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://147.124.222.184:7232/2ff7fa032802244/tnvi7gis.n72p2

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegSvcs.exe

description pid process target process

PID 3552 created 2992 3552 RegSvcs.exe sihost.exe

description	pid	process	target process
PID 3552 created 2992	3552	RegSvcs.exe	sihost.exe

Loads dropped DLL 9 IoCs

Processes:

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe

pid	process
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe

description	pid	process	target process
PID 4780 set thread context of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3088 3552 WerFault.exe RegSvcs.exe
3080 3552 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
3088	3552	WerFault.exe	RegSvcs.exe
3080	3552	WerFault.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exeRegSvcs.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exeopenwith.exe

pid process

3552 RegSvcs.exe
3552 RegSvcs.exe
2020 openwith.exe
2020 openwith.exe
2020 openwith.exe
2020 openwith.exe

pid	process
3552	RegSvcs.exe
3552	RegSvcs.exe
2020	openwith.exe
2020	openwith.exe
2020	openwith.exe
2020	openwith.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exeRegSvcs.exe

description	pid	process	target process
PID 1992 wrote to memory of 4780	1992	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
PID 1992 wrote to memory of 4780	1992	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
PID 1992 wrote to memory of 4780	1992	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 4780 wrote to memory of 3552	4780	0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe	RegSvcs.exe
PID 3552 wrote to memory of 2020	3552	RegSvcs.exe	openwith.exe
PID 3552 wrote to memory of 2020	3552	RegSvcs.exe	openwith.exe
PID 3552 wrote to memory of 2020	3552	RegSvcs.exe	openwith.exe
PID 3552 wrote to memory of 2020	3552	RegSvcs.exe	openwith.exe
PID 3552 wrote to memory of 2020	3552	RegSvcs.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2992
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

C:\Users\Admin\AppData\Local\Temp\0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
"C:\Users\Admin\AppData\Local\Temp\0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe
  "C:\Users\Admin\AppData\Local\Temp\0cfd01603f092d5d793fdd11776c8e6ecb2bd1e48c4254d7efa3942879164861.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 460
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 456
      4⤵
      Program crash
      PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 3552
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3552 -ip 3552
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19922\VCRUNTIME140.dll

Filesize
74KB

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_ctypes.pyd

Filesize
114KB

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_hashlib.pyd

Filesize
51KB

MD5
306337b62fac65f80cdff7ecde572134

SHA1
97bdbab0792ee3f601a49a5cc8c5659cacbbd412

SHA256
b8a52b9347b2892e4309b4e7386e425a386a7ec3ab0437fa3ac9e3adf3d12d0e

SHA512
64519625158d0fa1bae8e46bc70bebebcf917a1f48ce2062c21c950c5a007ea2863d5d3c126d2b7ee0dae445b8f9a09901bf9b7564c4083cb51788a1c320c926

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_socket.pyd

Filesize
69KB

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\_uuid.pyd

Filesize
20KB

MD5
57d1ce47beec7887052b7f483af087ad

SHA1
5700079af8e2935a15f43f83acf0c599b8d5b549

SHA256
06530260df043ed6515ffdb371f797b7c2cc5e824b848a341f40691cead64ebe

SHA512
7aa94e5b6664c767da054fbacb19a6386007d83db0659dd9c62fc17d3aadc2855e5421f9bf15b7b8a01e6bc93bd6ef1c9d425246f1431bda141e066bc20236f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\base_library.zip

Filesize
781KB

MD5
d214306a963d6db9dbe73c65d9b7c23e

SHA1
e42d3786f3ecf2cffee2ca2b7821973630431231

SHA256
5dd6afe3439d4eb8673de441ed980825919110abc2b1360c7a02a3cc365fcca8

SHA512
76601a39f1e84eaf3257a4989a45b6e2ee8492788239bb8f42729bfdbfbd3a50949295fd459ee4d9649fd16c3815740d7bf8152c4b707432a2a480ced711473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\libcrypto-1_1.dll

Filesize
2.2MB

MD5
31c2130f39942ac41f99c77273969cd7

SHA1
540edcfcfa75d0769c94877b451f5d0133b1826c

SHA256
dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad

SHA512
cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python39.dll

Filesize
4.3MB

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\select.pyd

Filesize
24KB

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
memory/2020-63-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2020-72-0x00007FF85B680000-0x00007FF85B889000-memory.dmp

Filesize
2.0MB

Download
memory/2020-65-0x00007FF85B680000-0x00007FF85B889000-memory.dmp

Filesize
2.0MB

Download
memory/2020-68-0x00007FF85B680000-0x00007FF85B889000-memory.dmp

Filesize
2.0MB

Download
memory/2020-70-0x0000000076620000-0x0000000076872000-memory.dmp

Filesize
2.3MB

Download
memory/2020-66-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-55-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-58-0x00007FF85B680000-0x00007FF85B889000-memory.dmp

Filesize
2.0MB

Download
memory/3552-60-0x00007FF85B681000-0x00007FF85B7AA000-memory.dmp

Filesize
1.2MB

Download
memory/3552-57-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-62-0x0000000076620000-0x0000000076872000-memory.dmp

Filesize
2.3MB

Download
memory/3552-59-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-56-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-40-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3552-43-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3552-41-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3552-71-0x0000000003DD0000-0x00000000041D0000-memory.dmp

Filesize
4.0MB

Download
memory/3552-42-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download