rhadamanthys | b289ea0b20dec50003128814ed38147ec248865b098f17aa82daf0c40f7c5d21

Analysis

max time kernel
130s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fixer/Win64.exe
Size

238KB
MD5

01b8c89eb83646a038d9cb368e686bdb
SHA1

5f217b7ec06fb5b96bb9f5c9def89f368b98cc58
SHA256

40c823f1d6c00f1ea2482833d7c45773b6830cc812f5352aff102df63330aea7
SHA512

6e5d7272088391c423feafe947310c049125aea22a1857b9f732d3d323cd11ab1c838fa1e056629f0882a91ec05cd33ac6f3cf0ec4bdb0c039f5a8416c7975d4
SSDEEP

3072:3uw4AsOzMKuNIlQ/mciPffLHa1d+Dylq5YQooYJoT1jUWXYCJzVaXlZX:3N4AqKQmUmci3fO1d+/dPYajw7

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/gful07nl.rfoel

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

aspnet_regiis.exe

description	pid	Process	procid_target
PID 4396 created 2504	4396	aspnet_regiis.exe	50

Loads dropped DLL 1 IoCs

Processes:

Win64.exe

pid	Process
4304	Win64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Win64.exe

description	pid	Process	procid_target
PID 4304 set thread context of 4396	4304	Win64.exe	88

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4320	4396	WerFault.exe	88
3540	4396	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aspnet_regiis.exeopenwith.exeWin64.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

aspnet_regiis.exeopenwith.exe

pid	Process
4396	aspnet_regiis.exe
4396	aspnet_regiis.exe
3404	openwith.exe
3404	openwith.exe
3404	openwith.exe
3404	openwith.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Win64.exeaspnet_regiis.exe

description	pid	Process	procid_target
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4304 wrote to memory of 4396	4304	Win64.exe	88
PID 4396 wrote to memory of 3404	4396	aspnet_regiis.exe	91
PID 4396 wrote to memory of 3404	4396	aspnet_regiis.exe	91
PID 4396 wrote to memory of 3404	4396	aspnet_regiis.exe	91
PID 4396 wrote to memory of 3404	4396	aspnet_regiis.exe	91
PID 4396 wrote to memory of 3404	4396	aspnet_regiis.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2504
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Users\Admin\AppData\Local\Temp\fixer\Win64.exe
"C:\Users\Admin\AppData\Local\Temp\fixer\Win64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 436
    3⤵
    - Program crash
    PID:4320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 432
    3⤵
    - Program crash
    PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4396 -ip 4396
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
641KB

MD5
2d0b9013e47fdc0480ab32799cd62799

SHA1
e7fb40062b7beaa04442555ddac1401450d0805b

SHA256
bb462874407a759e97bd04d781791d1d0f44eabfc9abc9a39313e3c9cf5a9e37

SHA512
9fa06691c6e699ba9680998bfdc08830fc164a263f84285ca0ae2ec8db617761a0c99c8bc728ab61276af2549a93952f5897c09eafb53753de17473bdc79e029

Download Submit
memory/3404-29-0x0000000002940000-0x0000000002D40000-memory.dmp

Filesize
4.0MB

Download
memory/3404-22-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/3404-30-0x0000000002940000-0x0000000002D40000-memory.dmp

Filesize
4.0MB

Download
memory/3404-25-0x0000000002940000-0x0000000002D40000-memory.dmp

Filesize
4.0MB

Download
memory/3404-28-0x0000000076FF0000-0x0000000077205000-memory.dmp

Filesize
2.1MB

Download
memory/3404-26-0x00007FFE817D0000-0x00007FFE819C5000-memory.dmp

Filesize
2.0MB

Download
memory/3404-24-0x0000000002940000-0x0000000002D40000-memory.dmp

Filesize
4.0MB

Download
memory/4304-10-0x0000000077861000-0x0000000077981000-memory.dmp

Filesize
1.1MB

Download
memory/4396-15-0x0000000003690000-0x0000000003A90000-memory.dmp

Filesize
4.0MB

Download
memory/4396-31-0x0000000003690000-0x0000000003A90000-memory.dmp

Filesize
4.0MB

Download
memory/4396-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4396-20-0x0000000076FF0000-0x0000000077205000-memory.dmp

Filesize
2.1MB

Download
memory/4396-17-0x0000000003690000-0x0000000003A90000-memory.dmp

Filesize
4.0MB

Download
memory/4396-16-0x0000000003690000-0x0000000003A90000-memory.dmp

Filesize
4.0MB

Download
memory/4396-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4396-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4396-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4396-18-0x00007FFE817D0000-0x00007FFE819C5000-memory.dmp

Filesize
2.0MB

Download
memory/4396-21-0x0000000003690000-0x0000000003A90000-memory.dmp

Filesize
4.0MB

Download