rhadamanthys | 28319673d8f382142e223302ede1e0e497ccac2cd7a9814715726335e78c29c7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e064eddcda0b1a5a6d864b79d91bf26.exe
Size

1.5MB
MD5

1e064eddcda0b1a5a6d864b79d91bf26
SHA1

dd50f163bdade043b2f9845e481ae7debcceaa4d
SHA256

28319673d8f382142e223302ede1e0e497ccac2cd7a9814715726335e78c29c7
SHA512

87b0b37a13fbf79316c150f0e69525703888f28312c8efcd8ac2db8832e6385dabd04261a86d8f183a20e64dea12d4a0fb07c81536b6f2c5726847f8e654347c
SSDEEP

24576:GzZTGqTlTTuRQghvPWL5zLntgJET0uItpLkzX7kBJGypqL9HFmsFmFd:GgkTTuxpWLBnGJEgaYBJgHFxmFd

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://172.236.107.96/5502b8a765a7d7349/0d2mumm6.wcnlc

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Solomon.pif

description	pid	Process	procid_target
PID 1292 created 2848	1292	Solomon.pif	49

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e064eddcda0b1a5a6d864b79d91bf26.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	1e064eddcda0b1a5a6d864b79d91bf26.exe

Executes dropped EXE 1 IoCs

Processes:

Solomon.pif

pid	Process
1292	Solomon.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
1540	tasklist.exe
2020	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4264	1292	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

findstr.exetasklist.exefindstr.exechoice.execmd.exefindstr.exetasklist.exeSolomon.pifopenwith.exe1e064eddcda0b1a5a6d864b79d91bf26.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solomon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e064eddcda0b1a5a6d864b79d91bf26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Solomon.pifopenwith.exe

pid	Process
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif
2812	openwith.exe
2812	openwith.exe
2812	openwith.exe
2812	openwith.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	2020	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Solomon.pif

pid	Process
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Solomon.pif

pid	Process
1292	Solomon.pif
1292	Solomon.pif
1292	Solomon.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

1e064eddcda0b1a5a6d864b79d91bf26.execmd.exeSolomon.pif

description	pid	Process	procid_target
PID 1188 wrote to memory of 988	1188	1e064eddcda0b1a5a6d864b79d91bf26.exe	86
PID 1188 wrote to memory of 988	1188	1e064eddcda0b1a5a6d864b79d91bf26.exe	86
PID 1188 wrote to memory of 988	1188	1e064eddcda0b1a5a6d864b79d91bf26.exe	86
PID 988 wrote to memory of 1540	988	cmd.exe	91
PID 988 wrote to memory of 1540	988	cmd.exe	91
PID 988 wrote to memory of 1540	988	cmd.exe	91
PID 988 wrote to memory of 1372	988	cmd.exe	92
PID 988 wrote to memory of 1372	988	cmd.exe	92
PID 988 wrote to memory of 1372	988	cmd.exe	92
PID 988 wrote to memory of 2020	988	cmd.exe	94
PID 988 wrote to memory of 2020	988	cmd.exe	94
PID 988 wrote to memory of 2020	988	cmd.exe	94
PID 988 wrote to memory of 4116	988	cmd.exe	95
PID 988 wrote to memory of 4116	988	cmd.exe	95
PID 988 wrote to memory of 4116	988	cmd.exe	95
PID 988 wrote to memory of 1072	988	cmd.exe	97
PID 988 wrote to memory of 1072	988	cmd.exe	97
PID 988 wrote to memory of 1072	988	cmd.exe	97
PID 988 wrote to memory of 4712	988	cmd.exe	99
PID 988 wrote to memory of 4712	988	cmd.exe	99
PID 988 wrote to memory of 4712	988	cmd.exe	99
PID 988 wrote to memory of 1972	988	cmd.exe	101
PID 988 wrote to memory of 1972	988	cmd.exe	101
PID 988 wrote to memory of 1972	988	cmd.exe	101
PID 988 wrote to memory of 1292	988	cmd.exe	102
PID 988 wrote to memory of 1292	988	cmd.exe	102
PID 988 wrote to memory of 1292	988	cmd.exe	102
PID 988 wrote to memory of 3496	988	cmd.exe	103
PID 988 wrote to memory of 3496	988	cmd.exe	103
PID 988 wrote to memory of 3496	988	cmd.exe	103
PID 1292 wrote to memory of 2812	1292	Solomon.pif	108
PID 1292 wrote to memory of 2812	1292	Solomon.pif	108
PID 1292 wrote to memory of 2812	1292	Solomon.pif	108
PID 1292 wrote to memory of 2812	1292	Solomon.pif	108
PID 1292 wrote to memory of 2812	1292	Solomon.pif	108

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

C:\Users\Admin\AppData\Local\Temp\1e064eddcda0b1a5a6d864b79d91bf26.exe
"C:\Users\Admin\AppData\Local\Temp\1e064eddcda0b1a5a6d864b79d91bf26.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Pad Pad.cmd & Pad.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 241319
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "RosesRtEagleFiled" Arrived
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Christians + ..\Toll + ..\Farmers + ..\Ga + ..\Hole + ..\Backgrounds + ..\Beverages + ..\Interactions + ..\Receivers + ..\Dos + ..\Willow + ..\Lindsay + ..\Photographic B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\241319\Solomon.pif
    Solomon.pif B
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 896
      4⤵
      Program crash
      PID:4264
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1292 -ip 1292
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\241319\B

Filesize
881KB

MD5
391e7eccd25c6827bb347558f79f463a

SHA1
774ab388b256f6aad4ff5bf5175c7f4578ea6621

SHA256
77b091364e68e3b076e5310557be325c36c294c1e4d00a558953725409842610

SHA512
3c1505040a33534153d5316fb7c89736517463aa5d3b1278dc8e95e9f924823dd0a45570a5f4786e31af98a2cad046ca53767a576ccb5a3f339bfea190d9f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\241319\Solomon.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Arrived

Filesize
310B

MD5
0185a56db42a165ee45de3a7697cd719

SHA1
9f32533c96636b612de43b3fb2fb39b401c56eea

SHA256
930d658e77f5e2ac85a8bd77265fce46172b2479aa3531f7a3e76b224040b2da

SHA512
9565e7b139af0a5df3bed991ae7b68d38c7cec68814c3a00935b5e09cef7bc0af5c08035b56dfa00bcea413c334b4f57e8c0d78d0c8966b15e20aeeba728046b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backgrounds

Filesize
55KB

MD5
ec7c849ef51aaa808fb2e2b01167257a

SHA1
0fda701090fe3369884ee2acc0bc2f52d21ba388

SHA256
5916a7c92f9b67bf550ceeb624a156f03459abb95e01dee51977ade86ec7aa76

SHA512
cb6ad028815f0b36a0ba2004c9a5aa8c9e9848a7c0bb33dbe9b8242895bcc3e7dbbdad0206b116df63b33dd3774db7ebf5637ca5b766ad81311dfb576933e498

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beverages

Filesize
72KB

MD5
06636ebff20fd670a34f17dc0660a02f

SHA1
50842e5e33e54ce5977b700752d487c9f0d3fa76

SHA256
639b705356aa04fc87362eb38b2df7191a90cafacba651ce10ce021c2bcd3ac5

SHA512
311a39e4b0ea802c91df652717e3f81f438934eea02c1cb20aadc851617e25e86647a6585b48525f76fbf4c0878d07c884bfe0ce29c94c3900944a9a7297cb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Christians

Filesize
53KB

MD5
c39d2152ca76a49430b22fa8c3bad4a6

SHA1
a068ce67d60f03ce5610e95e18d1939bb78a8f51

SHA256
5cce3a0553e66e57f67ce2b3b8380f71b6f2753c6d04f5f271c5c149004ea87e

SHA512
c71f104c77ba719e1d7e9254f703be0ae0306257f129bb59bdd257b39b37c2f897c375e56dc9fa10653c0d5acda09e456d9d7def59a53c5cfecb28ed176a72b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dos

Filesize
91KB

MD5
17187b1c133cca101979e834227a8462

SHA1
3ca5d1aefee73a163159af4783e148cc05997f5d

SHA256
ed7fef33a92437398f347fc6c71b4fcd5984ef931a62086f0a8d8d3cdb47bf2f

SHA512
7ba6d0c9b3537e1370d8bdf3d1c7123dae0bae9695b763982cbc2d971d9b3cc880b7ba85d9482e9407794a086e9bb5272c2d1051b45653dd06aad93b6e1d8c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Farmers

Filesize
67KB

MD5
374e9f8645d8c9c84dbca3d376fa2232

SHA1
f13e58ec275492380f3d61e2815c76752b844524

SHA256
441800d470891d917c98a60509f5fb409d792f6b302b4fd680481c75e3b739a6

SHA512
2e9c2ab2deaa2745e9026f9f906f0c8267ec7334327ea5c30ec108b57145411207f4a33b20ac1763a4359cba30d261ab66a0613c798061ce118f40150047a54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ga

Filesize
89KB

MD5
8ce1b99268919ae2a322960c1389b430

SHA1
30bccec43fd9778578ba614b6ce28309ee990c65

SHA256
f5ccd2bd5a685a8d9b299205430364e1c1861b4211eda42c0a9aa1dfe46a342c

SHA512
88cadb5c905805c259c6995f2c743b5672e6d3fec85903e263f40b2232d2451f2f28fb1e597c4ffaa98947d870cb8b2191e87ad45103169e254c0d3ad99fd913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hole

Filesize
76KB

MD5
efa7870410bd5ea7354d44e92c7b003b

SHA1
8a34b6f22d3762f256e4e29f9d4545eaa77c6dbb

SHA256
215d284cc65cd710287417d71029135d06451495d6a55d4b9325702064fba5b8

SHA512
30ec41ebd13c27796aafc8600ccdb9c5a547aeaba96a00f74802b1cca4ba251fa5de311f842e398f174119862296978a3d22180eabeb2abfb58b8da8193de45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interactions

Filesize
90KB

MD5
de1bb709f102c6ae90cd5fac04443161

SHA1
d2beeed4dbcbb77b62e8b39b9ce75eb03d102d05

SHA256
1b32207d8e9edace6fb6e6dec67f3be8a2d47db06d59f25c2dd636e898b9a30d

SHA512
c1c818f068e18a179d7f5ffeadf8426bf2fa77514c572f5b5ae74dd9884569421e643bb58c5cc2448d20b28b5fd08834aed4894c0921417fcfe1d2533c5ca351

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lindsay

Filesize
88KB

MD5
10e8fb672200f58c8b9890d80f7397ac

SHA1
44ffe61d318bfba9ba9f4e0945540ea7e2ee17cc

SHA256
6f577dd0f31f69c9a8af9fb5b7fe767e45412cff5c4cc38096aa296f6bc990ab

SHA512
3739397a2e6026a807d37e31d5a901829b386151009762c1cfa5352fd7987161d02a12ed667c136d1168999f09ff9b52bfe062a764a314bd93d244446a7c4b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pad

Filesize
13KB

MD5
959f5dd61aee97cd58e990d904a7d616

SHA1
f55f89830f5cc630d03b8616d762261ca17302bb

SHA256
4e7c71ec0fbd5a49568131b48c5d56a6c34f98d5643012d5f076858c9d678d50

SHA512
909fb61e40943b10b3546ee1a54f10a07e2e45c1df2ed7b68483cd5b6fe3de8564f88fa5f3e66a0f57322e2c679baa33cffc46637b58c00a4934a60c9cef9c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Photographic

Filesize
9KB

MD5
4fcfb49cf9b7e9275aa361d66295eebb

SHA1
455f6315bfe03be71beee000f3d806c79b676aaf

SHA256
72d49c2b48d48a01eff21525e92ba32fd5024f48435e9b2e76842f431db637b6

SHA512
b0ec679e7e7f2f93c6e2d97adab7c6c2e9969ae43961150a5295e67c2e468e9a51c3bf053f40033bfe4a9c9f2113db31808c536b7796d5d2423d4fe92609e72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Receivers

Filesize
56KB

MD5
7492e93eb182c4a192a575434d44fce2

SHA1
cd1484af93b075e6ebbf0bed13d38c2a2bccd023

SHA256
a4446752a39b33c87e67c04be85daa18493b07d7e4589985b936e5f02f83b60d

SHA512
9d0a3f12d0641d3edfdf3951961c8f9300bc0280d1657a3f1389ee746b24127c588f1bcbeab12af4aa44f5b30e29c9a478b3e38fb8f829955e36896b46a4f196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stomach

Filesize
872KB

MD5
c9f4552f24606020ccce3341611d353e

SHA1
30636bf578a9a05404d50bde21088b6d6a05e111

SHA256
bc52236d68e32251d82f6529c06b158f91688d12b63d9aec65dbb493d74177a3

SHA512
2d17f3dc86740689311cd941b55fb4b75b3791324116e4d0c5ae29c2f190ef15ed31ac141523a32a0c129466e18abc163b4141cf596b64542e5c5871dcbc8d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Toll

Filesize
54KB

MD5
0b822930f43feb6a523e2b7478c943b2

SHA1
6bd39e29ab1b4e475c545ce41284b409759f8a64

SHA256
d84721ee1bf5fe6eec6e4fb42a0a96a86a3bb10d02cd57590ceb10fba3609f46

SHA512
57a96ebb9cf4f3d9d0e50512881c33fbba80f21fa593434a700a5019204803472e81d9f9cdf5ef1d3237f486afeca60c876b0bbcec2d10cd157e688c7a78658f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Willow

Filesize
81KB

MD5
b0ed4fc0800b81de64aba363cd7fda59

SHA1
a93167e4fc3bc6fe08f813d4b4d1bd5251020d6e

SHA256
b98900ce6f107703f3c6c56f9c8ff4676fa0a7260c1698b23659bf3e7d5eb2f4

SHA512
dd912543e31eb017261c8e2d47ba8587bc536e017d3a4f3f9f164ff12417a9117a6afee6aae5d587454b8972e06624f34c2f5e1f8463b3952126877028a91849

Download Submit
memory/1292-46-0x0000000005C70000-0x0000000006070000-memory.dmp

Filesize
4.0MB

Download
memory/1292-47-0x0000000005C70000-0x0000000006070000-memory.dmp

Filesize
4.0MB

Download
memory/1292-41-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-43-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-45-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-44-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-39-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-40-0x0000000004AC0000-0x0000000004B3E000-memory.dmp

Filesize
504KB

Download
memory/1292-48-0x00007FF9F2B50000-0x00007FF9F2D45000-memory.dmp

Filesize
2.0MB

Download
memory/1292-50-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/2812-51-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2812-53-0x00000000024C0000-0x00000000028C0000-memory.dmp

Filesize
4.0MB

Download
memory/2812-56-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/2812-54-0x00007FF9F2B50000-0x00007FF9F2D45000-memory.dmp

Filesize
2.0MB

Download