rhadamanthys | 9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0

General

Target

183d3258056265d85665725d1d995126.exe
Size

1.1MB
MD5

183d3258056265d85665725d1d995126
SHA1

606765ff639a2699f0e9df650ceb91b658a5521d
SHA256

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0
SHA512

8a57e8ba15f59ae1f971888b3492a04a1faf5db104743998f3ea5c41477fb36c7572547c93302e343f3aa86b6a29a615a51b904d406c11694d10915bfe0ae925
SSDEEP

24576:OoU4GxhwybZN2yb0ykH3t0P/Z63iY4Er6ySE4ppEakzEqEK/oi:OyWr2ybhkdLmPhAakzsqf

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://217.197.107.204:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4704 created 3012	4704	pipanel.exe	51

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3988	4704	WerFault.exe	98
1252	4704	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	183d3258056265d85665725d1d995126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4640	183d3258056265d85665725d1d995126.exe
4704	pipanel.exe
4704	pipanel.exe
1540	openwith.exe
1540	openwith.exe
1540	openwith.exe
1540	openwith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4640	183d3258056265d85665725d1d995126.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4640 wrote to memory of 4704	4640	183d3258056265d85665725d1d995126.exe	98
PID 4704 wrote to memory of 1540	4704	pipanel.exe	99
PID 4704 wrote to memory of 1540	4704	pipanel.exe	99
PID 4704 wrote to memory of 1540	4704	pipanel.exe	99
PID 4704 wrote to memory of 1540	4704	pipanel.exe	99
PID 4704 wrote to memory of 1540	4704	pipanel.exe	99

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3012
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Users\Admin\AppData\Local\Temp\183d3258056265d85665725d1d995126.exe
"C:\Users\Admin\AppData\Local\Temp\183d3258056265d85665725d1d995126.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\183d3258056265d85665725d1d995126.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 432
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 428
    3⤵
    - Program crash
    PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4704 -ip 4704
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4704 -ip 4704
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-27-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/1540-36-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/1540-30-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/1540-34-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/1540-31-0x00007FFCBEF30000-0x00007FFCBF125000-memory.dmp

Filesize
2.0MB

Download
memory/1540-33-0x0000000077B50000-0x0000000077D65000-memory.dmp

Filesize
2.1MB

Download
memory/1540-29-0x0000000002560000-0x0000000002960000-memory.dmp

Filesize
4.0MB

Download
memory/4640-17-0x00000000030E0000-0x0000000003160000-memory.dmp

Filesize
512KB

Download
memory/4640-11-0x0000000001660000-0x00000000016B0000-memory.dmp

Filesize
320KB

Download
memory/4640-1-0x00000000030E0000-0x0000000003160000-memory.dmp

Filesize
512KB

Download
memory/4640-2-0x0000000077DF2000-0x0000000077DF3000-memory.dmp

Filesize
4KB

Download
memory/4640-3-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/4640-0-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/4640-4-0x00000000030E0000-0x0000000003160000-memory.dmp

Filesize
512KB

Download
memory/4640-5-0x0000000000150000-0x000000000027C000-memory.dmp

Filesize
1.2MB

Download
memory/4704-22-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4704-23-0x00007FFCBEF30000-0x00007FFCBF125000-memory.dmp

Filesize
2.0MB

Download
memory/4704-12-0x0000000077DF2000-0x0000000077DF3000-memory.dmp

Filesize
4KB

Download
memory/4704-26-0x0000000077B50000-0x0000000077D65000-memory.dmp

Filesize
2.1MB

Download
memory/4704-25-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4704-13-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4704-21-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4704-20-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4704-18-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4704-19-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4704-35-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/4704-14-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing