rhadamanthys | 8d5a7124097323dc0f569a95eebc185fe456fa19bdc6186cf99ee858ab557941

General

Target

1temp694.exe
Size

1.2MB
MD5

3dee5861e10fa13a29d0ef0593b5be77
SHA1

a6cb12aeefca226adf4a1c223254171ad7a9890d
SHA256

8d5a7124097323dc0f569a95eebc185fe456fa19bdc6186cf99ee858ab557941
SHA512

26b1a59c56dbb36a584494de9096c5d3196771e985458b1ee3a4458b25f0ce5fab12ea4849f0c42afdeb42d10c2916120e5a264aadd5dd2b9d7fe89838c2be29
SSDEEP

24576:cWy4GRhwybnWS70ykL7v3N0P/Z63i44ErocTnvQRr0VMfVCzfS/GBjoe:cy2LWS7hk9LUcTyr06fVefS/MjD

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://193.188.20.191:443/e0bd9c1f4515facb49/eehcla05.c4ft8

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

pipanel.exe

description pid process target process

PID 2428 created 2664 2428 pipanel.exe sihost.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2552 2428 WerFault.exe pipanel.exe
3028 2428 WerFault.exe pipanel.exe

description	pid	process	target process
PID 2428 created 2664	2428	pipanel.exe	sihost.exe

pid	pid_target	process	target process
2552	2428	WerFault.exe	pipanel.exe
3028	2428	WerFault.exe	pipanel.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1temp694.exepipanel.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1temp694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

1temp694.exepipanel.exeopenwith.exe

pid	process
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
4568	1temp694.exe
2428	pipanel.exe
2428	pipanel.exe
1208	openwith.exe
1208	openwith.exe
1208	openwith.exe
1208	openwith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1temp694.exe

pid process

4568 1temp694.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1temp694.exepipanel.exe

description	pid	process	target process
PID 4568 wrote to memory of 4588	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 4588	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 4588	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 4568 wrote to memory of 2428	4568	1temp694.exe	pipanel.exe
PID 2428 wrote to memory of 1208	2428	pipanel.exe	openwith.exe
PID 2428 wrote to memory of 1208	2428	pipanel.exe	openwith.exe
PID 2428 wrote to memory of 1208	2428	pipanel.exe	openwith.exe
PID 2428 wrote to memory of 1208	2428	pipanel.exe	openwith.exe
PID 2428 wrote to memory of 1208	2428	pipanel.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1208

C:\Users\Admin\AppData\Local\Temp\1temp694.exe
"C:\Users\Admin\AppData\Local\Temp\1temp694.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\1temp694.exe"
  2⤵
  PID:4588
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\1temp694.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 432
    3⤵
    - Program crash
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 428
    3⤵
    - Program crash
    PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2428 -ip 2428
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2428 -ip 2428
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-17-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/1208-27-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/1208-25-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/1208-24-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/1208-22-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1208-20-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/1208-21-0x0000000002A00000-0x0000000002E00000-memory.dmp

Filesize
4.0MB

Download
memory/2428-6-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2428-4-0x0000000077762000-0x0000000077763000-memory.dmp

Filesize
4KB

Download
memory/2428-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2428-7-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2428-12-0x0000000003380000-0x0000000003780000-memory.dmp

Filesize
4.0MB

Download
memory/2428-11-0x0000000003380000-0x0000000003780000-memory.dmp

Filesize
4.0MB

Download
memory/2428-13-0x0000000003380000-0x0000000003780000-memory.dmp

Filesize
4.0MB

Download
memory/2428-14-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2428-18-0x0000000003380000-0x0000000003780000-memory.dmp

Filesize
4.0MB

Download
memory/2428-26-0x0000000003380000-0x0000000003780000-memory.dmp

Filesize
4.0MB

Download
memory/2428-16-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/2428-5-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4568-0-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4568-9-0x00000000003A0000-0x00000000004EA000-memory.dmp

Filesize
1.3MB

Download
memory/4568-3-0x0000000002900000-0x0000000002950000-memory.dmp

Filesize
320KB

Download
memory/4568-2-0x0000000077762000-0x0000000077763000-memory.dmp

Filesize
4KB

Download
memory/4568-10-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/4568-1-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads