rhadamanthys | 8d5a7124097323dc0f569a95eebc185fe456fa19bdc6186cf99ee858ab557941

General

Target

1temp694.exe
Size

1.2MB
MD5

3dee5861e10fa13a29d0ef0593b5be77
SHA1

a6cb12aeefca226adf4a1c223254171ad7a9890d
SHA256

8d5a7124097323dc0f569a95eebc185fe456fa19bdc6186cf99ee858ab557941
SHA512

26b1a59c56dbb36a584494de9096c5d3196771e985458b1ee3a4458b25f0ce5fab12ea4849f0c42afdeb42d10c2916120e5a264aadd5dd2b9d7fe89838c2be29
SSDEEP

24576:cWy4GRhwybnWS70ykL7v3N0P/Z63i44ErocTnvQRr0VMfVCzfS/GBjoe:cy2LWS7hk9LUcTyr06fVefS/MjD

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://193.188.20.191:443/e0bd9c1f4515facb49/eehcla05.c4ft8

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

pipanel.exe

description pid process target process

PID 636 created 2604 636 pipanel.exe sihost.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1448 636 WerFault.exe pipanel.exe
1252 636 WerFault.exe pipanel.exe

description	pid	process	target process
PID 636 created 2604	636	pipanel.exe	sihost.exe

pid	pid_target	process	target process
1448	636	WerFault.exe	pipanel.exe
1252	636	WerFault.exe	pipanel.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1temp694.exepipanel.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1temp694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

1temp694.exepipanel.exeopenwith.exe

pid	process
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
2932	1temp694.exe
636	pipanel.exe
636	pipanel.exe
4176	openwith.exe
4176	openwith.exe
4176	openwith.exe
4176	openwith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1temp694.exe

pid process

2932 1temp694.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1temp694.exepipanel.exe

description	pid	process	target process
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 2932 wrote to memory of 636	2932	1temp694.exe	pipanel.exe
PID 636 wrote to memory of 4176	636	pipanel.exe	openwith.exe
PID 636 wrote to memory of 4176	636	pipanel.exe	openwith.exe
PID 636 wrote to memory of 4176	636	pipanel.exe	openwith.exe
PID 636 wrote to memory of 4176	636	pipanel.exe	openwith.exe
PID 636 wrote to memory of 4176	636	pipanel.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2604
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4176

C:\Users\Admin\AppData\Local\Temp\1temp694.exe
"C:\Users\Admin\AppData\Local\Temp\1temp694.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\1temp694.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 456
    3⤵
    - Program crash
    PID:1448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 452
    3⤵
    - Program crash
    PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 636 -ip 636
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 636 -ip 636
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-11-0x0000000003CA0000-0x00000000040A0000-memory.dmp

Filesize
4.0MB

Download
memory/636-4-0x0000000077CC4000-0x0000000077CC5000-memory.dmp

Filesize
4KB

Download
memory/636-28-0x0000000003CA0000-0x00000000040A0000-memory.dmp

Filesize
4.0MB

Download
memory/636-14-0x00007FF94B440000-0x00007FF94B649000-memory.dmp

Filesize
2.0MB

Download
memory/636-13-0x0000000003CA0000-0x00000000040A0000-memory.dmp

Filesize
4.0MB

Download
memory/636-6-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/636-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/636-17-0x0000000003CA0000-0x00000000040A0000-memory.dmp

Filesize
4.0MB

Download
memory/636-16-0x0000000077900000-0x0000000077B52000-memory.dmp

Filesize
2.3MB

Download
memory/636-7-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/636-5-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/636-12-0x0000000003CA0000-0x00000000040A0000-memory.dmp

Filesize
4.0MB

Download
memory/636-19-0x00007FF94B441000-0x00007FF94B56A000-memory.dmp

Filesize
1.2MB

Download
memory/2932-1-0x0000000003060000-0x00000000030E0000-memory.dmp

Filesize
512KB

Download
memory/2932-10-0x0000000003060000-0x00000000030E0000-memory.dmp

Filesize
512KB

Download
memory/2932-2-0x0000000077CC4000-0x0000000077CC5000-memory.dmp

Filesize
4KB

Download
memory/2932-9-0x0000000000190000-0x00000000002DA000-memory.dmp

Filesize
1.3MB

Download
memory/2932-3-0x00000000034B0000-0x0000000003500000-memory.dmp

Filesize
320KB

Download
memory/2932-0-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/4176-21-0x0000000002860000-0x0000000002C60000-memory.dmp

Filesize
4.0MB

Download
memory/4176-18-0x0000000000B00000-0x0000000000B09000-memory.dmp

Filesize
36KB

Download
memory/4176-22-0x00007FF94B440000-0x00007FF94B649000-memory.dmp

Filesize
2.0MB

Download
memory/4176-25-0x00007FF94B440000-0x00007FF94B649000-memory.dmp

Filesize
2.0MB

Download
memory/4176-26-0x0000000077900000-0x0000000077B52000-memory.dmp

Filesize
2.3MB

Download
memory/4176-27-0x00007FF94B440000-0x00007FF94B649000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads