rhadamanthys | ceaed51bfaf0862e89a1790376ff6969bcc7c266e2c7b73cf67f57ad3ca7a397

Resubmissions

01-09-2024 18:16

240901-wwfj3sydra 10

01-09-2024 18:12

240901-wtngxaydkf 1

Analysis

max time kernel
140s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01-09-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.zip
Size

13.4MB
MD5

6fe0bb4598fba38e1c2dc25b084ae38e
SHA1

7514257cc85b0a2d4b218f43f9a8f4dd61c545cf
SHA256

ceaed51bfaf0862e89a1790376ff6969bcc7c266e2c7b73cf67f57ad3ca7a397
SHA512

232b90973680eadbf11851fa20dc1e0ffbcae86f14bd8b605964a593775705cdc69dcb3cd9a5ab66ce18785c2a098df75f58392b1c3d6a04f28c57541fdc632b
SSDEEP

393216:+H7gx90ywmq3gvGQ1HUPri1xktbsUjOBo+mt:u7e92v+PRUDi1QvaoTt

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 776 created 692	776	Solara.exe	50

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 776	3780	Solara.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1532	776	WerFault.exe	90
904	776	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
776	Solara.exe
776	Solara.exe
1452	openwith.exe
1452	openwith.exe
1452	openwith.exe
1452	openwith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 3780 wrote to memory of 776	3780	Solara.exe	90
PID 776 wrote to memory of 1452	776	Solara.exe	91
PID 776 wrote to memory of 1452	776	Solara.exe	91
PID 776 wrote to memory of 1452	776	Solara.exe	91
PID 776 wrote to memory of 1452	776	Solara.exe	91
PID 776 wrote to memory of 1452	776	Solara.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:692
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1452

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip
1⤵
PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Users\Admin\Desktop\Solara\Solara\Solara.exe
"C:\Users\Admin\Desktop\Solara\Solara\Solara.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\Desktop\Solara\Solara\Solara.exe
  "C:\Users\Admin\Desktop\Solara\Solara\Solara.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 472
    3⤵
    - Program crash
    PID:1532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 492
    3⤵
    - Program crash
    PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 776 -ip 776
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-11-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/776-23-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/776-16-0x0000000076F50000-0x00000000771A2000-memory.dmp

Filesize
2.3MB

Download
memory/776-14-0x00007FFD59EE0000-0x00007FFD5A0E9000-memory.dmp

Filesize
2.0MB

Download
memory/776-13-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/776-12-0x0000000004060000-0x0000000004460000-memory.dmp

Filesize
4.0MB

Download
memory/776-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/776-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/776-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/776-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1452-17-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/1452-19-0x0000000002A60000-0x0000000002E60000-memory.dmp

Filesize
4.0MB

Download
memory/1452-20-0x00007FFD59EE0000-0x00007FFD5A0E9000-memory.dmp

Filesize
2.0MB

Download
memory/1452-22-0x0000000076F50000-0x00000000771A2000-memory.dmp

Filesize
2.3MB

Download
memory/3780-5-0x0000000002C40000-0x0000000002C62000-memory.dmp

Filesize
136KB

Download
memory/3780-4-0x0000000005A40000-0x0000000005FE6000-memory.dmp

Filesize
5.6MB

Download
memory/3780-3-0x0000000005340000-0x0000000005460000-memory.dmp

Filesize
1.1MB

Download
memory/3780-2-0x0000000005290000-0x000000000532C000-memory.dmp

Filesize
624KB

Download
memory/3780-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/3780-1-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download