rhadamanthys | 534baf68b23474fd41c2320b64ccc61ba0a2cda9cf7539dcaac1cadfb61ddb76

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gath_Portable_Setup_29.5.3l.exe
Size

96.1MB
MD5

7f6a6ef2c51ffa3ffd4aa5cac09d74a5
SHA1

984fee23b14fa4e53d9cab8ab0aa289a9c3bb44f
SHA256

534baf68b23474fd41c2320b64ccc61ba0a2cda9cf7539dcaac1cadfb61ddb76
SHA512

12474e2b448555a48c3de61661f91cbe47372b0862684eb0d5c252c8973032c0775bac58c682c494ed6e6e3e51861389c1c904befd6b3bd6417ede87171ff66a
SSDEEP

3145728:qAH2SALB1KcYt3TIQt6syau0o1kYn6LlPNc8cGb:fWSgDYt/8syauz1hn6LMwb

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

VagrantAudioMaster.exe

description	pid	Process	procid_target
PID 3928 created 2596	3928	VagrantAudioMaster.exe	44

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HPSupportSolutionsFramework-13.0.1.131.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	HPSupportSolutionsFramework-13.0.1.131.exe

Executes dropped EXE 3 IoCs

Processes:

HPSupportSolutionsFramework-13.0.1.131.exeVagrantAudioMaster.exeVagrantVideoMaster.exe

pid	Process
2932	HPSupportSolutionsFramework-13.0.1.131.exe
3928	VagrantAudioMaster.exe
4000	VagrantVideoMaster.exe

Loads dropped DLL 9 IoCs

Processes:

Gath_Portable_Setup_29.5.3l.exeHPSupportSolutionsFramework-13.0.1.131.exe

pid	Process
4992	Gath_Portable_Setup_29.5.3l.exe
4992	Gath_Portable_Setup_29.5.3l.exe
4992	Gath_Portable_Setup_29.5.3l.exe
2932	HPSupportSolutionsFramework-13.0.1.131.exe
2932	HPSupportSolutionsFramework-13.0.1.131.exe
2932	HPSupportSolutionsFramework-13.0.1.131.exe
4992	Gath_Portable_Setup_29.5.3l.exe
4992	Gath_Portable_Setup_29.5.3l.exe
4992	Gath_Portable_Setup_29.5.3l.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
37	api.ipify.org
39	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1792	3928	WerFault.exe	96
4476	4000	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Gath_Portable_Setup_29.5.3l.exeHPSupportSolutionsFramework-13.0.1.131.exeVagrantAudioMaster.exeopenwith.exeVagrantVideoMaster.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gath_Portable_Setup_29.5.3l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HPSupportSolutionsFramework-13.0.1.131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VagrantAudioMaster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VagrantVideoMaster.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VagrantVideoMaster.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VagrantVideoMaster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VagrantVideoMaster.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HPSupportSolutionsFramework-13.0.1.131.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	HPSupportSolutionsFramework-13.0.1.131.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HPSupportSolutionsFramework-13.0.1.131.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HPSupportSolutionsFramework-13.0.1.131.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

VagrantAudioMaster.exeopenwith.exeVagrantVideoMaster.exe

pid	Process
3928	VagrantAudioMaster.exe
3928	VagrantAudioMaster.exe
3292	openwith.exe
3292	openwith.exe
3292	openwith.exe
3292	openwith.exe
4000	VagrantVideoMaster.exe
4000	VagrantVideoMaster.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Gath_Portable_Setup_29.5.3l.exeVagrantAudioMaster.exe

description	pid	Process	procid_target
PID 4992 wrote to memory of 2932	4992	Gath_Portable_Setup_29.5.3l.exe	95
PID 4992 wrote to memory of 2932	4992	Gath_Portable_Setup_29.5.3l.exe	95
PID 4992 wrote to memory of 2932	4992	Gath_Portable_Setup_29.5.3l.exe	95
PID 4992 wrote to memory of 3928	4992	Gath_Portable_Setup_29.5.3l.exe	96
PID 4992 wrote to memory of 3928	4992	Gath_Portable_Setup_29.5.3l.exe	96
PID 4992 wrote to memory of 3928	4992	Gath_Portable_Setup_29.5.3l.exe	96
PID 3928 wrote to memory of 3292	3928	VagrantAudioMaster.exe	97
PID 3928 wrote to memory of 3292	3928	VagrantAudioMaster.exe	97
PID 3928 wrote to memory of 3292	3928	VagrantAudioMaster.exe	97
PID 3928 wrote to memory of 3292	3928	VagrantAudioMaster.exe	97
PID 3928 wrote to memory of 3292	3928	VagrantAudioMaster.exe	97
PID 4992 wrote to memory of 4000	4992	Gath_Portable_Setup_29.5.3l.exe	101
PID 4992 wrote to memory of 4000	4992	Gath_Portable_Setup_29.5.3l.exe	101
PID 4992 wrote to memory of 4000	4992	Gath_Portable_Setup_29.5.3l.exe	101

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2596
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3292

C:\Users\Admin\AppData\Local\Temp\Gath_Portable_Setup_29.5.3l.exe
"C:\Users\Admin\AppData\Local\Temp\Gath_Portable_Setup_29.5.3l.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\DiskMUI\HPSupportSolutionsFramework-13.0.1.131.exe
  C:\Users\Admin\AppData\Local\DiskMUI\HPSupportSolutionsFramework-13.0.1.131.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:2932
- C:\Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe
  C:\Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 716
    3⤵
    - Program crash
    PID:1792
- C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe
  C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1324
    3⤵
    - Program crash
    PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3928 -ip 3928
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4000 -ip 4000
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DiskMUI\VagrantAudioMaster.exe

Filesize
14.7MB

MD5
71e4f9174a6070307a8ac51034a91016

SHA1
70907c62bcb849f2fbda7bbdd5aadee13aa14b24

SHA256
7009adc43f53211e3c185efc90c3673f1797d13da70384df2bcb60e6d4f89887

SHA512
e8ac84acdd1971b76c79b3cd7986416be9eed3db883e40ae0a662bb829cd062f0a757cfd1bbba98fcc6e84f2080d3d061d16f9f99e8552b720a79e277f63cc75

Download Submit
C:\Users\Admin\AppData\Local\DiskMUI\VagrantVideoMaster.exe

Filesize
14.4MB

MD5
f566847c970cb7a797c0f800f9536f77

SHA1
96c30f95944ea6c5bef6a5116671c947c9f2271b

SHA256
603c553d773f94dc2fef76a75cb004a9af4072bccd6fe10513a3a2d147df4c90

SHA512
0da9f8ee6bd0fcd53ddbe551f1e0ee8a9d053e7c9501147a097f7b8341290f605a317b7ccbcb7f21a85b08c39f313d0dd56184c8e08650223efa9824c31b5531

Download Submit
C:\Users\Admin\AppData\Local\DiskMUI\msquic.dll

Filesize
476KB

MD5
ac3a293aeea9b3c6422bdb818fecb8bd

SHA1
a7ae76487acfb08b4900a008d341351e08b3add7

SHA256
714803871932e91a6dce57597169e32f3b31507a494e7dd62d08a0a5cd78c622

SHA512
aaeb2f55958ffb8ce5cf18645f560bcc1869f70a8dd940a348fb5a9b982e33e8e87c1f90754b19962fe122a51431c5b6dcc859fed54ca2dda7bf227430203137

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\ioSpecial.ini

Filesize
1KB

MD5
0932b7eeb9f63e1d95023a0f3f398fe4

SHA1
4e424a9bafd630171a0611a3fd0eef5e9c4fe2b1

SHA256
be1c8ef800d1b6baf0030c3fb559cf5e49d2dd883e4182179f1b1a490e30a16f

SHA512
84b1bed691650a0a972637b7953fa0540d43b848eeb1cfce288ec85632cefff79dd97a5e0200a305b404ca20c36775a3fd838c17fde19a135f0421bc2ff4ac57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\ioSpecial.ini

Filesize
1KB

MD5
3f2a6cd29dad31a65eb809779ac94ec8

SHA1
7b5ee5a923f685146eddf6d65e47a5ecf010fa05

SHA256
4a00d55a6f901cea5b2590d2957277172bc0afd2b62ec38790b7a6db0113176f

SHA512
5238268ee9ed35aad68c1eb41e20af590f768ce0086d99213ba3c6c552cfd75365def4b0ead4a5bd1d4e09c906d03bca0f4a4faa9462fb708987c76a7c924b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw89B3.tmp\ioSpecial.ini

Filesize
1KB

MD5
116e8810fde8f6640f1c6897606fa244

SHA1
b6a87e4115c86f69bf0975e68d0eed666a00a589

SHA256
3c5188ea93d39c678d2e95af6376c2cfd7f9a2581ce83e857bf68334638d12e1

SHA512
6a3f06c235c697541a4ba270f267527748b08743173432a45a507e7780433c30333697d5f53ba33accbfc726494933218135e5c7261e9122026a46e72a081f4e

Download Submit
memory/3292-360-0x0000000075AF0000-0x0000000075D05000-memory.dmp

Filesize
2.1MB

Download
memory/3292-355-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/3292-357-0x00000000024E0000-0x00000000028E0000-memory.dmp

Filesize
4.0MB

Download
memory/3292-358-0x00007FFBD42D0000-0x00007FFBD44C5000-memory.dmp

Filesize
2.0MB

Download
memory/3928-351-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/3928-354-0x0000000075AF0000-0x0000000075D05000-memory.dmp

Filesize
2.1MB

Download
memory/3928-352-0x00007FFBD42D0000-0x00007FFBD44C5000-memory.dmp

Filesize
2.0MB

Download
memory/3928-361-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/3928-350-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/3928-349-0x0000000003650000-0x0000000003A50000-memory.dmp

Filesize
4.0MB

Download
memory/3928-348-0x00000000024C0000-0x000000000253E000-memory.dmp

Filesize
504KB

Download