rhadamanthys | ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

General

Target

46cf6b1946429c912fe569ce4b5e8a10.exe
Size

3.9MB
MD5

46cf6b1946429c912fe569ce4b5e8a10
SHA1

d7e0240a1a4d021800ccc9ace9fdb310ffa63052
SHA256

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a
SHA512

29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf
SSDEEP

98304:sfUbmfIe1hxCTvblT3gbG3WfaWLUMxSZNOWfhL:sfUyzSTBgyGslhL

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://89.117.152.231:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description	pid	Process	procid_target
PID 2032 created 2656	2032	explorer.exe	44

Executes dropped EXE 3 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exepythonw.exepythonw.exe

pid	Process
4524	46cf6b1946429c912fe569ce4b5e8a10.exe
3552	pythonw.exe
4408	pythonw.exe

Loads dropped DLL 5 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exepythonw.exepythonw.exe

pid	Process
4524	46cf6b1946429c912fe569ce4b5e8a10.exe
3552	pythonw.exe
3552	pythonw.exe
4408	pythonw.exe
4408	pythonw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description	pid	Process	procid_target
PID 4408 set thread context of 1648	4408	pythonw.exe	98

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exe46cf6b1946429c912fe569ce4b5e8a10.execmd.exeexplorer.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46cf6b1946429c912fe569ce4b5e8a10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46cf6b1946429c912fe569ce4b5e8a10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

pythonw.exepythonw.execmd.exeexplorer.exeopenwith.exe

pid	Process
3552	pythonw.exe
4408	pythonw.exe
4408	pythonw.exe
1648	cmd.exe
1648	cmd.exe
2032	explorer.exe
2032	explorer.exe
3204	openwith.exe
3204	openwith.exe
3204	openwith.exe
3204	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.execmd.exe

pid	Process
4408	pythonw.exe
1648	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

46cf6b1946429c912fe569ce4b5e8a10.exe46cf6b1946429c912fe569ce4b5e8a10.exepythonw.exepythonw.execmd.exeexplorer.exe

description	pid	Process	procid_target
PID 712 wrote to memory of 4524	712	46cf6b1946429c912fe569ce4b5e8a10.exe	85
PID 712 wrote to memory of 4524	712	46cf6b1946429c912fe569ce4b5e8a10.exe	85
PID 712 wrote to memory of 4524	712	46cf6b1946429c912fe569ce4b5e8a10.exe	85
PID 4524 wrote to memory of 3552	4524	46cf6b1946429c912fe569ce4b5e8a10.exe	96
PID 4524 wrote to memory of 3552	4524	46cf6b1946429c912fe569ce4b5e8a10.exe	96
PID 3552 wrote to memory of 4408	3552	pythonw.exe	97
PID 3552 wrote to memory of 4408	3552	pythonw.exe	97
PID 4408 wrote to memory of 1648	4408	pythonw.exe	98
PID 4408 wrote to memory of 1648	4408	pythonw.exe	98
PID 4408 wrote to memory of 1648	4408	pythonw.exe	98
PID 4408 wrote to memory of 1648	4408	pythonw.exe	98
PID 1648 wrote to memory of 2032	1648	cmd.exe	101
PID 1648 wrote to memory of 2032	1648	cmd.exe	101
PID 1648 wrote to memory of 2032	1648	cmd.exe	101
PID 1648 wrote to memory of 2032	1648	cmd.exe	101
PID 2032 wrote to memory of 3204	2032	explorer.exe	102
PID 2032 wrote to memory of 3204	2032	explorer.exe	102
PID 2032 wrote to memory of 3204	2032	explorer.exe	102
PID 2032 wrote to memory of 3204	2032	explorer.exe	102
PID 2032 wrote to memory of 3204	2032	explorer.exe	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3204

C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe
"C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\Temp\{A58A7C03-C7CB-4773-8817-17BAB498C756}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe
  "C:\Windows\Temp\{A58A7C03-C7CB-4773-8817-17BAB498C756}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\46cf6b1946429c912fe569ce4b5e8a10.exe" -burn.filehandle.attached=556 -burn.filehandle.self=548
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\pythonw.exe
    "C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\pythonw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
      C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7f98e8b

Filesize
1.1MB

MD5
53113d35d687a9a6032a58fc7b686c8a

SHA1
db74dd016e1e34665f7d19392758c9a0cd689533

SHA256
c33499078a1f88b2ae02936e8b97e62082709807ce6dbba644ccfa99d95ff1fc

SHA512
0e472bd5453aff64a0ca20f04b39298fdb03adbd9a2e3cac44fa07df681bf68311b3c39a55d76395f8ccf4dcc1e7699844603e119f4035270858cd74c1dbb2b1

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\Jetsam.dll

Filesize
1.1MB

MD5
75b33115ef399463ee76b3421add1ea1

SHA1
1661b9acf1da0aca0c53fee71e5b2394c7c3320d

SHA256
97b3113d73a62755cd99fac73eadb311d1204e6ec1034a85a585955e202e1132

SHA512
fe86854113de67844fd92904ec8d9468f031ea40bbfd38df79d63ce53bc6e95a0ab5f444b4b85cd9a3c2ac264552366ef7148a8b30a09e8c1b95eb949061ddfc

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\dvanamu

Filesize
953KB

MD5
e238ccd9fd17fb0007b0b033fcfdad41

SHA1
67f3a4e518be8cc306242f584197deac8cf12534

SHA256
e6275bb0a6bb6fe4eb16d10dc91494535577689d68ff9301ef8471a4277dc552

SHA512
fa439bcbb6956bba23cd702167ea2981dc63d7da1287b64ae8fa39606c1ade752a7e04377325d93a2b76e9c7bf4804e5c739a184fef7e906bcd98f8160436d5c

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\python310.dll

Filesize
4.3MB

MD5
c67e805577c808d1b2e63bcc875a6e0c

SHA1
04405071881e4d7b9dae6a8e4f5cb94a69354ecd

SHA256
c1d822a1cd0d204d782d5d5627875608a5acb2008fbfd2346af4f63243e87a40

SHA512
c17febfe45642bb125b1a80a9e2447b25152ce32034b46d1e8dfa74396e51e3c83fb3f844a3814138b308131292884a104afbc5a2262816bd682d6beca142599

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\tdn

Filesize
83KB

MD5
8ca8f54b226bfcfa9c2c965c25247a45

SHA1
cb7950efc08e1bc279afb92a8a2173782f34deea

SHA256
a9ccf11b8f6bcedff1b7d4eea4d4b2122f7e5ecac119617d0596b92c4ed5aeeb

SHA512
d386e769d2a00b3344574e6a251c360d3ec8aa6d7747be19e34deeb57fcb440b24c4fe8b3c0fdc84c99fa4c6e32eb87f4d06ee756fc4e578ca1c9fc32a2e2dbe

Download Submit
C:\Windows\Temp\{063FACF7-CF4B-40E8-A0E5-BA0C43DE1B5F}\.ba\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Windows\Temp\{A58A7C03-C7CB-4773-8817-17BAB498C756}\.cr\46cf6b1946429c912fe569ce4b5e8a10.exe

Filesize
3.9MB

MD5
46cf6b1946429c912fe569ce4b5e8a10

SHA1
d7e0240a1a4d021800ccc9ace9fdb310ffa63052

SHA256
ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

SHA512
29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf

Download Submit
memory/1648-42-0x0000000075690000-0x000000007580B000-memory.dmp

Filesize
1.5MB

Download
memory/1648-41-0x00007FFC7B4F0000-0x00007FFC7B6E5000-memory.dmp

Filesize
2.0MB

Download
memory/2032-49-0x0000000004080000-0x0000000004480000-memory.dmp

Filesize
4.0MB

Download
memory/2032-50-0x0000000004080000-0x0000000004480000-memory.dmp

Filesize
4.0MB

Download
memory/2032-56-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/2032-44-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/2032-45-0x00007FFC7B4F0000-0x00007FFC7B6E5000-memory.dmp

Filesize
2.0MB

Download
memory/2032-46-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/2032-53-0x0000000077580000-0x0000000077795000-memory.dmp

Filesize
2.1MB

Download
memory/2032-48-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/3204-54-0x0000000000CC0000-0x0000000000CC9000-memory.dmp

Filesize
36KB

Download
memory/3204-58-0x00000000028D0000-0x0000000002CD0000-memory.dmp

Filesize
4.0MB

Download
memory/3204-59-0x00007FFC7B4F0000-0x00007FFC7B6E5000-memory.dmp

Filesize
2.0MB

Download
memory/3204-61-0x0000000077580000-0x0000000077795000-memory.dmp

Filesize
2.1MB

Download
memory/3552-22-0x00007FFC5CF90000-0x00007FFC5D102000-memory.dmp

Filesize
1.4MB

Download
memory/4408-38-0x00007FFC5CF90000-0x00007FFC5D102000-memory.dmp

Filesize
1.4MB

Download
memory/4408-37-0x00007FFC5CF90000-0x00007FFC5D102000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads