rhadamanthys | 043eac1976cb1b44d8fedd0af9b116fc82d45366cd70506b243dd1105152ffd1

General

Target

Setup_Installer.exe
Size

74.9MB
MD5

707c20a0de59fe418045e8cb90e4e8f9
SHA1

a1404eb652921a2808781cf09daecc363dbf5010
SHA256

589b622872cef5c5ca4af70a9bba031ee462e555e83213bd73c7511af550e417
SHA512

de4f99b62cd02d02cb4f4ebc65078860a6c43293f1b9f1e2e88caf7ceb8c6b690b6adcca013568e721b4986a068ac22c51a20499d6f41c1fa8ab5b3030754269
SSDEEP

1572864:Whw53fhw53fhw53fhw53fhw53fhw53fhw53:beeeeee

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://185.184.26.10:4928/e4eb12414c95175ccfd/Other4

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

winhlp32.exe

description pid process target process

PID 1944 created 2532 1944 winhlp32.exe sihost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 bitbucket.org
19 bitbucket.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup_Installer.exe

description pid process target process

PID 3288 set thread context of 1944 3288 Setup_Installer.exe winhlp32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4832 1944 WerFault.exe winhlp32.exe
4984 1944 WerFault.exe winhlp32.exe

description	pid	process	target process
PID 1944 created 2532	1944	winhlp32.exe	sihost.exe

flow	ioc
17	bitbucket.org
19	bitbucket.org

description	pid	process	target process
PID 3288 set thread context of 1944	3288	Setup_Installer.exe	winhlp32.exe

pid	pid_target	process	target process
4832	1944	WerFault.exe	winhlp32.exe
4984	1944	WerFault.exe	winhlp32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup_Installer.exewinhlp32.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

winhlp32.exeopenwith.exe

pid process

1944 winhlp32.exe
1944 winhlp32.exe
3912 openwith.exe
3912 openwith.exe
3912 openwith.exe
3912 openwith.exe

pid	process
1944	winhlp32.exe
1944	winhlp32.exe
3912	openwith.exe
3912	openwith.exe
3912	openwith.exe
3912	openwith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Setup_Installer.exewinhlp32.exe

description	pid	process	target process
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 3288 wrote to memory of 1944	3288	Setup_Installer.exe	winhlp32.exe
PID 1944 wrote to memory of 3912	1944	winhlp32.exe	openwith.exe
PID 1944 wrote to memory of 3912	1944	winhlp32.exe	openwith.exe
PID 1944 wrote to memory of 3912	1944	winhlp32.exe	openwith.exe
PID 1944 wrote to memory of 3912	1944	winhlp32.exe	openwith.exe
PID 1944 wrote to memory of 3912	1944	winhlp32.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2532
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3912

C:\Users\Admin\AppData\Local\Temp\Setup_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\winhlp32.exe
  "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 420
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 436
    3⤵
    - Program crash
    PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1944 -ip 1944
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-12-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/1944-15-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/1944-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-10-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/1944-11-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/1944-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-16-0x00000000770B0000-0x00000000772C5000-memory.dmp

Filesize
2.1MB

Download
memory/1944-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1944-13-0x00007FFB35AF0000-0x00007FFB35CE5000-memory.dmp

Filesize
2.0MB

Download
memory/1944-23-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/3912-19-0x00000000021F0000-0x00000000025F0000-memory.dmp

Filesize
4.0MB

Download
memory/3912-20-0x00007FFB35AF0000-0x00007FFB35CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3912-22-0x00000000770B0000-0x00000000772C5000-memory.dmp

Filesize
2.1MB

Download
memory/3912-17-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing