rhadamanthys | ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27

General

Target

ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe
Size

2.4MB
MD5

ee0a93c22584233cc9faf75b7b49bb78
SHA1

a31b0ac14c81447b71524e2815be43d9a55ea9f1
SHA256

ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27
SHA512

9fab2820bdb0a4e423f66c43105fc1f447d429b6ae525359f0977d034b562ca1a408e728324335f5aced12edd2135660711dd865b3c5fa641b57a02055ee170c
SSDEEP

49152:+pz3Cy3BkrhfRAXMSxDw7DDCDbNV2ZGomxwF2Nz2k+IsvOYIiPcT:+pey3BkrZRAXMwDuDeh4ZGXeUMSevI9

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 1620 created 2940 1620 explorer.exe sihost.exe

description	pid	process	target process
PID 1620 created 2940	1620	explorer.exe	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe

Executes dropped EXE 2 IoCs

Processes:

dpaw.exedpaw.exe

pid process

4080 dpaw.exe
4824 dpaw.exe
Loads dropped DLL 2 IoCs

Processes:

dpaw.exedpaw.exe

pid process

4080 dpaw.exe
4824 dpaw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dpaw.exe

description pid process target process

PID 4824 set thread context of 4140 4824 dpaw.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4824 set thread context of 4140	4824	dpaw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeopenwith.exead8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exedpaw.exedpaw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

dpaw.exedpaw.execmd.exeexplorer.exeopenwith.exe

pid	process
4080	dpaw.exe
4824	dpaw.exe
4824	dpaw.exe
4140	cmd.exe
4140	cmd.exe
1620	explorer.exe
1620	explorer.exe
804	openwith.exe
804	openwith.exe
804	openwith.exe
804	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dpaw.execmd.exe

pid process

4824 dpaw.exe
4140 cmd.exe

pid	process
4824	dpaw.exe
4140	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exedpaw.exedpaw.execmd.exeexplorer.exe

description	pid	process	target process
PID 4004 wrote to memory of 4080	4004	ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe	dpaw.exe
PID 4004 wrote to memory of 4080	4004	ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe	dpaw.exe
PID 4004 wrote to memory of 4080	4004	ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe	dpaw.exe
PID 4080 wrote to memory of 4824	4080	dpaw.exe	dpaw.exe
PID 4080 wrote to memory of 4824	4080	dpaw.exe	dpaw.exe
PID 4080 wrote to memory of 4824	4080	dpaw.exe	dpaw.exe
PID 4824 wrote to memory of 4140	4824	dpaw.exe	cmd.exe
PID 4824 wrote to memory of 4140	4824	dpaw.exe	cmd.exe
PID 4824 wrote to memory of 4140	4824	dpaw.exe	cmd.exe
PID 4824 wrote to memory of 4140	4824	dpaw.exe	cmd.exe
PID 4140 wrote to memory of 1620	4140	cmd.exe	explorer.exe
PID 4140 wrote to memory of 1620	4140	cmd.exe	explorer.exe
PID 4140 wrote to memory of 1620	4140	cmd.exe	explorer.exe
PID 4140 wrote to memory of 1620	4140	cmd.exe	explorer.exe
PID 1620 wrote to memory of 804	1620	explorer.exe	openwith.exe
PID 1620 wrote to memory of 804	1620	explorer.exe	openwith.exe
PID 1620 wrote to memory of 804	1620	explorer.exe	openwith.exe
PID 1620 wrote to memory of 804	1620	explorer.exe	openwith.exe
PID 1620 wrote to memory of 804	1620	explorer.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2940
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:804

C:\Users\Admin\AppData\Local\Temp\ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe
"C:\Users\Admin\AppData\Local\Temp\ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\dpaw.exe
  "C:\Users\Admin\AppData\Local\Temp\dpaw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Roaming\BackupstreamEar\dpaw.exe
    C:\Users\Admin\AppData\Roaming\BackupstreamEar\dpaw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll

Filesize
1.9MB

MD5
4e35791c97152a0c01c6638fd26413fd

SHA1
048c20b2152b4aeb390c276dbf5df3334dba45a7

SHA256
f5bd2c558b6686c8e8c701be3c56108edf5edcaf7bda69ee0407b0829ad09833

SHA512
79a47f194fe68a9da5b882c97bf70ccb0ad944c287ce034b040e1ae7c0f5f78013777731f5352033fe2e2e2026fc0be4aae433bcd980bbd4d18fb5ed3a34af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpaw.exe

Filesize
2.7MB

MD5
870feaab725b148208dd12ffabe33f9d

SHA1
9f3651ad5725848c880c24f8e749205a7e1e78c1

SHA256
bbf7154f14d736f0c8491fb9fb44d2f179cdb02d34ab54c04466fa0702ea7d55

SHA512
5bea301f85e6a55fd5730793b960442bc4dab92d0bf47e4e55c5490448a4a22ed6d0feb1dbe9d56d6b6ff8d06f163381807f83f467621f527bc6521857fc8e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e73603fb

Filesize
1.1MB

MD5
d65cb7d896828d7ac8362666ba0924ed

SHA1
fcf717e3655504d40cf0b61ddf9baf3a567d4eae

SHA256
31b3d8e895fe4427afa72ef941d3f38091c492fd4022798f3dbd07358400d108

SHA512
b06315613939f72fd162d0b6cc1a0eb7ae071c1488c03df1819bde79ed3538a26cabca47b197a599f6b9d5b4cf2b178d9f2d847e9d77ccfd7bad67be3a8033cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdxfld

Filesize
1007KB

MD5
c9a617c1948d7ea4a92cdec95eb0c2a8

SHA1
0d3bab8fae5b47475d8b6aaaf5a13f8ba2ee74d0

SHA256
303cfaaa049a750c2708f75348aa8160e5e40e6cda748f1d406a791a73ac59b7

SHA512
3a39a90238908c9aa5f9ac9fa9a3014cb61a4d9670d8dbe4967366bd594a243719d01887f67b7882e1d9ea9aceac1f1e146c8a93d057baa40c035f8c385bc1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kectdmb

Filesize
65KB

MD5
a9bd962417f5f9c7d3ee60059339d41a

SHA1
6872db237f15ce21eefc4182724397806488e8ff

SHA256
23eaeb4e7878be5897aaf9a3c7ab4ca9cb0815f6c2d5fd70c1fe60d1ed3e8dbe

SHA512
731ee69c219f93d3d687d8fc8a18aa50c5676c89ebc41cd0e737426de5780dbcf4f178c449c29d777091b25b236749c5db262116419f28d9c48f068d84941d41

Download Submit
memory/804-61-0x00000000760F0000-0x0000000076305000-memory.dmp

Filesize
2.1MB

Download
memory/804-59-0x00007FFD1D490000-0x00007FFD1D685000-memory.dmp

Filesize
2.0MB

Download
memory/804-56-0x0000000002480000-0x0000000002880000-memory.dmp

Filesize
4.0MB

Download
memory/804-54-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1620-58-0x0000000000730000-0x00000000007AF000-memory.dmp

Filesize
508KB

Download
memory/1620-46-0x00007FFD1D490000-0x00007FFD1D685000-memory.dmp

Filesize
2.0MB

Download
memory/1620-53-0x00000000760F0000-0x0000000076305000-memory.dmp

Filesize
2.1MB

Download
memory/1620-50-0x00000000043D0000-0x00000000047D0000-memory.dmp

Filesize
4.0MB

Download
memory/1620-49-0x00000000043D0000-0x00000000047D0000-memory.dmp

Filesize
4.0MB

Download
memory/1620-47-0x0000000000730000-0x00000000007AF000-memory.dmp

Filesize
508KB

Download
memory/1620-45-0x0000000000730000-0x00000000007AF000-memory.dmp

Filesize
508KB

Download
memory/4080-20-0x00007FFD1D490000-0x00007FFD1D685000-memory.dmp

Filesize
2.0MB

Download
memory/4080-19-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-41-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-44-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-42-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-40-0x00007FFD1D490000-0x00007FFD1D685000-memory.dmp

Filesize
2.0MB

Download
memory/4140-38-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4824-36-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4824-35-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download
memory/4824-34-0x0000000073203000-0x0000000073205000-memory.dmp

Filesize
8KB

Download
memory/4824-33-0x00007FFD1D490000-0x00007FFD1D685000-memory.dmp

Filesize
2.0MB

Download
memory/4824-32-0x00000000731F0000-0x000000007336B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads