rhadamanthys | ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

General

Target

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
Size

3.9MB
MD5

46cf6b1946429c912fe569ce4b5e8a10
SHA1

d7e0240a1a4d021800ccc9ace9fdb310ffa63052
SHA256

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a
SHA512

29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf
SSDEEP

98304:sfUbmfIe1hxCTvblT3gbG3WfaWLUMxSZNOWfhL:sfUyzSTBgyGslhL

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://89.117.152.231:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 4632 created 2608 4632 explorer.exe sihost.exe
Executes dropped EXE 3 IoCs

Processes:

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exepythonw.exepythonw.exe

pid process

3172 ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
5008 pythonw.exe
3612 pythonw.exe
Loads dropped DLL 5 IoCs

Processes:

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exepythonw.exepythonw.exe

pid process

3172 ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
5008 pythonw.exe
5008 pythonw.exe
3612 pythonw.exe
3612 pythonw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description pid process target process

PID 3612 set thread context of 3908 3612 pythonw.exe cmd.exe

description	pid	process	target process
PID 4632 created 2608	4632	explorer.exe	sihost.exe

pid	process
3172	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
5008	pythonw.exe
3612	pythonw.exe

pid	process
3172	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
5008	pythonw.exe
5008	pythonw.exe
3612	pythonw.exe
3612	pythonw.exe

description	pid	process	target process
PID 3612 set thread context of 3908	3612	pythonw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exeea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.execmd.exeexplorer.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

pythonw.exepythonw.execmd.exeexplorer.exeopenwith.exe

pid	process
5008	pythonw.exe
3612	pythonw.exe
3612	pythonw.exe
3908	cmd.exe
3908	cmd.exe
4632	explorer.exe
4632	explorer.exe
4964	openwith.exe
4964	openwith.exe
4964	openwith.exe
4964	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.execmd.exe

pid process

3612 pythonw.exe
3908 cmd.exe

pid	process
3612	pythonw.exe
3908	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exeea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exepythonw.exepythonw.execmd.exeexplorer.exe

description	pid	process	target process
PID 1436 wrote to memory of 3172	1436	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
PID 1436 wrote to memory of 3172	1436	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
PID 1436 wrote to memory of 3172	1436	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
PID 3172 wrote to memory of 5008	3172	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe	pythonw.exe
PID 3172 wrote to memory of 5008	3172	ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe	pythonw.exe
PID 5008 wrote to memory of 3612	5008	pythonw.exe	pythonw.exe
PID 5008 wrote to memory of 3612	5008	pythonw.exe	pythonw.exe
PID 3612 wrote to memory of 3908	3612	pythonw.exe	cmd.exe
PID 3612 wrote to memory of 3908	3612	pythonw.exe	cmd.exe
PID 3612 wrote to memory of 3908	3612	pythonw.exe	cmd.exe
PID 3612 wrote to memory of 3908	3612	pythonw.exe	cmd.exe
PID 3908 wrote to memory of 4632	3908	cmd.exe	explorer.exe
PID 3908 wrote to memory of 4632	3908	cmd.exe	explorer.exe
PID 3908 wrote to memory of 4632	3908	cmd.exe	explorer.exe
PID 3908 wrote to memory of 4632	3908	cmd.exe	explorer.exe
PID 4632 wrote to memory of 4964	4632	explorer.exe	openwith.exe
PID 4632 wrote to memory of 4964	4632	explorer.exe	openwith.exe
PID 4632 wrote to memory of 4964	4632	explorer.exe	openwith.exe
PID 4632 wrote to memory of 4964	4632	explorer.exe	openwith.exe
PID 4632 wrote to memory of 4964	4632	explorer.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2608
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4964

C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
"C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\Temp\{A88446E4-F711-4533-8646-37B8D05292D6}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe
  "C:\Windows\Temp\{A88446E4-F711-4533-8646-37B8D05292D6}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe" -burn.filehandle.attached=648 -burn.filehandle.self=536
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\pythonw.exe
    "C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\pythonw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
      C:\Users\Admin\AppData\Roaming\vkb_wordpad_v2\pythonw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b36d42d7

Filesize
1.1MB

MD5
adaf005ab537f5c197118cc50cf4e647

SHA1
ae7f1581491dcfeb10c006f1db11c2c2c245fd3b

SHA256
aaa138125c86703d3e565e25337fb9b65d5dbeeefc23c46bedfffc551461068d

SHA512
a3e3b7b0b022af5eb3390e1b3b1e35458b6da397b0cbaff06b419bedcdfbac3c4a8ed74c7bc5ca199c1d7891660e5252dc717672c37273a83e1f81cd5f0a0865

Download Submit
C:\Windows\Temp\{A88446E4-F711-4533-8646-37B8D05292D6}\.cr\ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a.exe

Filesize
3.9MB

MD5
46cf6b1946429c912fe569ce4b5e8a10

SHA1
d7e0240a1a4d021800ccc9ace9fdb310ffa63052

SHA256
ea08a3b22d711a703d4932a3f0fb693d6faadbd6ad5d87ec7938784c36fb553a

SHA512
29a1f0c35f6d8beaa3941c120d01b255933edc7b4b7c6f21267ce19d2678ee868ade3e2c1e476704a22acfc0a13b627c755ad474eb960a17cd7725665adeeacf

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\Jetsam.dll

Filesize
1.1MB

MD5
75b33115ef399463ee76b3421add1ea1

SHA1
1661b9acf1da0aca0c53fee71e5b2394c7c3320d

SHA256
97b3113d73a62755cd99fac73eadb311d1204e6ec1034a85a585955e202e1132

SHA512
fe86854113de67844fd92904ec8d9468f031ea40bbfd38df79d63ce53bc6e95a0ab5f444b4b85cd9a3c2ac264552366ef7148a8b30a09e8c1b95eb949061ddfc

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\dvanamu

Filesize
953KB

MD5
e238ccd9fd17fb0007b0b033fcfdad41

SHA1
67f3a4e518be8cc306242f584197deac8cf12534

SHA256
e6275bb0a6bb6fe4eb16d10dc91494535577689d68ff9301ef8471a4277dc552

SHA512
fa439bcbb6956bba23cd702167ea2981dc63d7da1287b64ae8fa39606c1ade752a7e04377325d93a2b76e9c7bf4804e5c739a184fef7e906bcd98f8160436d5c

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\python310.dll

Filesize
4.3MB

MD5
c67e805577c808d1b2e63bcc875a6e0c

SHA1
04405071881e4d7b9dae6a8e4f5cb94a69354ecd

SHA256
c1d822a1cd0d204d782d5d5627875608a5acb2008fbfd2346af4f63243e87a40

SHA512
c17febfe45642bb125b1a80a9e2447b25152ce32034b46d1e8dfa74396e51e3c83fb3f844a3814138b308131292884a104afbc5a2262816bd682d6beca142599

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\tdn

Filesize
83KB

MD5
8ca8f54b226bfcfa9c2c965c25247a45

SHA1
cb7950efc08e1bc279afb92a8a2173782f34deea

SHA256
a9ccf11b8f6bcedff1b7d4eea4d4b2122f7e5ecac119617d0596b92c4ed5aeeb

SHA512
d386e769d2a00b3344574e6a251c360d3ec8aa6d7747be19e34deeb57fcb440b24c4fe8b3c0fdc84c99fa4c6e32eb87f4d06ee756fc4e578ca1c9fc32a2e2dbe

Download Submit
C:\Windows\Temp\{C63AA5C2-6271-4922-9B71-E77D41CF9D47}\.ba\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
memory/3612-37-0x00007FF8DB570000-0x00007FF8DB6E2000-memory.dmp

Filesize
1.4MB

Download
memory/3612-38-0x00007FF8DB570000-0x00007FF8DB6E2000-memory.dmp

Filesize
1.4MB

Download
memory/3908-42-0x0000000075630000-0x00000000757AB000-memory.dmp

Filesize
1.5MB

Download
memory/3908-41-0x00007FF8FA130000-0x00007FF8FA325000-memory.dmp

Filesize
2.0MB

Download
memory/4632-49-0x0000000003FB0000-0x00000000043B0000-memory.dmp

Filesize
4.0MB

Download
memory/4632-44-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/4632-45-0x00007FF8FA130000-0x00007FF8FA325000-memory.dmp

Filesize
2.0MB

Download
memory/4632-46-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/4632-48-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/4632-50-0x0000000003FB0000-0x00000000043B0000-memory.dmp

Filesize
4.0MB

Download
memory/4632-53-0x0000000076550000-0x0000000076765000-memory.dmp

Filesize
2.1MB

Download
memory/4632-57-0x0000000000B60000-0x0000000000BE0000-memory.dmp

Filesize
512KB

Download
memory/4964-54-0x0000000001290000-0x0000000001299000-memory.dmp

Filesize
36KB

Download
memory/4964-58-0x0000000002F50000-0x0000000003350000-memory.dmp

Filesize
4.0MB

Download
memory/4964-59-0x00007FF8FA130000-0x00007FF8FA325000-memory.dmp

Filesize
2.0MB

Download
memory/4964-61-0x0000000076550000-0x0000000076765000-memory.dmp

Filesize
2.1MB

Download
memory/5008-22-0x00007FF8DB570000-0x00007FF8DB6E2000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads