rhadamanthys | dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5

General

Target

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe
Size

149KB
MD5

221c3bf6b4e3c355fdce087122511fe4
SHA1

975c36eb0442edd4d42996a3dd554ab36f95ff55
SHA256

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5
SHA512

edacc09d25e4c9d1d19885abe2fea72aff44e75862d9c3f1aa158edf5c40d635551abb820e89533696a4e9f3664e45c18f112a2a81e94d3badf13ed0b5acbcb4
SSDEEP

3072:sY8Ah6pPHmZbnjL9/LZHR29C6BoFQ9QQMb7d2Y+lO662kosOgl7A8lhOlAETZeiS:h8AhKvmZbjL9/lHR29vkQ9lMUSnbOgl7

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/920-2-0x0000000000500000-0x000000000051D000-memory.dmp	family_rhadamanthys
behavioral2/memory/920-6-0x0000000000500000-0x000000000051D000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe

pid	process
920	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe
920	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe
920	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

EXCEL.EXE

pid process

3124 EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3124 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe
"C:\Users\Admin\AppData\Local\Temp\dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:920

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\PingPublish.xlsx"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
376B

MD5
ca12cdb88d4a9bb1b64cef8f2134515b

SHA1
3b007433e6fa6d4b1694a4cbc40036f62458a490

SHA256
10bedd4a47f466dee668dcd167539cfa4f804b69a00080bd77d418850bcfb42c

SHA512
1972d1d9d35a76953759e9d08e8ae0f478d3b30533eccd98584cbff7f423ffbd2c1af188b53eba228fbc5825717ba5c191bf6e9d947b58a907413304a50203fb

Download Submit
memory/920-1-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/920-2-0x0000000000500000-0x000000000051D000-memory.dmp

Filesize
116KB

Download
memory/920-4-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/920-5-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/920-6-0x0000000000500000-0x000000000051D000-memory.dmp

Filesize
116KB

Download
memory/920-7-0x0000000002720000-0x0000000003720000-memory.dmp

Filesize
16.0MB

Download
memory/3124-21-0x00007FFF66C90000-0x00007FFF66CA0000-memory.dmp

Filesize
64KB

Download
memory/3124-24-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-11-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-15-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-14-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-18-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-17-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-20-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-19-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-9-0x00007FFFA960D000-0x00007FFFA960E000-memory.dmp

Filesize
4KB

Download
memory/3124-16-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-13-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-22-0x00007FFF66C90000-0x00007FFF66CA0000-memory.dmp

Filesize
64KB

Download
memory/3124-10-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-25-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-27-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-26-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-23-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download
memory/3124-12-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-8-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-64-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-65-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-66-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-63-0x00007FFF695F0000-0x00007FFF69600000-memory.dmp

Filesize
64KB

Download
memory/3124-67-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads