rhadamanthys | 84000ed58e1294bc3cdb7c26656be648081bf70d5d3ceba0cbb8717564f21899

Analysis

max time kernel
125s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe
Size

7.8MB
MD5

2bbf7b599379f1b579e8f865c808db33
SHA1

68e1b1da4ee239290b6d5ee6d0d700ef57c7112d
SHA256

84000ed58e1294bc3cdb7c26656be648081bf70d5d3ceba0cbb8717564f21899
SHA512

26dbe131b72160bf40be48a84744ed74010e2e9c1b6e752f596b87a3d4d1f2d6f336bcd9b8f9c5173047568c0c50712f911946dd22eeeb3539c06f3c77b2a0cc
SSDEEP

98304:EcBd3dhwdfiIXOZDrEfEMSFNc8HewP+zfUef0A3K6fTExWan1/:TldhwdfiIkD4fGNH+wMUs0AaIB

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Extracted

Family

rhadamanthys

https://192.30.242.19:9480/0c5934b7b50a019/9gt4x0nj.rdpco

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

timbers.exe

description pid process target process

PID 4468 created 2608 4468 timbers.exe sihost.exe

description	pid	process	target process
PID 4468 created 2608	4468	timbers.exe	sihost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4052	powershell.exe
3560	powershell.exe
1416	powershell.exe
3660	powershell.exe
548	powershell.exe
1604	powershell.exe
3952	powershell.exe
1744	powershell.exe
1416	powershell.exe
3660	powershell.exe
548	powershell.exe
1604	powershell.exe
3952	powershell.exe
1744	powershell.exe
4052	powershell.exe
3560	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

timbers.exe

pid process

4468 timbers.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
4 raw.githubusercontent.com

pid	process
4468	timbers.exe

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

timbers.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timbers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetimbers.exeopenwith.exe

pid	process
3560	powershell.exe
3560	powershell.exe
3560	powershell.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
548	powershell.exe
548	powershell.exe
548	powershell.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4468	timbers.exe
4468	timbers.exe
660	openwith.exe
660	openwith.exe
660	openwith.exe
660	openwith.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exetimbers.exe

description	pid	process	target process
PID 4692 wrote to memory of 3560	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 3560	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1416	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1416	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 3660	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 3660	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 548	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 548	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1604	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1604	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 3952	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 3952	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1744	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 1744	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 4052	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 4052	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	powershell.exe
PID 4692 wrote to memory of 4468	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	timbers.exe
PID 4692 wrote to memory of 4468	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	timbers.exe
PID 4692 wrote to memory of 4468	4692	2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe	timbers.exe
PID 4468 wrote to memory of 660	4468	timbers.exe	openwith.exe
PID 4468 wrote to memory of 660	4468	timbers.exe	openwith.exe
PID 4468 wrote to memory of 660	4468	timbers.exe	openwith.exe
PID 4468 wrote to memory of 660	4468	timbers.exe	openwith.exe
PID 4468 wrote to memory of 660	4468	timbers.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2608
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:660

C:\Users\Admin\AppData\Local\Temp\2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_2bbf7b599379f1b579e8f865c808db33_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Imbasers'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Imbasers\timbers.exe
  C:\Imbasers\timbers.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Imbasers\timbers.exe

Filesize
423KB

MD5
e0d8b7522c2dfc5866482fb61c2cab83

SHA1
bb48c6ce87abc1957a80180bae5db01f1b98a667

SHA256
aeb4171ec2a9f0400f54d5dd7a89041bc89ffa61627d26c20297fa849a37ffe9

SHA512
caeb6bbc922b5489f0a2783ad42040a913b293c6172f744ae05b263b4626dd9ef24340ea18289e521b628c2a70a2c9f5085f2bbeaab71ff059c9f83259369ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c1b0a9f26c3e1786191e94e419f1fbf9

SHA1
7f3492f4ec2d93e164f43fe2606b53edcffd8926

SHA256
796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

SHA512
fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ghc1fp1g.ukn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/660-110-0x0000000000D20000-0x0000000000D29000-memory.dmp

Filesize
36KB

Download
memory/660-113-0x0000000002BF0000-0x0000000002FF0000-memory.dmp

Filesize
4.0MB

Download
memory/660-116-0x00000000750C0000-0x00000000752D5000-memory.dmp

Filesize
2.1MB

Download
memory/660-114-0x00007FFDC2EF0000-0x00007FFDC30E5000-memory.dmp

Filesize
2.0MB

Download
memory/1416-17-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/1416-31-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/1416-29-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/1416-28-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/3560-15-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/3560-0-0x00007FFDA3663000-0x00007FFDA3665000-memory.dmp

Filesize
8KB

Download
memory/3560-12-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/3560-11-0x00007FFDA3660000-0x00007FFDA4121000-memory.dmp

Filesize
10.8MB

Download
memory/3560-1-0x000001EE575B0000-0x000001EE575D2000-memory.dmp

Filesize
136KB

Download
memory/4468-103-0x0000000000470000-0x00000000004EE000-memory.dmp

Filesize
504KB

Download
memory/4468-105-0x0000000003D70000-0x0000000004170000-memory.dmp

Filesize
4.0MB

Download
memory/4468-106-0x0000000003D70000-0x0000000004170000-memory.dmp

Filesize
4.0MB

Download
memory/4468-107-0x00007FFDC2EF0000-0x00007FFDC30E5000-memory.dmp

Filesize
2.0MB

Download
memory/4468-109-0x00000000750C0000-0x00000000752D5000-memory.dmp

Filesize
2.1MB

Download
memory/4468-111-0x0000000000470000-0x00000000004EE000-memory.dmp

Filesize
504KB

Download