rhadamanthys | 9b09c0bda213a1807cc1a904dce72f68089c0ae7c4b2df7ccee30ef505cf03b1

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lestvpn.exe
Size

14.5MB
MD5

acdaf35aa2e0134025ace04b6ca485f6
SHA1

724abebf2991d5abe605d011d29c3d2a7df7ee87
SHA256

9b09c0bda213a1807cc1a904dce72f68089c0ae7c4b2df7ccee30ef505cf03b1
SHA512

c7aea84e645017ea118f073d59863ed55df2e1f9c0e9340683aa2883f118b666e097b362330bd2a6beb898e7c89e127fcebb91296271b1a038b4b4677ce029c9
SSDEEP

393216:twbtBNVjdb3M6hsxujJXTZC5ztrctDlbylnfmUV:t0tZjeEssj5TEtA/byln3

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

letsvpnAnquan.exe

description	pid	Process	procid_target
PID 2644 created 1212	2644	letsvpnAnquan.exe	21

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

Processes:

letsvpn-latest.exeletsvpnAnquan.exeletsvpnAnquan.exeletsvpnAnquan.exe

pid	Process
2672	letsvpn-latest.exe
2824	letsvpnAnquan.exe
2644	letsvpnAnquan.exe
1388	letsvpnAnquan.exe

Loads dropped DLL 19 IoCs

Processes:

lestvpn.exeletsvpnAnquan.exeletsvpnAnquan.exeletsvpn-latest.exeletsvpnAnquan.exe

pid	Process
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2472	lestvpn.exe
2824	letsvpnAnquan.exe
2644	letsvpnAnquan.exe
2672	letsvpn-latest.exe
2672	letsvpn-latest.exe
2824	letsvpnAnquan.exe
2644	letsvpnAnquan.exe
1388	letsvpnAnquan.exe
1388	letsvpnAnquan.exe
2672	letsvpn-latest.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

letsvpn-latest.exeletsvpnAnquan.exeletsvpnAnquan.exepowershell.exedialer.exeletsvpnAnquan.exelestvpn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpnAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpnAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpnAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lestvpn.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

lestvpn.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lestvpn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lestvpn.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

letsvpnAnquan.exedialer.exepowershell.exe

pid	Process
2644	letsvpnAnquan.exe
2644	letsvpnAnquan.exe
1272	dialer.exe
1272	dialer.exe
2848	powershell.exe
1272	dialer.exe
1272	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

letsvpn-latest.exe

pid	Process
2672	letsvpn-latest.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

letsvpnAnquan.exepowershell.exeletsvpnAnquan.exe

description	pid	Process
Token: SeDebugPrivilege	2824	letsvpnAnquan.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1388	letsvpnAnquan.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

lestvpn.exeletsvpn-latest.exeletsvpnAnquan.exetaskeng.exe

description	pid	Process	procid_target
PID 2472 wrote to memory of 2672	2472	lestvpn.exe	32
PID 2472 wrote to memory of 2672	2472	lestvpn.exe	32
PID 2472 wrote to memory of 2672	2472	lestvpn.exe	32
PID 2472 wrote to memory of 2672	2472	lestvpn.exe	32
PID 2472 wrote to memory of 2824	2472	lestvpn.exe	33
PID 2472 wrote to memory of 2824	2472	lestvpn.exe	33
PID 2472 wrote to memory of 2824	2472	lestvpn.exe	33
PID 2472 wrote to memory of 2824	2472	lestvpn.exe	33
PID 2472 wrote to memory of 2644	2472	lestvpn.exe	34
PID 2472 wrote to memory of 2644	2472	lestvpn.exe	34
PID 2472 wrote to memory of 2644	2472	lestvpn.exe	34
PID 2472 wrote to memory of 2644	2472	lestvpn.exe	34
PID 2672 wrote to memory of 2848	2672	letsvpn-latest.exe	35
PID 2672 wrote to memory of 2848	2672	letsvpn-latest.exe	35
PID 2672 wrote to memory of 2848	2672	letsvpn-latest.exe	35
PID 2672 wrote to memory of 2848	2672	letsvpn-latest.exe	35
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 2644 wrote to memory of 1272	2644	letsvpnAnquan.exe	37
PID 1676 wrote to memory of 1388	1676	taskeng.exe	39
PID 1676 wrote to memory of 1388	1676	taskeng.exe	39
PID 1676 wrote to memory of 1388	1676	taskeng.exe	39
PID 1676 wrote to memory of 1388	1676	taskeng.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\lestvpn.exe
  "C:\Users\Admin\AppData\Local\Temp\lestvpn.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
    C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
- - C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe
    "C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe" "C:\Users\Admin\AppData\Local\Temp\config.ini"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe
    "C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe" "C:\Users\Admin\AppData\Local\Temp\let_config.ini"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2644
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1272

C:\Windows\system32\taskeng.exe
taskeng.exe {EA76224D-4AAE-4DE0-811A-604277F4968D} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe
  C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe "C:\Users\Admin\AppData\Local\Temp\config.ini"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alien\core.dll

Filesize
25KB

MD5
24b6950afd8663a46246044e6b09add8

SHA1
6444dab57d93ce987c22da66b3706d5d7fc226da

SHA256
9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071

SHA512
e1967e7e8c3d64b61451254da281415edf9946a6c8a46006f39ae091609c65666c376934b1bdcbd2a7f73adea7aa68e557694f804bf3bc3ce7854fa527e91740

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
910KB

MD5
ae2bb0a84eb09656a88e6e1d4737f25f

SHA1
cb658ac4932c196edafe21830d138a9184a02e24

SHA256
07f268e382051fe80098180d9d9464d244a5b95bc3bdd68c81b032f40aa9cf18

SHA512
1c9d495f6ba687fadd98946e5834b1536a0a7836d5d9fb71153c9ab2b8a75ada55a3ea9dee5f86e5ed7577752cc9579f2fbee6ff44cd55a5bde8423f120404d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\let_config.ini

Filesize
636KB

MD5
139f9c49094a8cb625017f49d1612929

SHA1
2acf3c680c86d0bf24daf1aa1764031aac0ecf1c

SHA256
3f45303d21300a5de7d2d84e32d3a50b161239061452442783eed1b0a34876e1

SHA512
09d224ec76eb31efdb0a53384896fd8c12a7dcc6a60bb3e01324f748c674235c6bbbc72b57b1c5235eb4da20729c45d9cfe5acc1edeebe47f7344e0f83275ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\letsvpnAnquan.exe

Filesize
14KB

MD5
426dfd5ece3b41970773031637cd5539

SHA1
d0fe14f8dab89aaddac8b1c89b1cee48396ec636

SHA256
737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8

SHA512
5c66ea3360115d6dcc71f6d624a886f3c992c5d30338880b0ba48db77dd7fa744b60a3d65fed63427ebb3a8bcf9b204e9ba1521d8c9f0e804ce0db76befa8935

Download Submit
C:\Users\Admin\AppData\Local\Temp\lua5.1.dll

Filesize
164KB

MD5
24a0d2ef5b931a2a13341a2503b1de80

SHA1
6201347d1ded92d365126a1225768e11c33ee818

SHA256
fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f

SHA512
5e06f88bb3920cef40a4941efb3b4d3012edf868cc3042f9dbc1989c76b410b4e2da12c20ae2fbcffe5525b43aeca8875e51167d0ce041864d546fdb2e1fecd2

Download Submit
\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD0F6.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy14C9.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy14C9.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy14C9.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/1272-91-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1272-93-0x0000000001D60000-0x0000000002160000-memory.dmp

Filesize
4.0MB

Download
memory/1272-97-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/1272-99-0x0000000077810000-0x0000000077857000-memory.dmp

Filesize
284KB

Download
memory/2644-82-0x0000000001E20000-0x0000000002220000-memory.dmp

Filesize
4.0MB

Download
memory/2644-90-0x0000000077810000-0x0000000077857000-memory.dmp

Filesize
284KB

Download
memory/2644-88-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2644-84-0x0000000001E20000-0x0000000002220000-memory.dmp

Filesize
4.0MB

Download
memory/2644-81-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/2824-87-0x0000000002130000-0x0000000002198000-memory.dmp

Filesize
416KB

Download
memory/2824-94-0x00000000051C0000-0x00000000051C7000-memory.dmp

Filesize
28KB

Download
memory/2824-83-0x0000000000410000-0x0000000000449000-memory.dmp

Filesize
228KB

Download