rhadamanthys | 589b622872cef5c5ca4af70a9bba031ee462e555e83213bd73c7511af550e417

General

Target

Software_Setup.exe
Size

74.9MB
MD5

707c20a0de59fe418045e8cb90e4e8f9
SHA1

a1404eb652921a2808781cf09daecc363dbf5010
SHA256

589b622872cef5c5ca4af70a9bba031ee462e555e83213bd73c7511af550e417
SHA512

de4f99b62cd02d02cb4f4ebc65078860a6c43293f1b9f1e2e88caf7ceb8c6b690b6adcca013568e721b4986a068ac22c51a20499d6f41c1fa8ab5b3030754269
SSDEEP

1572864:Whw53fhw53fhw53fhw53fhw53fhw53fhw53:beeeeee

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://185.184.26.10:4928/e4eb12414c95175ccfd/Other4

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

winhlp32.exe

description	pid	Process	procid_target
PID 4864 created 2860	4864	winhlp32.exe	49

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
1	bitbucket.org
2	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Software_Setup.exe

description	pid	Process	procid_target
PID 3768 set thread context of 4864	3768	Software_Setup.exe	78

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1524	4864	WerFault.exe	78
1684	4864	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Software_Setup.exewinhlp32.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Software_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

winhlp32.exeopenwith.exe

pid	Process
4864	winhlp32.exe
4864	winhlp32.exe
3752	openwith.exe
3752	openwith.exe
3752	openwith.exe
3752	openwith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Software_Setup.exewinhlp32.exe

description	pid	Process	procid_target
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 3768 wrote to memory of 4864	3768	Software_Setup.exe	78
PID 4864 wrote to memory of 3752	4864	winhlp32.exe	79
PID 4864 wrote to memory of 3752	4864	winhlp32.exe	79
PID 4864 wrote to memory of 3752	4864	winhlp32.exe	79
PID 4864 wrote to memory of 3752	4864	winhlp32.exe	79
PID 4864 wrote to memory of 3752	4864	winhlp32.exe	79

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2860
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3752

C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\winhlp32.exe
  "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 460
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 456
    3⤵
    - Program crash
    PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4864 -ip 4864
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3752-25-0x0000000075400000-0x0000000075652000-memory.dmp

Filesize
2.3MB

Download
memory/3752-20-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/3752-22-0x0000000002310000-0x0000000002710000-memory.dmp

Filesize
4.0MB

Download
memory/3752-23-0x00007FFD11860000-0x00007FFD11A69000-memory.dmp

Filesize
2.0MB

Download
memory/4864-14-0x00000000039A0000-0x0000000003DA0000-memory.dmp

Filesize
4.0MB

Download
memory/4864-13-0x00000000039A0000-0x0000000003DA0000-memory.dmp

Filesize
4.0MB

Download
memory/4864-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4864-18-0x0000000075400000-0x0000000075652000-memory.dmp

Filesize
2.3MB

Download
memory/4864-12-0x00000000039A0000-0x0000000003DA0000-memory.dmp

Filesize
4.0MB

Download
memory/4864-19-0x00007FFD11861000-0x00007FFD1198A000-memory.dmp

Filesize
1.2MB

Download
memory/4864-15-0x00007FFD11860000-0x00007FFD11A69000-memory.dmp

Filesize
2.0MB

Download
memory/4864-17-0x00000000039A0000-0x0000000003DA0000-memory.dmp

Filesize
4.0MB

Download
memory/4864-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4864-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4864-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4864-26-0x00000000039A0000-0x0000000003DA0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads