rhadamanthys | 81babd3b171b54c1591b184dc234104e5ca1ede6ba598820649c12f6c8a0e9b3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RG_Catalyst3/SetLoader.exe
Size

35.9MB
MD5

eb142f56ed73c4cce280fc3f3493429a
SHA1

e1ce2464864482703abded9cbed4aaabc638a113
SHA256

054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72
SHA512

75c97a01fe3963939233214093c419fdc3fc561e35e8884ee221e4dced3bab1baa9c4ed2fec6a95517de794728df1eef0e533357b16b719480aa7692910779c2
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfd:fMguj8Q4VfvPqFTrYC

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1316 created 2628	1316	module.exe	44

Executes dropped EXE 1 IoCs

pid	Process
1316	module.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1316	module.exe
1316	module.exe
1316	module.exe
1316	module.exe
4652	openwith.exe
4652	openwith.exe
4652	openwith.exe
4652	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4556	1736	SetLoader.exe	87
PID 1736 wrote to memory of 4556	1736	SetLoader.exe	87
PID 4556 wrote to memory of 1316	4556	cmd.exe	88
PID 4556 wrote to memory of 1316	4556	cmd.exe	88
PID 4556 wrote to memory of 1316	4556	cmd.exe	88
PID 1316 wrote to memory of 4652	1316	module.exe	89
PID 1316 wrote to memory of 4652	1316	module.exe	89
PID 1316 wrote to memory of 4652	1316	module.exe	89
PID 1316 wrote to memory of 4652	1316	module.exe	89
PID 1316 wrote to memory of 4652	1316	module.exe	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\module.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\module.exe
    C:\Users\Admin\AppData\Local\Temp\module.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
5.1MB

MD5
850903be8fe94bf6b270c2188af82cca

SHA1
e0469de46b7ced7b4de11157d0eff8719ba3dc70

SHA256
5e69b0dd5a6cea4b9d9790a0d63e9e25417c6d602f004f5540c951585b15cbec

SHA512
5d430c21dab1427400f5750f788076e76fe1d45fd5b79f792ad2cbcf916787312f37d596bc70e4d1d16f01a39275798513beaf8741bc864e113cb4a39d44ee1e

Download Submit
memory/1316-13-0x00007FFA68210000-0x00007FFA68405000-memory.dmp

Filesize
2.0MB

Download
memory/1316-7-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1316-15-0x0000000076D60000-0x0000000076F75000-memory.dmp

Filesize
2.1MB

Download
memory/1316-17-0x0000000000440000-0x0000000000963000-memory.dmp

Filesize
5.1MB

Download
memory/1316-10-0x0000000003DB0000-0x00000000041B0000-memory.dmp

Filesize
4.0MB

Download
memory/1316-11-0x0000000000440000-0x0000000000963000-memory.dmp

Filesize
5.1MB

Download
memory/1316-12-0x0000000003DB0000-0x00000000041B0000-memory.dmp

Filesize
4.0MB

Download
memory/1316-4-0x0000000000440000-0x0000000000963000-memory.dmp

Filesize
5.1MB

Download
memory/1316-19-0x00000000004BB000-0x000000000071C000-memory.dmp

Filesize
2.4MB

Download
memory/1316-6-0x00000000004BB000-0x000000000071C000-memory.dmp

Filesize
2.4MB

Download
memory/1316-9-0x0000000000440000-0x0000000000963000-memory.dmp

Filesize
5.1MB

Download
memory/4652-21-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/4652-20-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/4652-22-0x00007FFA68210000-0x00007FFA68405000-memory.dmp

Filesize
2.0MB

Download
memory/4652-25-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/4652-24-0x0000000076D60000-0x0000000076F75000-memory.dmp

Filesize
2.1MB

Download
memory/4652-26-0x0000000002150000-0x0000000002550000-memory.dmp

Filesize
4.0MB

Download
memory/4652-16-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download