rhadamanthys | 054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72.exe
Size

35.9MB
MD5

eb142f56ed73c4cce280fc3f3493429a
SHA1

e1ce2464864482703abded9cbed4aaabc638a113
SHA256

054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72
SHA512

75c97a01fe3963939233214093c419fdc3fc561e35e8884ee221e4dced3bab1baa9c4ed2fec6a95517de794728df1eef0e533357b16b719480aa7692910779c2
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfd:fMguj8Q4VfvPqFTrYC

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2228 created 2244	2228	module.exe	49

Executes dropped EXE 1 IoCs

pid	Process
2228	module.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2228	module.exe
2228	module.exe
2228	module.exe
2228	module.exe
3808	openwith.exe
3808	openwith.exe
3808	openwith.exe
3808	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 5020	2948	054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72.exe	93
PID 2948 wrote to memory of 5020	2948	054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72.exe	93
PID 5020 wrote to memory of 2228	5020	cmd.exe	94
PID 5020 wrote to memory of 2228	5020	cmd.exe	94
PID 5020 wrote to memory of 2228	5020	cmd.exe	94
PID 2228 wrote to memory of 3808	2228	module.exe	95
PID 2228 wrote to memory of 3808	2228	module.exe	95
PID 2228 wrote to memory of 3808	2228	module.exe	95
PID 2228 wrote to memory of 3808	2228	module.exe	95
PID 2228 wrote to memory of 3808	2228	module.exe	95

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2244
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Users\Admin\AppData\Local\Temp\054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72.exe
"C:\Users\Admin\AppData\Local\Temp\054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\module.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\module.exe
    C:\Users\Admin\AppData\Local\Temp\module.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
5.1MB

MD5
850903be8fe94bf6b270c2188af82cca

SHA1
e0469de46b7ced7b4de11157d0eff8719ba3dc70

SHA256
5e69b0dd5a6cea4b9d9790a0d63e9e25417c6d602f004f5540c951585b15cbec

SHA512
5d430c21dab1427400f5750f788076e76fe1d45fd5b79f792ad2cbcf916787312f37d596bc70e4d1d16f01a39275798513beaf8741bc864e113cb4a39d44ee1e

Download Submit
memory/2228-13-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/2228-7-0x00000000013B0000-0x00000000013B1000-memory.dmp

Filesize
4KB

Download
memory/2228-15-0x0000000077A60000-0x0000000077C75000-memory.dmp

Filesize
2.1MB

Download
memory/2228-18-0x0000000000D60000-0x0000000001283000-memory.dmp

Filesize
5.1MB

Download
memory/2228-10-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/2228-11-0x0000000000D60000-0x0000000001283000-memory.dmp

Filesize
5.1MB

Download
memory/2228-12-0x0000000004270000-0x0000000004670000-memory.dmp

Filesize
4.0MB

Download
memory/2228-4-0x0000000000D60000-0x0000000001283000-memory.dmp

Filesize
5.1MB

Download
memory/2228-19-0x0000000000DDB000-0x000000000103C000-memory.dmp

Filesize
2.4MB

Download
memory/2228-6-0x0000000000DDB000-0x000000000103C000-memory.dmp

Filesize
2.4MB

Download
memory/2228-9-0x0000000000D60000-0x0000000001283000-memory.dmp

Filesize
5.1MB

Download
memory/3808-20-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-25-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-24-0x0000000077A60000-0x0000000077C75000-memory.dmp

Filesize
2.1MB

Download
memory/3808-23-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-26-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-21-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

Filesize
2.0MB

Download
memory/3808-16-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download