rhadamanthys | 81babd3b171b54c1591b184dc234104e5ca1ede6ba598820649c12f6c8a0e9b3

General

Target

RG_Catalyst3/SetLoader.exe
Size

35.9MB
MD5

eb142f56ed73c4cce280fc3f3493429a
SHA1

e1ce2464864482703abded9cbed4aaabc638a113
SHA256

054364f58a17ec336ad19906082bb054b565f38de455d89f51ed02e290c75a72
SHA512

75c97a01fe3963939233214093c419fdc3fc561e35e8884ee221e4dced3bab1baa9c4ed2fec6a95517de794728df1eef0e533357b16b719480aa7692910779c2
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfd:fMguj8Q4VfvPqFTrYC

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

module.exe

description pid process target process

PID 2324 created 2636 2324 module.exe svchost.exe
Executes dropped EXE 1 IoCs

Processes:

module.exe

pid process

2324 module.exe

description	pid	process	target process
PID 2324 created 2636	2324	module.exe	svchost.exe

pid	process
2324	module.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

module.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	module.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

module.exeopenwith.exe

pid process

2324 module.exe
2324 module.exe
2324 module.exe
2324 module.exe
1868 openwith.exe
1868 openwith.exe
1868 openwith.exe
1868 openwith.exe

pid	process
2324	module.exe
2324	module.exe
2324	module.exe
2324	module.exe
1868	openwith.exe
1868	openwith.exe
1868	openwith.exe
1868	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SetLoader.execmd.exemodule.exe

description	pid	process	target process
PID 3032 wrote to memory of 3868	3032	SetLoader.exe	cmd.exe
PID 3032 wrote to memory of 3868	3032	SetLoader.exe	cmd.exe
PID 3868 wrote to memory of 2324	3868	cmd.exe	module.exe
PID 3868 wrote to memory of 2324	3868	cmd.exe	module.exe
PID 3868 wrote to memory of 2324	3868	cmd.exe	module.exe
PID 2324 wrote to memory of 1868	2324	module.exe	openwith.exe
PID 2324 wrote to memory of 1868	2324	module.exe	openwith.exe
PID 2324 wrote to memory of 1868	2324	module.exe	openwith.exe
PID 2324 wrote to memory of 1868	2324	module.exe	openwith.exe
PID 2324 wrote to memory of 1868	2324	module.exe	openwith.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2636
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1868

C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RG_Catalyst3\SetLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\module.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\module.exe
    C:\Users\Admin\AppData\Local\Temp\module.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\module.exe

Filesize
5.1MB

MD5
850903be8fe94bf6b270c2188af82cca

SHA1
e0469de46b7ced7b4de11157d0eff8719ba3dc70

SHA256
5e69b0dd5a6cea4b9d9790a0d63e9e25417c6d602f004f5540c951585b15cbec

SHA512
5d430c21dab1427400f5750f788076e76fe1d45fd5b79f792ad2cbcf916787312f37d596bc70e4d1d16f01a39275798513beaf8741bc864e113cb4a39d44ee1e

Download Submit
memory/1868-16-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/1868-26-0x0000000002220000-0x0000000002620000-memory.dmp

Filesize
4.0MB

Download
memory/1868-23-0x0000000002220000-0x0000000002620000-memory.dmp

Filesize
4.0MB

Download
memory/1868-25-0x0000000074F90000-0x00000000751A5000-memory.dmp

Filesize
2.1MB

Download
memory/1868-22-0x00007FF983830000-0x00007FF983A25000-memory.dmp

Filesize
2.0MB

Download
memory/1868-20-0x0000000002220000-0x0000000002620000-memory.dmp

Filesize
4.0MB

Download
memory/1868-21-0x0000000002220000-0x0000000002620000-memory.dmp

Filesize
4.0MB

Download
memory/2324-9-0x00000000003F0000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/2324-13-0x00007FF983830000-0x00007FF983A25000-memory.dmp

Filesize
2.0MB

Download
memory/2324-15-0x0000000074F90000-0x00000000751A5000-memory.dmp

Filesize
2.1MB

Download
memory/2324-12-0x0000000003B40000-0x0000000003F40000-memory.dmp

Filesize
4.0MB

Download
memory/2324-17-0x00000000003F0000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/2324-18-0x000000000046B000-0x00000000006CC000-memory.dmp

Filesize
2.4MB

Download
memory/2324-11-0x00000000003F0000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/2324-10-0x0000000003B40000-0x0000000003F40000-memory.dmp

Filesize
4.0MB

Download
memory/2324-8-0x00000000003F0000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/2324-7-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2324-6-0x000000000046B000-0x00000000006CC000-memory.dmp

Filesize
2.4MB

Download
memory/2324-4-0x00000000003F0000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing