rhadamanthys | 5e4c3ede27f4b698191b7d8e27c58c5e23e15acaf97fc1c18f8a94208ff8d837

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetLoader.exe
Size

5.1MB
MD5

53c7101148e18f8d51a0951367d685af
SHA1

c402d153e5aaab6f29c5b272e38947b17c30da13
SHA256

5e4c3ede27f4b698191b7d8e27c58c5e23e15acaf97fc1c18f8a94208ff8d837
SHA512

e3df50a26d593d99387cfa367ac84d651198ab3a13a299484fe5354561723f8b97a1658636990bfd68785a809722c5bd14ac32917b1669204f6621a55ad3ea86
SSDEEP

98304:bjlp/LZZcJZn+EDfx0Ew1SWuiBdOpNT4ggxwzwIPFiAOZBv15HWLZOVK73wuB0is:bjnenPf/sBfdOptexYnCZD52L+9EI1

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SetLoader.exe

description	pid	Process	procid_target
PID 3168 created 2712	3168	SetLoader.exe	49

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SetLoader.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

SetLoader.exeopenwith.exe

pid	Process
3168	SetLoader.exe
3168	SetLoader.exe
3168	SetLoader.exe
3168	SetLoader.exe
2744	openwith.exe
2744	openwith.exe
2744	openwith.exe
2744	openwith.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

SetLoader.exe

description	pid	Process	procid_target
PID 3168 wrote to memory of 2744	3168	SetLoader.exe	83
PID 3168 wrote to memory of 2744	3168	SetLoader.exe	83
PID 3168 wrote to memory of 2744	3168	SetLoader.exe	83
PID 3168 wrote to memory of 2744	3168	SetLoader.exe	83
PID 3168 wrote to memory of 2744	3168	SetLoader.exe	83

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2712
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2744

C:\Users\Admin\AppData\Local\Temp\SetLoader.exe
"C:\Users\Admin\AppData\Local\Temp\SetLoader.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-11-0x0000000000E10000-0x0000000000E19000-memory.dmp

Filesize
36KB

Download
memory/2744-21-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2744-17-0x00007FFCE57B0000-0x00007FFCE59A5000-memory.dmp

Filesize
2.0MB

Download
memory/2744-20-0x0000000075830000-0x0000000075A45000-memory.dmp

Filesize
2.1MB

Download
memory/2744-19-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2744-16-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/2744-15-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/3168-8-0x00007FFCE57B0000-0x00007FFCE59A5000-memory.dmp

Filesize
2.0MB

Download
memory/3168-0-0x0000000000620000-0x0000000000B4C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-7-0x0000000003D40000-0x0000000004140000-memory.dmp

Filesize
4.0MB

Download
memory/3168-10-0x0000000075830000-0x0000000075A45000-memory.dmp

Filesize
2.1MB

Download
memory/3168-12-0x0000000000620000-0x0000000000B4C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-13-0x000000000069B000-0x000000000090E000-memory.dmp

Filesize
2.4MB

Download
memory/3168-5-0x0000000003D40000-0x0000000004140000-memory.dmp

Filesize
4.0MB

Download
memory/3168-6-0x0000000000620000-0x0000000000B4C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-4-0x0000000000620000-0x0000000000B4C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-3-0x0000000000620000-0x0000000000B4C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-2-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3168-1-0x000000000069B000-0x000000000090E000-memory.dmp

Filesize
2.4MB

Download