rhadamanthys | 9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0

General

Target

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
Size

1.1MB
MD5

183d3258056265d85665725d1d995126
SHA1

606765ff639a2699f0e9df650ceb91b658a5521d
SHA256

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0
SHA512

8a57e8ba15f59ae1f971888b3492a04a1faf5db104743998f3ea5c41477fb36c7572547c93302e343f3aa86b6a29a615a51b904d406c11694d10915bfe0ae925
SSDEEP

24576:OoU4GxhwybZN2yb0ykH3t0P/Z63iY4Er6ySE4ppEakzEqEK/oi:OyWr2ybhkdLmPhAakzsqf

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://217.197.107.204:443/e0bd9c1f4515facb49/gj28n35o.2n73x

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pipanel.exe9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

pid	process
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

pid process

1868 9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe

description	pid	process	target process
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe
PID 1868 wrote to memory of 2760	1868	9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe	pipanel.exe

C:\Users\Admin\AppData\Local\Temp\9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe
"C:\Users\Admin\AppData\Local\Temp\9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\9096c9ab92e7832fcc34c80a121661c750af0c72b153a90a54e32452b78d73d0.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/1868-2-0x000000007724F000-0x0000000077250000-memory.dmp

Filesize
4KB

Download
memory/1868-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1868-4-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/1868-5-0x0000000000C10000-0x0000000000D3C000-memory.dmp

Filesize
1.2MB

Download
memory/1868-9-0x0000000000B90000-0x0000000000BE0000-memory.dmp

Filesize
320KB

Download
memory/1868-28-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/2760-14-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-13-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-17-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-11-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-18-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-19-0x000000007724F000-0x0000000077250000-memory.dmp

Filesize
4KB

Download
memory/2760-20-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2760-10-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-22-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2760-21-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2760-29-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads