rhadamanthys | 4bdbf8c72c59d5d804c4f3e128f1326a00c7df5822d341988737f5b74ccfefa2

General

Target

App_Installer.exe
Size

68.1MB
MD5

9ce5da2670c3f3105dccfd2a7a8b8ea8
SHA1

7ea79e80b932fb1d5bb90f8aa2177891fffd11e9
SHA256

4bdbf8c72c59d5d804c4f3e128f1326a00c7df5822d341988737f5b74ccfefa2
SHA512

42d6ad0ca02e37629983b1b8da8caa8f4c5e4c930c67148901001f5888bcd9e198b6dd1ef6682e12f640ca286378fce67707f3bbcb4c019b6edb4ff1f284cd4a
SSDEEP

786432:Ysh10dBsh10dZsh10dCsh10dgsh10dTsh10dPsh10d8sh10d+sh10dFsh10dtshp:dkEksk9k/kGkakPkdkgkwkZk/k1k+k

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://185.184.26.10:4928/e4eb12414c95175ccfd/Other_5

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

CasPol.exe

description	pid	Process	procid_target
PID 4648 created 2968	4648	CasPol.exe	50

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
4	bitbucket.org
6	bitbucket.org

Drops file in System32 directory 2 IoCs

Processes:

App_Installer.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\temp.000	App_Installer.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll	App_Installer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

App_Installer.exe

description	pid	Process	procid_target
PID 2836 set thread context of 4648	2836	App_Installer.exe	90

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1136	4648	WerFault.exe	90
3900	4648	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

App_Installer.exeCasPol.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CasPol.exeopenwith.exe

pid	Process
4648	CasPol.exe
4648	CasPol.exe
2420	openwith.exe
2420	openwith.exe
2420	openwith.exe
2420	openwith.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

App_Installer.exe

description	pid	Process
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe
Token: SeShutdownPrivilege	2836	App_Installer.exe
Token: SeCreatePagefilePrivilege	2836	App_Installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

App_Installer.exeCasPol.exe

description	pid	Process	procid_target
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 2836 wrote to memory of 4648	2836	App_Installer.exe	90
PID 4648 wrote to memory of 2420	4648	CasPol.exe	93
PID 4648 wrote to memory of 2420	4648	CasPol.exe	93
PID 4648 wrote to memory of 2420	4648	CasPol.exe	93
PID 4648 wrote to memory of 2420	4648	CasPol.exe	93
PID 4648 wrote to memory of 2420	4648	CasPol.exe	93

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2968
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2420

C:\Users\Admin\AppData\Local\Temp\App_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\App_Installer.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 432
    3⤵
    - Program crash
    PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 464
    3⤵
    - Program crash
    PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1028,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4648 -ip 4648
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-17-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/2420-22-0x0000000075A50000-0x0000000075C65000-memory.dmp

Filesize
2.1MB

Download
memory/2420-19-0x00000000029C0000-0x0000000002DC0000-memory.dmp

Filesize
4.0MB

Download
memory/2420-20-0x00007FFEB4890000-0x00007FFEB4A85000-memory.dmp

Filesize
2.0MB

Download
memory/4648-12-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4648-10-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4648-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4648-14-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4648-13-0x00007FFEB4890000-0x00007FFEB4A85000-memory.dmp

Filesize
2.0MB

Download
memory/4648-16-0x0000000075A50000-0x0000000075C65000-memory.dmp

Filesize
2.1MB

Download
memory/4648-11-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4648-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4648-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4648-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4648-23-0x0000000003AE0000-0x0000000003EE0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads