rhadamanthys | d98832bfc040c10d3000a9afc90ec9f8d9adcfc12ad45bc6baabfa26f760d97b

General

Target

Installer/Installer.exe
Size

227KB
MD5

b588f677ab42fdf4fb540d399e0c822d
SHA1

8a23270696d6dc4e92c3afd515ba19fe8fc4bd3e
SHA256

6c5af52675bd86c04c858774dfaecb12d67cbb492b5835ccfb6a41f7e594e3c0
SHA512

3b7ae452c5f7f203135ff382b5d6e8790221538c086934a5857b1819e1aec19d5955a916ea3fbfaa1925b58ac0584412c050c618c5f63171547d4af0c9a27bd7
SSDEEP

3072:PNGh0Mfkarr8cMvFBRqAlvdfcVfw6r4OlqJslIFdATelkIZch+5rixPZad:PN5Mf3pMvRvl0VfLtiF9lzZcU

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/0frouaxb.8xg7f

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4364 created 2116	4364	aspnet_regiis.exe	51

Loads dropped DLL 1 IoCs

pid	Process
4868	Installer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 4364	4868	Installer.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2424	4364	WerFault.exe	85
5036	4364	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4364	aspnet_regiis.exe
4364	aspnet_regiis.exe
1760	openwith.exe
1760	openwith.exe
1760	openwith.exe
1760	openwith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4868 wrote to memory of 4364	4868	Installer.exe	85
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	86
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	86
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	86
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	86
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2116
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 424
    3⤵
    - Program crash
    PID:2424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 440
    3⤵
    - Program crash
    PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4364 -ip 4364
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
729KB

MD5
351c51206a136e8e3224579b50d5ff3c

SHA1
8683cef48ad78e150dfb290c65188f4b9a5100a8

SHA256
a14e7251adaa163f527e4f45471b4649af25856ecce2f90d2544e69773b69a8a

SHA512
53e9e6c02d0f7370ca0743783b933936825ea7a690aaf40c64a0b2b6f7983dd196053c06c94470eac11f6ede50204c80d448edf42877722936338cfc98122b5d

Download Submit
memory/1760-22-0x0000000000F20000-0x0000000000F29000-memory.dmp

Filesize
36KB

Download
memory/1760-30-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-24-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-26-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/1760-29-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-28-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

Filesize
2.1MB

Download
memory/1760-25-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/4364-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-18-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4364-21-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-20-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

Filesize
2.1MB

Download
memory/4364-17-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-15-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-16-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-31-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4868-6-0x0000000077A51000-0x0000000077B71000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing