rhadamanthys | d98832bfc040c10d3000a9afc90ec9f8d9adcfc12ad45bc6baabfa26f760d97b

General

Target

Installer/Installer.exe
Size

227KB
MD5

b588f677ab42fdf4fb540d399e0c822d
SHA1

8a23270696d6dc4e92c3afd515ba19fe8fc4bd3e
SHA256

6c5af52675bd86c04c858774dfaecb12d67cbb492b5835ccfb6a41f7e594e3c0
SHA512

3b7ae452c5f7f203135ff382b5d6e8790221538c086934a5857b1819e1aec19d5955a916ea3fbfaa1925b58ac0584412c050c618c5f63171547d4af0c9a27bd7
SSDEEP

3072:PNGh0Mfkarr8cMvFBRqAlvdfcVfw6r4OlqJslIFdATelkIZch+5rixPZad:PN5Mf3pMvRvl0VfLtiF9lzZcU

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/0frouaxb.8xg7f

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

aspnet_regiis.exe

description pid process target process

PID 4364 created 2116 4364 aspnet_regiis.exe sihost.exe
Loads dropped DLL 1 IoCs

Processes:

Installer.exe

pid process

4868 Installer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 4868 set thread context of 4364 4868 Installer.exe aspnet_regiis.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2424 4364 WerFault.exe aspnet_regiis.exe
5036 4364 WerFault.exe aspnet_regiis.exe

description	pid	process	target process
PID 4364 created 2116	4364	aspnet_regiis.exe	sihost.exe

pid	process
4868	Installer.exe

description	pid	process	target process
PID 4868 set thread context of 4364	4868	Installer.exe	aspnet_regiis.exe

pid	pid_target	process	target process
2424	4364	WerFault.exe	aspnet_regiis.exe
5036	4364	WerFault.exe	aspnet_regiis.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Installer.exeaspnet_regiis.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

aspnet_regiis.exeopenwith.exe

pid process

4364 aspnet_regiis.exe
4364 aspnet_regiis.exe
1760 openwith.exe
1760 openwith.exe
1760 openwith.exe
1760 openwith.exe

pid	process
4364	aspnet_regiis.exe
4364	aspnet_regiis.exe
1760	openwith.exe
1760	openwith.exe
1760	openwith.exe
1760	openwith.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Installer.exeaspnet_regiis.exe

description	pid	process	target process
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4868 wrote to memory of 4364	4868	Installer.exe	aspnet_regiis.exe
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	openwith.exe
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	openwith.exe
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	openwith.exe
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	openwith.exe
PID 4364 wrote to memory of 1760	4364	aspnet_regiis.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2116
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 424
    3⤵
    - Program crash
    PID:2424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 440
    3⤵
    - Program crash
    PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4364 -ip 4364
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
729KB

MD5
351c51206a136e8e3224579b50d5ff3c

SHA1
8683cef48ad78e150dfb290c65188f4b9a5100a8

SHA256
a14e7251adaa163f527e4f45471b4649af25856ecce2f90d2544e69773b69a8a

SHA512
53e9e6c02d0f7370ca0743783b933936825ea7a690aaf40c64a0b2b6f7983dd196053c06c94470eac11f6ede50204c80d448edf42877722936338cfc98122b5d

Download Submit
memory/1760-22-0x0000000000F20000-0x0000000000F29000-memory.dmp

Filesize
36KB

Download
memory/1760-30-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-24-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-26-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/1760-29-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/1760-28-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

Filesize
2.1MB

Download
memory/1760-25-0x0000000002D10000-0x0000000003110000-memory.dmp

Filesize
4.0MB

Download
memory/4364-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-18-0x00007FFD0E550000-0x00007FFD0E745000-memory.dmp

Filesize
2.0MB

Download
memory/4364-21-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-20-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

Filesize
2.1MB

Download
memory/4364-17-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-15-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-16-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4364-31-0x0000000003BD0000-0x0000000003FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4868-6-0x0000000077A51000-0x0000000077B71000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing