rhadamanthys | 4bdbf8c72c59d5d804c4f3e128f1326a00c7df5822d341988737f5b74ccfefa2

General

Target

App_Installer.exe
Size

68.1MB
MD5

9ce5da2670c3f3105dccfd2a7a8b8ea8
SHA1

7ea79e80b932fb1d5bb90f8aa2177891fffd11e9
SHA256

4bdbf8c72c59d5d804c4f3e128f1326a00c7df5822d341988737f5b74ccfefa2
SHA512

42d6ad0ca02e37629983b1b8da8caa8f4c5e4c930c67148901001f5888bcd9e198b6dd1ef6682e12f640ca286378fce67707f3bbcb4c019b6edb4ff1f284cd4a
SSDEEP

786432:Ysh10dBsh10dZsh10dCsh10dgsh10dTsh10dPsh10d8sh10d+sh10dFsh10dtshp:dkEksk9k/kGkakPkdkgkwkZk/k1k+k

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://185.184.26.10:4928/e4eb12414c95175ccfd/Other_5

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegSvcs.exe

description pid process target process

PID 1724 created 2716 1724 RegSvcs.exe sihost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 bitbucket.org
7 bitbucket.org

description	pid	process	target process
PID 1724 created 2716	1724	RegSvcs.exe	sihost.exe

flow	ioc
6	bitbucket.org
7	bitbucket.org

Drops file in System32 directory 2 IoCs

Processes:

App_Installer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell32.dll	App_Installer.exe
File created	C:\Windows\SysWOW64\temp.000	App_Installer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

App_Installer.exe

description pid process target process

PID 3272 set thread context of 1724 3272 App_Installer.exe RegSvcs.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2336 1724 WerFault.exe RegSvcs.exe
2528 1724 WerFault.exe RegSvcs.exe

description	pid	process	target process
PID 3272 set thread context of 1724	3272	App_Installer.exe	RegSvcs.exe

pid	pid_target	process	target process
2336	1724	WerFault.exe	RegSvcs.exe
2528	1724	WerFault.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

App_Installer.exeRegSvcs.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App_Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exeopenwith.exe

pid process

1724 RegSvcs.exe
1724 RegSvcs.exe
5104 openwith.exe
5104 openwith.exe
5104 openwith.exe
5104 openwith.exe

pid	process
1724	RegSvcs.exe
1724	RegSvcs.exe
5104	openwith.exe
5104	openwith.exe
5104	openwith.exe
5104	openwith.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

App_Installer.exe

description	pid	process
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe
Token: SeShutdownPrivilege	3272	App_Installer.exe
Token: SeCreatePagefilePrivilege	3272	App_Installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

App_Installer.exeRegSvcs.exe

description	pid	process	target process
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 3272 wrote to memory of 1724	3272	App_Installer.exe	RegSvcs.exe
PID 1724 wrote to memory of 5104	1724	RegSvcs.exe	openwith.exe
PID 1724 wrote to memory of 5104	1724	RegSvcs.exe	openwith.exe
PID 1724 wrote to memory of 5104	1724	RegSvcs.exe	openwith.exe
PID 1724 wrote to memory of 5104	1724	RegSvcs.exe	openwith.exe
PID 1724 wrote to memory of 5104	1724	RegSvcs.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2716
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

C:\Users\Admin\AppData\Local\Temp\App_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\App_Installer.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 432
    3⤵
    - Program crash
    PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 428
    3⤵
    - Program crash
    PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1724 -ip 1724
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1724 -ip 1724
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-12-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/1724-13-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download
memory/1724-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-11-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/1724-10-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/1724-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-14-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/1724-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1724-23-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/1724-16-0x0000000076540000-0x0000000076755000-memory.dmp

Filesize
2.1MB

Download
memory/5104-19-0x0000000001FA0000-0x00000000023A0000-memory.dmp

Filesize
4.0MB

Download
memory/5104-22-0x0000000076540000-0x0000000076755000-memory.dmp

Filesize
2.1MB

Download
memory/5104-20-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download
memory/5104-17-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads