rhadamanthys | e4cd575a0afa2a039622b62aabd9aa024851ac716d3d64edf59a2d639632bcb6

Resubmissions

08-10-2024 07:24

241008-h8prmayfnh 10

08-10-2024 07:10

241008-hzqmkayble 10

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sougou_output.exe
Size

155.7MB
MD5

c9afcf7bddb28f4741a097f6a55e4cfd
SHA1

158448adeb3c2aa19b0c37005d373b3ab4e6b9a7
SHA256

321d2e668a4d45c8fb0005fc7be1df5f748567e8206c35d8a7a083f2ce80263f
SHA512

408dc7a2a066ab047b220902ebaff39efe41d23c7423b137a3213c4e0344d68ce9bc06b9bd70d5f023a5787d5dc99a8e03c2c66c92fd3d574e8d630b6cf3987b
SSDEEP

3145728:XA/kfnZZRUWXNShZNxlb3oeUFRGp/K3GgUCoQKAQ6h398AWXNOQ14BDndvdXU:znTLXwXNf4eUSJK39U8KAQ6hN8AW9H13

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

SogouAnquan.exe

description	pid	Process	procid_target
PID 3000 created 2636	3000	SogouAnquan.exe	44
PID 3000 created 2636	3000	SogouAnquan.exe	44

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sougou_output.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sougou_output.exe

Executes dropped EXE 4 IoCs

Processes:

sogou.exeSogouAnquan.exeSogouAnquan.exeSogouAnquan.exe

pid	Process
3496	sogou.exe
1892	SogouAnquan.exe
3000	SogouAnquan.exe
4524	SogouAnquan.exe

Loads dropped DLL 24 IoCs

Processes:

sougou_output.exeSogouAnquan.exeSogouAnquan.exeSogouAnquan.exesogou.exe

pid	Process
4068	sougou_output.exe
4068	sougou_output.exe
4068	sougou_output.exe
4068	sougou_output.exe
4068	sougou_output.exe
1892	SogouAnquan.exe
1892	SogouAnquan.exe
1892	SogouAnquan.exe
3000	SogouAnquan.exe
3000	SogouAnquan.exe
3000	SogouAnquan.exe
4524	SogouAnquan.exe
4524	SogouAnquan.exe
4524	SogouAnquan.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3496-47-0x0000000000400000-0x00000000006DD000-memory.dmp	upx
behavioral2/memory/3496-250-0x0000000000400000-0x00000000006DD000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

Processes:

sougou_output.exe

description	ioc	Process
File created	C:\Program Files (x86)\sogou\config.ini	sougou_output.exe
File created	C:\Program Files (x86)\sogou\sogou_log.ini	sougou_output.exe
File created	C:\Program Files (x86)\sogou\sogou.exe	sougou_output.exe
File created	C:\Program Files (x86)\sogou\lua5.1.dll	sougou_output.exe
File created	C:\Program Files (x86)\sogou\SogouAnquan.exe	sougou_output.exe
File created	C:\Program Files (x86)\sogou\alien\core.dll	sougou_output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

openwith.exeSogouAnquan.exesougou_output.exesogou.exeSogouAnquan.exeSogouAnquan.exeopenwith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SogouAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sougou_output.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SogouAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SogouAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

SogouAnquan.exeopenwith.exesogou.exe

pid	Process
3000	SogouAnquan.exe
3000	SogouAnquan.exe
3000	SogouAnquan.exe
3000	SogouAnquan.exe
1548	openwith.exe
1548	openwith.exe
1548	openwith.exe
1548	openwith.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe
3496	sogou.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SogouAnquan.exeSogouAnquan.exe

description	pid	Process
Token: SeDebugPrivilege	1892	SogouAnquan.exe
Token: SeDebugPrivilege	4524	SogouAnquan.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

sougou_output.exeSogouAnquan.exe

description	pid	Process	procid_target
PID 4068 wrote to memory of 3496	4068	sougou_output.exe	84
PID 4068 wrote to memory of 3496	4068	sougou_output.exe	84
PID 4068 wrote to memory of 3496	4068	sougou_output.exe	84
PID 4068 wrote to memory of 1892	4068	sougou_output.exe	85
PID 4068 wrote to memory of 1892	4068	sougou_output.exe	85
PID 4068 wrote to memory of 1892	4068	sougou_output.exe	85
PID 4068 wrote to memory of 3000	4068	sougou_output.exe	86
PID 4068 wrote to memory of 3000	4068	sougou_output.exe	86
PID 4068 wrote to memory of 3000	4068	sougou_output.exe	86
PID 3000 wrote to memory of 1548	3000	SogouAnquan.exe	87
PID 3000 wrote to memory of 1548	3000	SogouAnquan.exe	87
PID 3000 wrote to memory of 1548	3000	SogouAnquan.exe	87
PID 3000 wrote to memory of 1548	3000	SogouAnquan.exe	87
PID 3000 wrote to memory of 1548	3000	SogouAnquan.exe	87
PID 3000 wrote to memory of 1688	3000	SogouAnquan.exe	88
PID 3000 wrote to memory of 1688	3000	SogouAnquan.exe	88
PID 3000 wrote to memory of 1688	3000	SogouAnquan.exe	88
PID 3000 wrote to memory of 1688	3000	SogouAnquan.exe	88
PID 3000 wrote to memory of 1688	3000	SogouAnquan.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688

C:\Users\Admin\AppData\Local\Temp\sougou_output.exe
"C:\Users\Admin\AppData\Local\Temp\sougou_output.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Program Files (x86)\sogou\sogou.exe
  "C:\Program Files (x86)\sogou\sogou.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\sogou\SogouAnquan.exe
  "C:\Program Files (x86)\sogou\SogouAnquan.exe" "C:\Program Files (x86)\sogou\config.ini"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Program Files (x86)\sogou\SogouAnquan.exe
  "C:\Program Files (x86)\sogou\SogouAnquan.exe" "C:\Program Files (x86)\sogou\sogou_log.ini"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000

C:\Program Files (x86)\sogou\SogouAnquan.exe
"C:\Program Files (x86)\sogou\SogouAnquan.exe" "C:\Program Files (x86)\sogou\config.ini"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sogou\SogouAnquan.exe

Filesize
14KB

MD5
426dfd5ece3b41970773031637cd5539

SHA1
d0fe14f8dab89aaddac8b1c89b1cee48396ec636

SHA256
737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8

SHA512
5c66ea3360115d6dcc71f6d624a886f3c992c5d30338880b0ba48db77dd7fa744b60a3d65fed63427ebb3a8bcf9b204e9ba1521d8c9f0e804ce0db76befa8935

Download Submit
C:\Program Files (x86)\sogou\alien\core.dll

Filesize
25KB

MD5
24b6950afd8663a46246044e6b09add8

SHA1
6444dab57d93ce987c22da66b3706d5d7fc226da

SHA256
9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071

SHA512
e1967e7e8c3d64b61451254da281415edf9946a6c8a46006f39ae091609c65666c376934b1bdcbd2a7f73adea7aa68e557694f804bf3bc3ce7854fa527e91740

Download Submit
C:\Program Files (x86)\sogou\config.ini

Filesize
911KB

MD5
65e15f1936f9bdd97110fbe7a978fd3d

SHA1
554c4cbedeab00ffb77af80517877df7546e938f

SHA256
edd33925c88ec7e7bbff6a93c69ccea95c100497d6c3ed16f17710950ca4a3d7

SHA512
678941ab9f7f92edf6b6ea4f0e8c58f5c933c9bd6ba74e1c40ea829c1e4783cde89202faa035f109f23ea3d224283af17b371b106aa9bfb078427a51405f626b

Download Submit
C:\Program Files (x86)\sogou\lua5.1.dll

Filesize
164KB

MD5
24a0d2ef5b931a2a13341a2503b1de80

SHA1
6201347d1ded92d365126a1225768e11c33ee818

SHA256
fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f

SHA512
5e06f88bb3920cef40a4941efb3b4d3012edf868cc3042f9dbc1989c76b410b4e2da12c20ae2fbcffe5525b43aeca8875e51167d0ce041864d546fdb2e1fecd2

Download Submit
C:\Program Files (x86)\sogou\sogou_log.ini

Filesize
636KB

MD5
0fac3197c74378f81f2098af6e520819

SHA1
cefbcd54dd0946bfcda7253f8f8fed1117563654

SHA256
a13982012565f15c8358cc9f1912bc884be6bb3a8805ce7e28e7c5a0aeed2fe0

SHA512
3e836735d09250117d4c53b68fcbb2f8a04325797b4c8f97915e3e0a360293caac17d043cecb397c498b37e595f0db6838e8e6cdef8af147235e7165293d46c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SogouAnquan.exe.log

Filesize
521B

MD5
82fd1c0a56b8af6ad97d973328281509

SHA1
5b4d01cb01d2e5e62dd3026de96dcf37f5713b89

SHA256
a57a4a3a9e484a52872a0c105ac939bf91e97033f4e40c21e5fd03f0bf8bc548

SHA512
3ced1456093d84e9617e630d06128da646b41720e873822c37cb40b4698919c4c543250ab9f191d73d6aac1109206655faa179dd781a578e1f778fe92b9a4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\HWSignature.dll

Filesize
138KB

MD5
154aea6ca8875fe8023f5f0554adbe60

SHA1
54a6c770e4ab3aef95782f1bc647ab664163d42f

SHA256
e035633d5a97dbc492d125a379a198ddadb09547d4b576552016e690a573e339

SHA512
93063a15acf077e0de9634eef68d21a3243be36a3a02f44065cac7c279ddc06a9a9e2ea5ef8f5d70662d6b9a710f988a0455b78aa8f8092155acfd359ae976ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
745007cd039d16bbbe05e308c223c8b0

SHA1
f3fc435a325118cbb4af4219bc41755c245afe54

SHA256
b550ed8935bbc51571aabfb5c3130d295909df89e7c4c1e204f219d88a652332

SHA512
40d1146fd001f138d0ecd0516078364947f180431bec36a689e03e5fadd4851ec5b6cd5862fc1702231c5a442c1be4bf6c0d759ca333f939cd74d55fc64cad74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\SetupLib.dll

Filesize
6.0MB

MD5
b713d9c939fe455aea4be2eb94215730

SHA1
c51af6b0be8452f77056d7a4a8554c8cb21c6ddb

SHA256
7dd85f1d4725ff05c35b6c0632992523a3f1cadb6294f516ef2528738b3a53af

SHA512
1185b1002c85aa832f380e81a45d50b0a6b44d9b87eefc1a0325c0dfbf921d2b9f531c81d564723874f555a10e2516fa1e6bd91a7e473893083998a57b8e2fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\SetupLibNew.dll

Filesize
3.9MB

MD5
72fb079823f0e6c80caff804cf626ca9

SHA1
464ae7293affcadd0aafec8a52635bcc92047e55

SHA256
23a25b73fd5d66aef3abc0c90b1eeff2fd3921a7d49aa69891e926139969b31e

SHA512
431d0e3469785981760185b38813148154fecb82abe37431c0591873e462ad597ad1449c29f3619b10f4435c08bbe231877f8debf9c48a26f258c5fef16b52c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\ioSpecial.ini

Filesize
958B

MD5
0097810684a2e07e52f9db4e9e836131

SHA1
4e9cef2e5e7b30e4eaf5c1eaa445e66fed36c117

SHA256
2cfb55b12ac2d7c1bec8147872f027d99110f9497440f5c92f2ab4b01b6e876e

SHA512
d967ac6173b2b00338f5e4968f418e74974c86d23e1ef931c4a7c16ec5601ceebfc4732bfe47214df1329718fa6e7b8d93b411e28fd28acc188c051203f61bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDFA4.tmp\validate.ini

Filesize
87B

MD5
59da6b50ff42da1a3230fbca1bd90e11

SHA1
6870be998befa4bf02e8824e0a101303fe76ef4f

SHA256
5f60c14e1d82e49f4dd48c648c31bd572adf7a6e236aa7b2a8854bbc90d21c4a

SHA512
e3e7061e1ca6d8ce0ebca216d88988247cb6b824b19fe2ed1fd4dfb19bdbb9d231655b378d0990cc51b3df82183cbb28818f60d2efb9cb40daf58ef183ba2a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbC99A.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/1548-96-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/1548-88-0x0000000002210000-0x0000000002610000-memory.dmp

Filesize
4.0MB

Download
memory/1548-82-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/1548-98-0x0000000075120000-0x0000000075335000-memory.dmp

Filesize
2.1MB

Download
memory/1688-100-0x0000000002EB0000-0x00000000032B0000-memory.dmp

Filesize
4.0MB

Download
memory/1892-73-0x0000000000B00000-0x0000000000B39000-memory.dmp

Filesize
228KB

Download
memory/1892-85-0x0000000002530000-0x0000000002598000-memory.dmp

Filesize
416KB

Download
memory/1892-89-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/1892-103-0x0000000004C90000-0x0000000004C97000-memory.dmp

Filesize
28KB

Download
memory/3000-72-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/3000-81-0x0000000075120000-0x0000000075335000-memory.dmp

Filesize
2.1MB

Download
memory/3000-80-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/3000-78-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/3000-101-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/3000-75-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3000-74-0x0000000000790000-0x00000000007B8000-memory.dmp

Filesize
160KB

Download
memory/3000-76-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/3000-87-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/3000-77-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/3000-92-0x0000000075120000-0x0000000075335000-memory.dmp

Filesize
2.1MB

Download
memory/3000-71-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3496-140-0x000000006D4A0000-0x000000006D4B0000-memory.dmp

Filesize
64KB

Download
memory/3496-131-0x0000000005800000-0x0000000005BF6000-memory.dmp

Filesize
4.0MB

Download
memory/3496-124-0x000000006D4B0000-0x000000006D4C0000-memory.dmp

Filesize
64KB

Download
memory/3496-151-0x00000000056A0000-0x00000000056C5000-memory.dmp

Filesize
148KB

Download
memory/3496-47-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/3496-250-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/4524-115-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/4524-116-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download