rhadamanthys | 46298b16b10079f44ee9515920de3391bd0590c36427e15ba81841a5e686bb79

General

Target

1d1505d6acae5dfe0ad58fddd7933cfc.exe
Size

442KB
MD5

1d1505d6acae5dfe0ad58fddd7933cfc
SHA1

ec64dd991550788047d6e512b8d17a7d73e48c6a
SHA256

46298b16b10079f44ee9515920de3391bd0590c36427e15ba81841a5e686bb79
SHA512

ee14b7b6b1b9845d61786a11f1d5da757898212d634637aceb276077c803b79e614fe46a07403108c4430e82010adccc5b32a0183e85b998f38ed9f7030d70bf
SSDEEP

12288:m+RQLpoHCpa7QDoGukWV1hC8kVOYfCYfQ8O6akF19ecKPs:mtNDILn8u

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/q4cs18w4.g9muv

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1648 created 2964	1648	aspnet_regiis.exe	50

Loads dropped DLL 1 IoCs

pid	Process
4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4068 set thread context of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1520	1648	WerFault.exe	87
3316	1648	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d1505d6acae5dfe0ad58fddd7933cfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	aspnet_regiis.exe
1648	aspnet_regiis.exe
1316	openwith.exe
1316	openwith.exe
1316	openwith.exe
1316	openwith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 4068 wrote to memory of 1648	4068	1d1505d6acae5dfe0ad58fddd7933cfc.exe	87
PID 1648 wrote to memory of 1316	1648	aspnet_regiis.exe	88
PID 1648 wrote to memory of 1316	1648	aspnet_regiis.exe	88
PID 1648 wrote to memory of 1316	1648	aspnet_regiis.exe	88
PID 1648 wrote to memory of 1316	1648	aspnet_regiis.exe	88
PID 1648 wrote to memory of 1316	1648	aspnet_regiis.exe	88

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2964
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1316

C:\Users\Admin\AppData\Local\Temp\1d1505d6acae5dfe0ad58fddd7933cfc.exe
"C:\Users\Admin\AppData\Local\Temp\1d1505d6acae5dfe0ad58fddd7933cfc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 436
    3⤵
    - Program crash
    PID:1520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 444
    3⤵
    - Program crash
    PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1648 -ip 1648
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
617KB

MD5
b209cf5480673daefd7af11fd9a4ca69

SHA1
a4517d0f3b77603f58c44992fa0fef1d46746595

SHA256
fc709d1c3497c624a2a27e1a2306cbba764e6e52c8cedb597d0b49377d91f676

SHA512
d2c97f6a6e4e6a4f4b5f1809f6a15bab0c96d9399447550e3528471617426658de41795a9d4ca9dcdae8f84fdd8eb2516aa658f3469f19328849627c7650ba65

Download Submit
memory/1316-24-0x00000000008F0000-0x00000000008F9000-memory.dmp

Filesize
36KB

Download
memory/1316-32-0x0000000002400000-0x0000000002800000-memory.dmp

Filesize
4.0MB

Download
memory/1316-28-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

Filesize
2.0MB

Download
memory/1316-31-0x0000000002400000-0x0000000002800000-memory.dmp

Filesize
4.0MB

Download
memory/1316-30-0x0000000075D40000-0x0000000075F55000-memory.dmp

Filesize
2.1MB

Download
memory/1316-27-0x0000000002400000-0x0000000002800000-memory.dmp

Filesize
4.0MB

Download
memory/1648-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1648-23-0x0000000075D40000-0x0000000075F55000-memory.dmp

Filesize
2.1MB

Download
memory/1648-33-0x00000000038B0000-0x0000000003CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1648-17-0x00000000038B0000-0x0000000003CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-21-0x00000000038B0000-0x0000000003CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-20-0x00000000038B0000-0x0000000003CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-19-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

Filesize
2.0MB

Download
memory/1648-18-0x00000000038B0000-0x0000000003CB0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1648-15-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4068-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/4068-14-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4068-9-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4068-2-0x0000000001260000-0x0000000001266000-memory.dmp

Filesize
24KB

Download
memory/4068-1-0x0000000000B60000-0x0000000000BD8000-memory.dmp

Filesize
480KB

Download
memory/4068-16-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing