rhadamanthys | 8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
submitted
10-10-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
Size

16.6MB
MD5

1d9ff0bd9ea42831f3bf1fdb7d0da614
SHA1

08a966dcfd2f72394a8cb9e65c46d67a2cfbb7c6
SHA256

8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8
SHA512

a7419987678ac7e9ab850fbc6b680b70f80903cce597ef2ef03be2b62d0d633b118655fc72b26d6bf404f798de55f463b2c6760c9e4cb147cd16a48332913705
SSDEEP

393216:8nKVnXcAt/cWmKtNz99Sghe0S+zAQIkCZKNHfFEuOyjqG:wiXcAtkkNzneuIHZaHfFayj7

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1388 created 1396	1388	s-etup.exe	20

Executes dropped EXE 5 IoCs

pid	Process
2612	7z.exe
2620	s-etup.exe
2856	data-retriever-x64.exe
620	data-retriever-x64.tmp
1388	s-etup.exe

Loads dropped DLL 10 IoCs

pid	Process
2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
2752	Process not Found
2612	7z.exe
2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
2620	s-etup.exe
2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
2856	data-retriever-x64.exe
2620	s-etup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a46f-40.dat	upx
behavioral1/memory/2128-42-0x00000000089B0000-0x0000000009337000-memory.dmp	upx
behavioral1/memory/2620-45-0x0000000001290000-0x0000000001C17000-memory.dmp	upx
behavioral1/memory/2620-71-0x0000000001290000-0x0000000001C17000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-retriever-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-retriever-x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1388	s-etup.exe
1388	s-etup.exe
1372	dialer.exe
1372	dialer.exe
1372	dialer.exe
1372	dialer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2612	7z.exe
Token: 35	2612	7z.exe
Token: SeSecurityPrivilege	2612	7z.exe
Token: SeSecurityPrivilege	2612	7z.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2612	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	30
PID 2128 wrote to memory of 2612	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	30
PID 2128 wrote to memory of 2612	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	30
PID 2128 wrote to memory of 2612	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	30
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2620	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	32
PID 2128 wrote to memory of 2856	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	33
PID 2128 wrote to memory of 2856	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	33
PID 2128 wrote to memory of 2856	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	33
PID 2128 wrote to memory of 2856	2128	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	33
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2856 wrote to memory of 620	2856	data-retriever-x64.exe	34
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 2620 wrote to memory of 1388	2620	s-etup.exe	35
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36
PID 1388 wrote to memory of 1372	1388	s-etup.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
  "C:\Users\Admin\AppData\Local\Temp\8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
    C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
      "C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1388
- - C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe
    "C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\is-A95B9.tmp\data-retriever-x64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A95B9.tmp\data-retriever-x64.tmp" /SL5="$501DE,16656910,560128,C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:620
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Users\Admin\AppData\Local\Temp\files925.zip

Filesize
9.9MB

MD5
ea79b672e19fb5eecf77291b0a3014fe

SHA1
5e90a7e7e7d53c408352390cef6870ddfdd2acae

SHA256
9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9

SHA512
c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A95B9.tmp\data-retriever-x64.tmp

Filesize
1.9MB

MD5
35bc4141dcc816bbf5afb1bfe5d1fc71

SHA1
9d39c51e339f0945abb0a8fe24da51afc3681462

SHA256
7fc827dbf49b2933d6e7b7b174d9d19c4d83beadc1c023a734c1b73f3d447f71

SHA512
6b490cf14f535aab676cd7400a1d720558afbff54683f5b4ed5ba3d9f90991e10eeff98fcb2a0f25d6d8c71ba7fcda8bb16340e29553defa468dd2f08fdce8e7

Download Submit
\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe

Filesize
16.6MB

MD5
947889c3e22ae1445273ac279cb9c674

SHA1
6d27a9191bce6991e2c86639d5546d4104266d15

SHA256
b9912d4ea1a7aa51c8207a90a87560e3516aa50f7e8c4d95fffe2cd60a32c89d

SHA512
a8de10a05f75621450c5fb522963edf561311af42629706d0a9f59760b11c9ee91741ce6dc440f8b2263cae870d30a4a750ad84a9e3f0f30c71d8d157c49163d

Download Submit
\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
549KB

MD5
0b24892597dcb0257cdb78b5ed165218

SHA1
5fe5d446406ff1e34d2fe3ee347769941636e323

SHA256
707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71

SHA512
24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f

Download Submit
\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe

Filesize
2.7MB

MD5
a0fab21c52fb92a79bc492d2eb91d1d6

SHA1
03d14da347c554669916d60e24bee1b540c2822e

SHA256
e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

SHA512
e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7F8D.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7F8D.tmp\nsExec.dll

Filesize
7KB

MD5
2746f5b49ef1a2d17a1d4a290dc45615

SHA1
26e98eea903b5f34812885ec289e82bcdaeaac07

SHA256
24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd

SHA512
2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3

Download Submit
memory/620-109-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-103-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-121-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-123-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-117-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-115-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-113-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-111-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-101-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-107-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-78-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-119-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/620-105-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1372-99-0x0000000076220000-0x0000000076267000-memory.dmp

Filesize
284KB

Download
memory/1372-94-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1372-96-0x0000000001F50000-0x0000000002350000-memory.dmp

Filesize
4.0MB

Download
memory/1372-97-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1388-87-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/1388-82-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/1388-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1388-79-0x0000000000230000-0x00000000002AE000-memory.dmp

Filesize
504KB

Download
memory/1388-89-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1388-90-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1388-91-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1388-93-0x0000000076220000-0x0000000076267000-memory.dmp

Filesize
284KB

Download
memory/2128-69-0x00000000089B0000-0x0000000009337000-memory.dmp

Filesize
9.5MB

Download
memory/2128-42-0x00000000089B0000-0x0000000009337000-memory.dmp

Filesize
9.5MB

Download
memory/2620-83-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-84-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-88-0x0000000003020000-0x00000000039A7000-memory.dmp

Filesize
9.5MB

Download
memory/2620-75-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-76-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-74-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-73-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/2620-71-0x0000000001290000-0x0000000001C17000-memory.dmp

Filesize
9.5MB

Download
memory/2620-45-0x0000000001290000-0x0000000001C17000-memory.dmp

Filesize
9.5MB

Download
memory/2856-72-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2856-52-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download