rhadamanthys | 8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8

General

Target

8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
Size

16.6MB
MD5

1d9ff0bd9ea42831f3bf1fdb7d0da614
SHA1

08a966dcfd2f72394a8cb9e65c46d67a2cfbb7c6
SHA256

8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8
SHA512

a7419987678ac7e9ab850fbc6b680b70f80903cce597ef2ef03be2b62d0d633b118655fc72b26d6bf404f798de55f463b2c6760c9e4cb147cd16a48332913705
SSDEEP

393216:8nKVnXcAt/cWmKtNz99Sghe0S+zAQIkCZKNHfFEuOyjqG:wiXcAtkkNzneuIHZaHfFayj7

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4888 created 2848	4888	s-etup.exe	49

Executes dropped EXE 5 IoCs

pid	Process
4992	7z.exe
5104	s-etup.exe
4892	data-retriever-x64.exe
4828	data-retriever-x64.tmp
4888	s-etup.exe

Loads dropped DLL 4 IoCs

pid	Process
3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
4992	7z.exe
5104	s-etup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca6-30.dat	upx
behavioral2/memory/5104-33-0x00000000004D0000-0x0000000000E57000-memory.dmp	upx
behavioral2/memory/5104-53-0x00000000004D0000-0x0000000000E57000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
680	4888	WerFault.exe	91
4104	4888	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-retriever-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-retriever-x64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4888	s-etup.exe
4888	s-etup.exe
3016	openwith.exe
3016	openwith.exe
3016	openwith.exe
3016	openwith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4992	7z.exe
Token: 35	4992	7z.exe
Token: SeSecurityPrivilege	4992	7z.exe
Token: SeSecurityPrivilege	4992	7z.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4992	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	86
PID 3292 wrote to memory of 4992	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	86
PID 3292 wrote to memory of 5104	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	88
PID 3292 wrote to memory of 5104	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	88
PID 3292 wrote to memory of 5104	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	88
PID 3292 wrote to memory of 4892	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	89
PID 3292 wrote to memory of 4892	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	89
PID 3292 wrote to memory of 4892	3292	8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe	89
PID 4892 wrote to memory of 4828	4892	data-retriever-x64.exe	90
PID 4892 wrote to memory of 4828	4892	data-retriever-x64.exe	90
PID 4892 wrote to memory of 4828	4892	data-retriever-x64.exe	90
PID 5104 wrote to memory of 4888	5104	s-etup.exe	91
PID 5104 wrote to memory of 4888	5104	s-etup.exe	91
PID 5104 wrote to memory of 4888	5104	s-etup.exe	91
PID 5104 wrote to memory of 4888	5104	s-etup.exe	91
PID 5104 wrote to memory of 4888	5104	s-etup.exe	91
PID 4888 wrote to memory of 3016	4888	s-etup.exe	92
PID 4888 wrote to memory of 3016	4888	s-etup.exe	92
PID 4888 wrote to memory of 3016	4888	s-etup.exe	92
PID 4888 wrote to memory of 3016	4888	s-etup.exe	92
PID 4888 wrote to memory of 3016	4888	s-etup.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016

C:\Users\Admin\AppData\Local\Temp\8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe
"C:\Users\Admin\AppData\Local\Temp\8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
    "C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 444
      4⤵
      Program crash
      PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 452
      4⤵
      Program crash
      PID:4104
- C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe
  "C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\is-O3L8K.tmp\data-retriever-x64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O3L8K.tmp\data-retriever-x64.tmp" /SL5="$701FE,16656910,560128,C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FoneLab Data Retriever\data-retriever-x64.exe

Filesize
16.6MB

MD5
947889c3e22ae1445273ac279cb9c674

SHA1
6d27a9191bce6991e2c86639d5546d4104266d15

SHA256
b9912d4ea1a7aa51c8207a90a87560e3516aa50f7e8c4d95fffe2cd60a32c89d

SHA512
a8de10a05f75621450c5fb522963edf561311af42629706d0a9f59760b11c9ee91741ce6dc440f8b2263cae870d30a4a750ad84a9e3f0f30c71d8d157c49163d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
549KB

MD5
0b24892597dcb0257cdb78b5ed165218

SHA1
5fe5d446406ff1e34d2fe3ee347769941636e323

SHA256
707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71

SHA512
24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe

Filesize
2.7MB

MD5
a0fab21c52fb92a79bc492d2eb91d1d6

SHA1
03d14da347c554669916d60e24bee1b540c2822e

SHA256
e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863

SHA512
e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\files925.zip

Filesize
9.9MB

MD5
ea79b672e19fb5eecf77291b0a3014fe

SHA1
5e90a7e7e7d53c408352390cef6870ddfdd2acae

SHA256
9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9

SHA512
c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3L8K.tmp\data-retriever-x64.tmp

Filesize
1.9MB

MD5
35bc4141dcc816bbf5afb1bfe5d1fc71

SHA1
9d39c51e339f0945abb0a8fe24da51afc3681462

SHA256
7fc827dbf49b2933d6e7b7b174d9d19c4d83beadc1c023a734c1b73f3d447f71

SHA512
6b490cf14f535aab676cd7400a1d720558afbff54683f5b4ed5ba3d9f90991e10eeff98fcb2a0f25d6d8c71ba7fcda8bb16340e29553defa468dd2f08fdce8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC489.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC489.tmp\nsExec.dll

Filesize
7KB

MD5
2746f5b49ef1a2d17a1d4a290dc45615

SHA1
26e98eea903b5f34812885ec289e82bcdaeaac07

SHA256
24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd

SHA512
2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3

Download Submit
memory/3016-74-0x0000000002420000-0x0000000002820000-memory.dmp

Filesize
4.0MB

Download
memory/3016-72-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/3016-75-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/3016-77-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/4828-55-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-93-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-91-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-89-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-87-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-85-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-83-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-81-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-95-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-79-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-97-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-99-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4828-101-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/4888-66-0x0000000001220000-0x000000000129E000-memory.dmp

Filesize
504KB

Download
memory/4888-69-0x00007FFF47630000-0x00007FFF47825000-memory.dmp

Filesize
2.0MB

Download
memory/4888-68-0x0000000004150000-0x0000000004550000-memory.dmp

Filesize
4.0MB

Download
memory/4888-67-0x0000000004150000-0x0000000004550000-memory.dmp

Filesize
4.0MB

Download
memory/4888-61-0x0000000001220000-0x000000000129E000-memory.dmp

Filesize
504KB

Download
memory/4888-71-0x0000000075D20000-0x0000000075F35000-memory.dmp

Filesize
2.1MB

Download
memory/4892-54-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4892-37-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/5104-63-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-57-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-59-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-58-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-56-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-53-0x00000000004D0000-0x0000000000E57000-memory.dmp

Filesize
9.5MB

Download
memory/5104-62-0x0000000065000000-0x00000000656EB000-memory.dmp

Filesize
6.9MB

Download
memory/5104-33-0x00000000004D0000-0x0000000000E57000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing