rhadamanthys | 1390254e815bcf8b165746e61b75c33a67be98a927def1c0dcd9af10da66d9fc

General

Target

s-etup.exe
Size

678KB
MD5

fd57b4457b9c453bf563559c53b9071b
SHA1

08eb3a76af5c337b73f50efe5a27c43b68edce88
SHA256

995bf2a06730050f99f6e5ff53d641e1e98f022e7d7c376d91d65959aa79a70e
SHA512

ba9518440625fef53101440c976951b5c8e2b07f946a975da77b8a7ab2cbfc795cd20a264f61ff1fc4a7c0b77ea9b75ed8a9c9e69b9d22ae65d10163a510c5a7
SSDEEP

12288:PoZ5cyP2UluWW7hvraWyE/7bQGLnkQzeD6lHCMfm7HUb3s9a40:PoHhP2YW7hzak7bQ8HCM+4QI40

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

s-etup.exe

description pid process target process

PID 2056 created 2504 2056 s-etup.exe sihost.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4436 2056 WerFault.exe s-etup.exe
3708 2056 WerFault.exe s-etup.exe

description	pid	process	target process
PID 2056 created 2504	2056	s-etup.exe	sihost.exe

pid	pid_target	process	target process
4436	2056	WerFault.exe	s-etup.exe
3708	2056	WerFault.exe	s-etup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

s-etup.exes-etup.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s-etup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

s-etup.exeopenwith.exe

pid process

2056 s-etup.exe
2056 s-etup.exe
3600 openwith.exe
3600 openwith.exe
3600 openwith.exe
3600 openwith.exe

pid	process
2056	s-etup.exe
2056	s-etup.exe
3600	openwith.exe
3600	openwith.exe
3600	openwith.exe
3600	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

s-etup.exes-etup.exe

description	pid	process	target process
PID 2352 wrote to memory of 2056	2352	s-etup.exe	s-etup.exe
PID 2352 wrote to memory of 2056	2352	s-etup.exe	s-etup.exe
PID 2352 wrote to memory of 2056	2352	s-etup.exe	s-etup.exe
PID 2352 wrote to memory of 2056	2352	s-etup.exe	s-etup.exe
PID 2352 wrote to memory of 2056	2352	s-etup.exe	s-etup.exe
PID 2056 wrote to memory of 3600	2056	s-etup.exe	openwith.exe
PID 2056 wrote to memory of 3600	2056	s-etup.exe	openwith.exe
PID 2056 wrote to memory of 3600	2056	s-etup.exe	openwith.exe
PID 2056 wrote to memory of 3600	2056	s-etup.exe	openwith.exe
PID 2056 wrote to memory of 3600	2056	s-etup.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2504
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

C:\Users\Admin\AppData\Local\Temp\s-etup.exe
"C:\Users\Admin\AppData\Local\Temp\s-etup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\s-etup.exe
  "C:\Users\Admin\AppData\Local\Temp\s-etup.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 432
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 448
    3⤵
    - Program crash
    PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2056 -ip 2056
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2056 -ip 2056
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-18-0x0000000000500000-0x000000000057E000-memory.dmp

Filesize
504KB

Download
memory/2056-35-0x0000000003470000-0x0000000003870000-memory.dmp

Filesize
4.0MB

Download
memory/2056-25-0x00000000768C0000-0x0000000076AD5000-memory.dmp

Filesize
2.1MB

Download
memory/2056-23-0x0000000003470000-0x0000000003870000-memory.dmp

Filesize
4.0MB

Download
memory/2056-22-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/2056-19-0x0000000003470000-0x0000000003870000-memory.dmp

Filesize
4.0MB

Download
memory/2056-7-0x0000000000500000-0x000000000057E000-memory.dmp

Filesize
504KB

Download
memory/2056-20-0x0000000003470000-0x0000000003870000-memory.dmp

Filesize
4.0MB

Download
memory/2056-21-0x0000000003470000-0x0000000003870000-memory.dmp

Filesize
4.0MB

Download
memory/2056-16-0x0000000000500000-0x000000000057E000-memory.dmp

Filesize
504KB

Download
memory/2056-17-0x0000000000500000-0x000000000057E000-memory.dmp

Filesize
504KB

Download
memory/2352-8-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-12-0x000000001F9F5000-0x000000001F9FC000-memory.dmp

Filesize
28KB

Download
memory/2352-15-0x000000001FA36000-0x000000001FA4E000-memory.dmp

Filesize
96KB

Download
memory/2352-13-0x000000001FA33000-0x000000001FA4E000-memory.dmp

Filesize
108KB

Download
memory/2352-3-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-4-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-6-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-1-0x000000001F8AD000-0x000000001F8CC000-memory.dmp

Filesize
124KB

Download
memory/2352-11-0x000000001F8AD000-0x000000001F8CC000-memory.dmp

Filesize
124KB

Download
memory/2352-14-0x000000001FA06000-0x000000001FA32000-memory.dmp

Filesize
176KB

Download
memory/2352-10-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-5-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/2352-0-0x000000001F870000-0x000000001FA4E000-memory.dmp

Filesize
1.9MB

Download
memory/3600-29-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/3600-28-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/3600-30-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-33-0x00000000768C0000-0x0000000076AD5000-memory.dmp

Filesize
2.1MB

Download
memory/3600-31-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/3600-34-0x00000000025D0000-0x00000000029D0000-memory.dmp

Filesize
4.0MB

Download
memory/3600-26-0x0000000000A70000-0x0000000000A79000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing