rhadamanthys | a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014

General

Target

RG Launcher.exe
Size

175.7MB
MD5

cb3ce412a9c4cb7f0cf20344fdb2f46e
SHA1

bed9b9bedfe2f7d328b66fd9c5914ad8fa0f69a2
SHA256

a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014
SHA512

5b92e1c448ab2f6b46c04d496207bbc843cb223db341ca493469907dc96206e02e9db95356fac6d75833c018d876417481c429b2def5dc9be54eec9cce288c26
SSDEEP

786432:0C6zTLvV+8ym5CqWpQshx4i9vnrX5hf9RMFJKaRODgJZhybxJXZdZdDIll3S+GE3:0fTB/P4Dzr9v/1iFIRDgtmxJp1O3h

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://147.45.70.184:1525/f6e80fbec866c8b43/AVS

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

1.exe2.exe

description pid process target process

PID 632 created 3080 632 1.exe sihost.exe
PID 2920 created 3080 2920 2.exe sihost.exe
Downloads MZ/PE file

description	pid	process	target process
PID 632 created 3080	632	1.exe	sihost.exe
PID 2920 created 3080	2920	2.exe	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RG Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	RG Launcher.exe

Executes dropped EXE 2 IoCs

Processes:

1.exe2.exe

pid process

632 1.exe
2920 2.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 myexternalip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1060 632 WerFault.exe 1.exe
2808 632 WerFault.exe 1.exe
3852 2920 WerFault.exe 2.exe
5052 2920 WerFault.exe 2.exe

flow	ioc
38	myexternalip.com

pid	pid_target	process	target process
1060	632	WerFault.exe	1.exe
2808	632	WerFault.exe	1.exe
3852	2920	WerFault.exe	2.exe
5052	2920	WerFault.exe	2.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

openwith.exe1.exe2.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

RG Launcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RG Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RG Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RG Launcher.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

1.exeopenwith.exe2.exeopenwith.exe

pid	process
632	1.exe
632	1.exe
5064	openwith.exe
5064	openwith.exe
5064	openwith.exe
5064	openwith.exe
2920	2.exe
2920	2.exe
464	openwith.exe
464	openwith.exe
464	openwith.exe
464	openwith.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

RG Launcher.exe1.exe2.exe

description	pid	process	target process
PID 1192 wrote to memory of 632	1192	RG Launcher.exe	1.exe
PID 1192 wrote to memory of 632	1192	RG Launcher.exe	1.exe
PID 1192 wrote to memory of 632	1192	RG Launcher.exe	1.exe
PID 1192 wrote to memory of 2920	1192	RG Launcher.exe	2.exe
PID 1192 wrote to memory of 2920	1192	RG Launcher.exe	2.exe
PID 1192 wrote to memory of 2920	1192	RG Launcher.exe	2.exe
PID 632 wrote to memory of 5064	632	1.exe	openwith.exe
PID 632 wrote to memory of 5064	632	1.exe	openwith.exe
PID 632 wrote to memory of 5064	632	1.exe	openwith.exe
PID 632 wrote to memory of 5064	632	1.exe	openwith.exe
PID 632 wrote to memory of 5064	632	1.exe	openwith.exe
PID 2920 wrote to memory of 464	2920	2.exe	openwith.exe
PID 2920 wrote to memory of 464	2920	2.exe	openwith.exe
PID 2920 wrote to memory of 464	2920	2.exe	openwith.exe
PID 2920 wrote to memory of 464	2920	2.exe	openwith.exe
PID 2920 wrote to memory of 464	2920	2.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3080
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:464

C:\Users\Admin\AppData\Local\Temp\RG Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RG Launcher.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\DownloadedExes\1.exe
  "C:\Users\Admin\AppData\Local\DownloadedExes\1.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 532
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 568
    3⤵
    - Program crash
    PID:2808
- C:\Users\Admin\AppData\Local\DownloadedExes\2.exe
  "C:\Users\Admin\AppData\Local\DownloadedExes\2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 544
    3⤵
    - Program crash
    PID:3852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 540
    3⤵
    - Program crash
    PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 632 -ip 632
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 632 -ip 632
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2920 -ip 2920
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2920 -ip 2920
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DownloadedExes\1.exe

Filesize
16.6MB

MD5
b4e80b2b2278c16fc0d9d96509273b38

SHA1
3a690dba90353088dbb5da1897b09bdb55a934d6

SHA256
afa73902cb62bd3fc39c67ff494172148144f2bc194a31250390d8b6f94f3473

SHA512
830d858cade6a20021c3bf4addca71ca01638107ced1d51278a515745862274c6ca96c23104dba645c0c513060c06474e2fa878c0820bddda2a37f4f3181cc48

Download Submit
C:\Users\Admin\AppData\Local\DownloadedExes\2.exe

Filesize
16.5MB

MD5
0c6b1946ae82e2cb099f3f24ec6082ed

SHA1
1bff64d5b7657b6b77daef3037215043d48aaad5

SHA256
2f2309857af8f8fdb34f7e077c8059ae3e734f1f2685736f69771cf9497cf4c2

SHA512
6dccfba891128d5c85d7b120863fad2954d99abcf826c2a786d24450d47db0f0e094761b58c7d83dd5292a73b6c964ddb0086a412ff13b518628d6df8282b99d

Download Submit
memory/464-56-0x00000000764D0000-0x000000007670A000-memory.dmp

Filesize
2.2MB

Download
memory/464-53-0x00000000024A0000-0x00000000028A0000-memory.dmp

Filesize
4.0MB

Download
memory/464-54-0x00007FF9F9450000-0x00007FF9F9648000-memory.dmp

Filesize
2.0MB

Download
memory/632-32-0x0000000003BB0000-0x0000000003FB0000-memory.dmp

Filesize
4.0MB

Download
memory/632-35-0x0000000003BB0000-0x0000000003FB0000-memory.dmp

Filesize
4.0MB

Download
memory/632-36-0x00007FF9F9450000-0x00007FF9F9648000-memory.dmp

Filesize
2.0MB

Download
memory/632-38-0x00000000764D0000-0x000000007670A000-memory.dmp

Filesize
2.2MB

Download
memory/632-34-0x0000000003BB0000-0x0000000003FB0000-memory.dmp

Filesize
4.0MB

Download
memory/632-33-0x0000000003BB0000-0x0000000003FB0000-memory.dmp

Filesize
4.0MB

Download
memory/632-45-0x0000000003BB0000-0x0000000003FB0000-memory.dmp

Filesize
4.0MB

Download
memory/632-31-0x00000000010B0000-0x000000000112E000-memory.dmp

Filesize
504KB

Download
memory/2920-50-0x00000000764D0000-0x000000007670A000-memory.dmp

Filesize
2.2MB

Download
memory/2920-47-0x0000000003D30000-0x0000000004130000-memory.dmp

Filesize
4.0MB

Download
memory/2920-48-0x00007FF9F9450000-0x00007FF9F9648000-memory.dmp

Filesize
2.0MB

Download
memory/5064-42-0x00007FF9F9450000-0x00007FF9F9648000-memory.dmp

Filesize
2.0MB

Download
memory/5064-44-0x00000000764D0000-0x000000007670A000-memory.dmp

Filesize
2.2MB

Download
memory/5064-41-0x0000000002EE0000-0x00000000032E0000-memory.dmp

Filesize
4.0MB

Download
memory/5064-39-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads