rhadamanthys | f2d043e2159f6d68cbbc22adf3d5aa871fbfcefc571b57565616c981096a2d9e

General

Target

Sunlogin_output.exe
Size

63.6MB
MD5

af61e50d2c391aefd54d6fef36be542d
SHA1

0bd5a47894cf6436e541644ea957d2da6544b78a
SHA256

46379d431e8e4bb7104555ece6dd254b34ad461cca1793d0f7dcd3f7b70de7bf
SHA512

46ce0fd1f135ec19359d5cdb59c3f67dc31104f92d2a97b81a47b3ddd45311564dba49adcf6ea90eec168bca6b68c27b7da67ead648162d5f630332819cc7209
SSDEEP

786432:llOLwxvg0im7xP8tNA7RJlzOob13dT3mBspsQzS/bhu5UI798wJMwmnX0HGR5z:llOLio0r71qAvUob135mzQzpUu/rmZF

Score

10^/10

rhadamanthys discovery stealer upx

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SunAnquan.exe

description pid process target process

PID 4840 created 2596 4840 SunAnquan.exe sihost.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4840 created 2596	4840	SunAnquan.exe	sihost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sunlogin_output.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Sunlogin_output.exe

Executes dropped EXE 5 IoCs

Processes:

SunloginClient.exeSunAnquan.exeSunAnquan.exeSunloginClient.exeSunAnquan.exe

pid process

1148 SunloginClient.exe
1052 SunAnquan.exe
4840 SunAnquan.exe
1792 SunloginClient.exe
3080 SunAnquan.exe

pid	process
1148	SunloginClient.exe
1052	SunAnquan.exe
4840	SunAnquan.exe
1792	SunloginClient.exe
3080	SunAnquan.exe

Loads dropped DLL 14 IoCs

Processes:

Sunlogin_output.exeSunAnquan.exeSunAnquan.exeSunAnquan.exe

pid	process
2660	Sunlogin_output.exe
2660	Sunlogin_output.exe
2660	Sunlogin_output.exe
2660	Sunlogin_output.exe
2660	Sunlogin_output.exe
4840	SunAnquan.exe
1052	SunAnquan.exe
4840	SunAnquan.exe
4840	SunAnquan.exe
1052	SunAnquan.exe
1052	SunAnquan.exe
3080	SunAnquan.exe
3080	SunAnquan.exe
3080	SunAnquan.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1148-78-0x0000000000D90000-0x00000000070E2000-memory.dmp	upx
behavioral4/memory/1148-73-0x0000000000D90000-0x00000000070E2000-memory.dmp	upx
behavioral4/memory/1792-87-0x0000000000D90000-0x00000000070E2000-memory.dmp	upx
behavioral4/memory/1792-92-0x0000000000D90000-0x00000000070E2000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

Processes:

Sunlogin_output.exe

description	ioc	process
File created	C:\Program Files (x86)\Sunlogin\SunloginClient.exe	Sunlogin_output.exe
File created	C:\Program Files (x86)\Sunlogin\lua5.1.dll	Sunlogin_output.exe
File created	C:\Program Files (x86)\Sunlogin\SunAnquan.exe	Sunlogin_output.exe
File created	C:\Program Files (x86)\Sunlogin\alien\core.dll	Sunlogin_output.exe
File created	C:\Program Files (x86)\Sunlogin\config.ini	Sunlogin_output.exe
File created	C:\Program Files (x86)\Sunlogin\sun_config.ini	Sunlogin_output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Sunlogin_output.exeSunloginClient.exeSunAnquan.exeSunAnquan.exeopenwith.exeSunloginClient.exeSunAnquan.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sunlogin_output.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SunloginClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SunAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SunAnquan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SunloginClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SunAnquan.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SunAnquan.exeopenwith.exe

pid process

4840 SunAnquan.exe
4840 SunAnquan.exe
4376 openwith.exe
4376 openwith.exe
4376 openwith.exe
4376 openwith.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SunAnquan.exeSunAnquan.exe

description pid process

Token: SeDebugPrivilege 1052 SunAnquan.exe
Token: SeDebugPrivilege 3080 SunAnquan.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SunloginClient.exe

pid process

1792 SunloginClient.exe

pid	process
4840	SunAnquan.exe
4840	SunAnquan.exe
4376	openwith.exe
4376	openwith.exe
4376	openwith.exe
4376	openwith.exe

description	pid	process
Token: SeDebugPrivilege	1052	SunAnquan.exe
Token: SeDebugPrivilege	3080	SunAnquan.exe

pid	process
1792	SunloginClient.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Sunlogin_output.exeSunAnquan.exeSunloginClient.exe

description	pid	process	target process
PID 2660 wrote to memory of 1148	2660	Sunlogin_output.exe	SunloginClient.exe
PID 2660 wrote to memory of 1148	2660	Sunlogin_output.exe	SunloginClient.exe
PID 2660 wrote to memory of 1148	2660	Sunlogin_output.exe	SunloginClient.exe
PID 2660 wrote to memory of 1052	2660	Sunlogin_output.exe	SunAnquan.exe
PID 2660 wrote to memory of 1052	2660	Sunlogin_output.exe	SunAnquan.exe
PID 2660 wrote to memory of 1052	2660	Sunlogin_output.exe	SunAnquan.exe
PID 2660 wrote to memory of 4840	2660	Sunlogin_output.exe	SunAnquan.exe
PID 2660 wrote to memory of 4840	2660	Sunlogin_output.exe	SunAnquan.exe
PID 2660 wrote to memory of 4840	2660	Sunlogin_output.exe	SunAnquan.exe
PID 4840 wrote to memory of 4376	4840	SunAnquan.exe	openwith.exe
PID 4840 wrote to memory of 4376	4840	SunAnquan.exe	openwith.exe
PID 4840 wrote to memory of 4376	4840	SunAnquan.exe	openwith.exe
PID 4840 wrote to memory of 4376	4840	SunAnquan.exe	openwith.exe
PID 4840 wrote to memory of 4376	4840	SunAnquan.exe	openwith.exe
PID 1148 wrote to memory of 1792	1148	SunloginClient.exe	SunloginClient.exe
PID 1148 wrote to memory of 1792	1148	SunloginClient.exe	SunloginClient.exe
PID 1148 wrote to memory of 1792	1148	SunloginClient.exe	SunloginClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2596
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4376

C:\Users\Admin\AppData\Local\Temp\Sunlogin_output.exe
"C:\Users\Admin\AppData\Local\Temp\Sunlogin_output.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files (x86)\Sunlogin\SunloginClient.exe
  "C:\Program Files (x86)\Sunlogin\SunloginClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Program Files (x86)\Sunlogin\SunloginClient.exe
    "C:\Program Files (x86)\Sunlogin\SunloginClient.exe" --mod=install --admin=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1792
- C:\Program Files (x86)\Sunlogin\SunAnquan.exe
  "C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\config.ini"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Program Files (x86)\Sunlogin\SunAnquan.exe
  "C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\sun_config.ini"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4840

C:\Program Files (x86)\Sunlogin\SunAnquan.exe
"C:\Program Files (x86)\Sunlogin\SunAnquan.exe" "C:\Program Files (x86)\Sunlogin\config.ini"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sunlogin\SunAnquan.exe

Filesize
14KB

MD5
426dfd5ece3b41970773031637cd5539

SHA1
d0fe14f8dab89aaddac8b1c89b1cee48396ec636

SHA256
737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8

SHA512
5c66ea3360115d6dcc71f6d624a886f3c992c5d30338880b0ba48db77dd7fa744b60a3d65fed63427ebb3a8bcf9b204e9ba1521d8c9f0e804ce0db76befa8935

Download Submit
C:\Program Files (x86)\Sunlogin\alien\core.dll

Filesize
25KB

MD5
24b6950afd8663a46246044e6b09add8

SHA1
6444dab57d93ce987c22da66b3706d5d7fc226da

SHA256
9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071

SHA512
e1967e7e8c3d64b61451254da281415edf9946a6c8a46006f39ae091609c65666c376934b1bdcbd2a7f73adea7aa68e557694f804bf3bc3ce7854fa527e91740

Download Submit
C:\Program Files (x86)\Sunlogin\config.ini

Filesize
910KB

MD5
93c7ca328e30b4142f1d7202f864eba7

SHA1
53dac1968204812a95dedea4b923ed3d1e18b5c1

SHA256
01a668544e0bf9ff0ee12f4c090738a8b460c0d183fb4da0169b93d5c02efa7b

SHA512
9c68adcb1736d4c4606dbe512df78cca08ba262024d104edb17ceba7014d21eb26747942f4b92c6b87bec537d781c0c00031b581010b67d5f21a4f34b7581441

Download Submit
C:\Program Files (x86)\Sunlogin\lua5.1.dll

Filesize
164KB

MD5
24a0d2ef5b931a2a13341a2503b1de80

SHA1
6201347d1ded92d365126a1225768e11c33ee818

SHA256
fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f

SHA512
5e06f88bb3920cef40a4941efb3b4d3012edf868cc3042f9dbc1989c76b410b4e2da12c20ae2fbcffe5525b43aeca8875e51167d0ce041864d546fdb2e1fecd2

Download Submit
C:\Program Files (x86)\Sunlogin\sun_config.ini

Filesize
636KB

MD5
fb5c9d4258a310e13712a1a4ec63a5b3

SHA1
4c8db46c25b6ef9071dff884bf2a08e17ea4e384

SHA256
d0c667d6b7ed468f409079dff0ba8d8db8b20df71b1cb52c92a400dba8aa8bfe

SHA512
ad24ee048599f3f32876290e1d010be2d45bd1bea4a4bf2e52f74d01481fdd16bab8dda9eeccc965ac1be8337792778556022b6c530fac4cbff79bd87897fd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SunAnquan.exe.log

Filesize
521B

MD5
82fd1c0a56b8af6ad97d973328281509

SHA1
5b4d01cb01d2e5e62dd3026de96dcf37f5713b89

SHA256
a57a4a3a9e484a52872a0c105ac939bf91e97033f4e40c21e5fd03f0bf8bc548

SHA512
3ced1456093d84e9617e630d06128da646b41720e873822c37cb40b4698919c4c543250ab9f191d73d6aac1109206655faa179dd781a578e1f778fe92b9a4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
280B

MD5
8394de2d276795e5602db0a28da1fa19

SHA1
cb6ffc6e9ee2bae3f8f10cd36032a3d0eb823ef4

SHA256
0fc2261bdb1256e74ff8ca4aa1d413ce584c325fc1e47ccccb3e40876b97a9a1

SHA512
9baca0f3d91b261e8d52498f8bae2eae0164fa7d130e287add3ea31ad4666c79dd6bbd35eb147641ebad909cd1993840c0c405821d0ea34033a33ab7431c91b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrC9F8.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/1052-64-0x0000000004A10000-0x0000000004A78000-memory.dmp

Filesize
416KB

Download
memory/1052-74-0x0000000005060000-0x0000000005067000-memory.dmp

Filesize
28KB

Download
memory/1052-68-0x0000000004A80000-0x0000000004AA2000-memory.dmp

Filesize
136KB

Download
memory/1148-78-0x0000000000D90000-0x00000000070E2000-memory.dmp

Filesize
99.3MB

Download
memory/1148-73-0x0000000000D90000-0x00000000070E2000-memory.dmp

Filesize
99.3MB

Download
memory/1148-88-0x0000000000D90000-0x00000000070E2000-memory.dmp

Filesize
99.3MB

Download
memory/1792-92-0x0000000000D90000-0x00000000070E2000-memory.dmp

Filesize
99.3MB

Download
memory/1792-87-0x0000000000D90000-0x00000000070E2000-memory.dmp

Filesize
99.3MB

Download
memory/4376-69-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4376-62-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/4376-71-0x0000000076730000-0x0000000076945000-memory.dmp

Filesize
2.1MB

Download
memory/4376-65-0x00000000029D0000-0x0000000002DD0000-memory.dmp

Filesize
4.0MB

Download
memory/4840-61-0x0000000076730000-0x0000000076945000-memory.dmp

Filesize
2.1MB

Download
memory/4840-55-0x0000000002130000-0x0000000002530000-memory.dmp

Filesize
4.0MB

Download
memory/4840-58-0x0000000002130000-0x0000000002530000-memory.dmp

Filesize
4.0MB

Download
memory/4840-54-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4840-59-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads