rhadamanthys | 9ad0324340223dbe0dd10e61f2b497be6013b8840b5fda015e4c7296270d2122

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-12-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LockBitRW.rar
Size

2.6MB
MD5

cff570c34e99218bd2ae7454234082e3
SHA1

7037992c0d898866ee344eb0a8f36b99d3603ea2
SHA256

9ad0324340223dbe0dd10e61f2b497be6013b8840b5fda015e4c7296270d2122
SHA512

22d6ea113e56707450995c5025467def6a91e4efae5f9d1b719cbe5eb9c6d499d693a40e14f4f65a685c98edff45a50fb9b5f4e80c2238bf7fa53308e2226613
SSDEEP

49152:REmempzmEmeJS6+KWxxeEiqTwoGbC8aASHi8nNzFjVUWkEm3Q7iC3uEsTEmu:/eUUeINGokC8FH8NZjveg753Rslu

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/1480-99-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1480-100-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1480-101-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1480-102-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Executes dropped EXE 1 IoCs

pid	Process
1480	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	builder.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	builder.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	builder.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	builder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1480	builder.exe
1480	builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4672	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4672	7zFM.exe
Token: 35	4672	7zFM.exe
Token: SeSecurityPrivilege	4672	7zFM.exe
Token: SeShutdownPrivilege	1480	builder.exe
Token: SeCreatePagefilePrivilege	1480	builder.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4672	7zFM.exe
4672	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\LockBitRW.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Users\Admin\Desktop\kaka\builder.exe
"C:\Users\Admin\Desktop\kaka\builder.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE042F7047\Release\decryptor.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE042F7047\Release\decryptor.pdb

Filesize
1.1MB

MD5
d28f6d860cc7415c725caaca414a6a32

SHA1
3823cf5c63b6d1ba15a3ca2581e83d830e63074b

SHA256
6b8ef6acb7d99764102dd29c2fc5d6305d2b0106a1247020fe5178985a5499f9

SHA512
2a29d46bfcc52681527fb2833866db04e0ee48c7bd058ca948dfa202a821ffcc544ceab286a2fdb0132c01fadb79990a88d759a1ba04cbbfa6ac4b6d3c1445d6

Download Submit
memory/1480-98-0x0000000002300000-0x0000000002307000-memory.dmp

Filesize
28KB

Download
memory/1480-99-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1480-100-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1480-101-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1480-102-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download