rhadamanthys | e18b6d133656117a09751990c173b1a19136568d455b5b0c10b5e3e91151915b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nedfe.rar
Size

2.2MB
MD5

accc94d0684fbb9e043d2863696b5ae0
SHA1

03a71e4036d8950907fd405381d5bcfea0c2c684
SHA256

e18b6d133656117a09751990c173b1a19136568d455b5b0c10b5e3e91151915b
SHA512

6c933dda5bdcd3ac0ba098198062b3f4a3d599a3104dc98a4bd66358a515c9d98cd79627d083aaf18c203b1b1708fd38ad11205fa7b2597a11f36e03029c4b2a
SSDEEP

49152:uR7m07hzxQzTzgzLIgEEXKRGyLYvrv5xofaG/ZH1DejeD8mJ3mXQJmBo0:o0ALIgExRGzrv5WZVDejq2A6

Score

10^/10

rhadamanthys defense_evasion discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral1/memory/2676-22-0x0000000001FC0000-0x00000000023C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2676-23-0x0000000001FC0000-0x00000000023C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2868-58-0x0000000001D40000-0x0000000002140000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Executes dropped EXE 6 IoCs

pid	Process
2776	Anubis.exe
2308	Launcher.exe
2676	WindowsHost.exe
2852	Anubis.exe
3004	Launcher.exe
2868	WindowsHost.exe

Loads dropped DLL 16 IoCs

pid	Process
2776	Anubis.exe
2776	Anubis.exe
2776	Anubis.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2852	Anubis.exe
2852	Anubis.exe
2852	Anubis.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anubis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anubis.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2860	powershell.exe
2676	WindowsHost.exe
2676	WindowsHost.exe
3008	powershell.exe
2868	WindowsHost.exe
2868	WindowsHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2524	7zFM.exe
Token: 35	2524	7zFM.exe
Token: SeSecurityPrivilege	2524	7zFM.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeShutdownPrivilege	2676	WindowsHost.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2524	7zFM.exe
2524	7zFM.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2860	2776	Anubis.exe	32
PID 2776 wrote to memory of 2860	2776	Anubis.exe	32
PID 2776 wrote to memory of 2860	2776	Anubis.exe	32
PID 2776 wrote to memory of 2860	2776	Anubis.exe	32
PID 2776 wrote to memory of 2308	2776	Anubis.exe	34
PID 2776 wrote to memory of 2308	2776	Anubis.exe	34
PID 2776 wrote to memory of 2308	2776	Anubis.exe	34
PID 2776 wrote to memory of 2308	2776	Anubis.exe	34
PID 2776 wrote to memory of 2676	2776	Anubis.exe	36
PID 2776 wrote to memory of 2676	2776	Anubis.exe	36
PID 2776 wrote to memory of 2676	2776	Anubis.exe	36
PID 2776 wrote to memory of 2676	2776	Anubis.exe	36
PID 2308 wrote to memory of 2932	2308	Launcher.exe	37
PID 2308 wrote to memory of 2932	2308	Launcher.exe	37
PID 2308 wrote to memory of 2932	2308	Launcher.exe	37
PID 2852 wrote to memory of 3008	2852	Anubis.exe	41
PID 2852 wrote to memory of 3008	2852	Anubis.exe	41
PID 2852 wrote to memory of 3008	2852	Anubis.exe	41
PID 2852 wrote to memory of 3008	2852	Anubis.exe	41
PID 2852 wrote to memory of 3004	2852	Anubis.exe	43
PID 2852 wrote to memory of 3004	2852	Anubis.exe	43
PID 2852 wrote to memory of 3004	2852	Anubis.exe	43
PID 2852 wrote to memory of 3004	2852	Anubis.exe	43
PID 2852 wrote to memory of 2868	2852	Anubis.exe	45
PID 2852 wrote to memory of 2868	2852	Anubis.exe	45
PID 2852 wrote to memory of 2868	2852	Anubis.exe	45
PID 2852 wrote to memory of 2868	2852	Anubis.exe	45
PID 3004 wrote to memory of 2040	3004	Launcher.exe	46
PID 3004 wrote to memory of 2040	3004	Launcher.exe	46
PID 3004 wrote to memory of 2040	3004	Launcher.exe	46

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nedfe.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2524

C:\Users\Admin\Desktop\Anubis.exe
"C:\Users\Admin\Desktop\Anubis.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2932
- C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

C:\Users\Admin\Desktop\Anubis.exe
"C:\Users\Admin\Desktop\Anubis.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAegBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAcABnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdgBuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
748KB

MD5
a8db312e9364d1d82600bf5a398212fe

SHA1
3bbacada2b463bb9f62ed7ae34a8e8440bc91dcb

SHA256
84e01afa9f1f134caa4e49456f4a1700e17bae4cbd962c1dfdf6cdfd61b3a3cb

SHA512
a7994ab1901aa1fc6ee89a302a92c9ec7fc3febc348a21e0445d4e17bb2c736ef563543dde94a01fe5d81094e792b354db1d02f8069992b36791fdbb0f8a5782

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsHost.exe

Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8923196efb4272ca86b2611201f569d5

SHA1
fe02add6d26298089bf3331aab2b0606e4014712

SHA256
8aa710d9d5a3fb9da32076acdf8dcf36408c6a758e0fb7240795eb79c5dbf7c2

SHA512
76d9cba988196c89368dd142bca9bf9e57d8ad1e24fb5595c56fc61093999348902c1cfe08582b976c96f494ca8724855cda8e63a2e73b3b277955f18dd80fbc

Download Submit
C:\Users\Admin\Desktop\Anubis.exe

Filesize
1.2MB

MD5
c2adb7ff42f1c961035f17bad5bee12d

SHA1
e2ae36539f9ff88e8a89d750e99d15ea6e84f0dc

SHA256
4b350ae0b85aa7f7818e37e3f02397cd3667af8d62eb3132fb3297bd96a0abe2

SHA512
16413f90689cfa3fc509637bea54634ead1bba7f89d621bbc8096279f2413cd3477142a63becfa457e5756583c34049699ab1e960d1133dad2f72e3325ecb348

Download Submit
\Users\Admin\Desktop\spooferconfig.dll

Filesize
6.0MB

MD5
f553ad722875c02d5b45f5c975ceb771

SHA1
867f41aa5b67cf7e15e3efe6cb4360f8f415fa6e

SHA256
35f12093577d9c58fe7858ca26a935aaf409269057a9a8bdf975693d6dfe208a

SHA512
041924f9a64d626d1a3b7111de968f11cc08d384b9dcd47e832744bc195d71d6f58bf06cc9f14fcf31a2f1490230779d9a1afd70e8eb836424fd14d59e6f663b

Download Submit
memory/2676-21-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2676-22-0x0000000001FC0000-0x00000000023C0000-memory.dmp

Filesize
4.0MB

Download
memory/2676-23-0x0000000001FC0000-0x00000000023C0000-memory.dmp

Filesize
4.0MB

Download
memory/2868-58-0x0000000001D40000-0x0000000002140000-memory.dmp

Filesize
4.0MB

Download