rhadamanthys | 3a3be4d63ea60273d2a4eda55d735e5f5066d564b9512ef0852e075e684bdd46

Analysis

max time kernel
136s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Faersafe.exe
Size

155.8MB
MD5

21b2dba93a27ee2755263187503d3a8e
SHA1

25b6fea260fbb28e053d0f5f7209a7f1aad18cb9
SHA256

ff4957a6001fffcb534dd97ec2ee8f869f6deaccb24263beaf953767c404c8ed
SHA512

f1d1df7896d5ebafdbd468b47463aca72eb3e3513245910f0d11bb9b1c2f059e071bab455e97fe8bc868adee66bb8bcea9edc5575e53846da0b6a3e31fa8b338
SSDEEP

1572864:sVU4t/Ct6JMgabao+nh+bw4FlWMZBZHuoM2t52kOUeEbaVO7GJbdHDexdypGT+LY:qYUJkH0sEQ

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral8/memory/4668-121-0x0000000002520000-0x0000000002597000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4668 created 2588	4668	atlantis4en.exe	44

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Faersafe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Faersafe.exe

Executes dropped EXE 1 IoCs

pid	Process
4668	atlantis4en.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atlantis4en.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4668	atlantis4en.exe
4668	atlantis4en.exe
4668	atlantis4en.exe
4668	atlantis4en.exe
4668	atlantis4en.exe
4668	atlantis4en.exe
564	svchost.exe
564	svchost.exe
564	svchost.exe
564	svchost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe
Token: SeShutdownPrivilege	2584	Faersafe.exe
Token: SeCreatePagefilePrivilege	2584	Faersafe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2824	2584	Faersafe.exe	84
PID 2584 wrote to memory of 2324	2584	Faersafe.exe	85
PID 2584 wrote to memory of 2324	2584	Faersafe.exe	85
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86
PID 2584 wrote to memory of 1288	2584	Faersafe.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2588
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:564

C:\Users\Admin\AppData\Local\Temp\Faersafe.exe
"C:\Users\Admin\AppData\Local\Temp\Faersafe.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\Faersafe.exe
  "C:\Users\Admin\AppData\Local\Temp\Faersafe.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-electron-app" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1684 --field-trial-handle=1688,i,3838136809222540271,7431860885203500598,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\Faersafe.exe
  "C:\Users\Admin\AppData\Local\Temp\Faersafe.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-electron-app" --mojo-platform-channel-handle=2040 --field-trial-handle=1688,i,3838136809222540271,7431860885203500598,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\Faersafe.exe
  "C:\Users\Admin\AppData\Local\Temp\Faersafe.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-electron-app" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2316 --field-trial-handle=1688,i,3838136809222540271,7431860885203500598,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1288
- C:\games\DDR5_NetCache\atlantis4en.exe
  C:\games\DDR5_NetCache\atlantis4en.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\my-electron-app\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\games\DDR5_NetCache\atlantis4en.exe

Filesize
681KB

MD5
d351f00ca827a832d1cd9efc7f5a3073

SHA1
daed6eebb1c8532982c2e489603077dac6d1423d

SHA256
52b9f48481c6b437b6cf1e228a59887a9b85563efbf44bc3c0db98401f086b4c

SHA512
3f8bb916e5ce1f92cb4e1cca32f00e989bed3e6cdf8d0a34141537e93b840029c2ec5784d7d8b52a18a1bfabcce526ae076fb34283972af5d11bd98ec7f4fe63

Download Submit
memory/564-127-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/564-133-0x00000000772B0000-0x00000000774C5000-memory.dmp

Filesize
2.1MB

Download
memory/564-131-0x00007FFECB890000-0x00007FFECBA85000-memory.dmp

Filesize
2.0MB

Download
memory/564-130-0x0000000001200000-0x0000000001600000-memory.dmp

Filesize
4.0MB

Download
memory/1288-101-0x000001D607F70000-0x000001D6086AF000-memory.dmp

Filesize
7.2MB

Download
memory/1288-45-0x00007FFECA5D0000-0x00007FFECA5D1000-memory.dmp

Filesize
4KB

Download
memory/1288-46-0x00007FFECB700000-0x00007FFECB701000-memory.dmp

Filesize
4KB

Download
memory/4668-123-0x00000000029C0000-0x0000000002DC0000-memory.dmp

Filesize
4.0MB

Download
memory/4668-124-0x00007FFECB890000-0x00007FFECBA85000-memory.dmp

Filesize
2.0MB

Download
memory/4668-126-0x00000000772B0000-0x00000000774C5000-memory.dmp

Filesize
2.1MB

Download
memory/4668-122-0x00000000029C0000-0x0000000002DC0000-memory.dmp

Filesize
4.0MB

Download
memory/4668-128-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4668-121-0x0000000002520000-0x0000000002597000-memory.dmp

Filesize
476KB

Download