rhadamanthys | 2596ce84f291c7ee4b60d32329e4926830617365e4206905b4ab7ae4987f3caa

Analysis

max time kernel
92s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/New V1.0.3.exe
Size

1.2MB
MD5

bb51d554e3b4fd7fed2bad278b9970d0
SHA1

7d6f516b0755b2472bfb39d086da0106a8eb3e68
SHA256

1fb66beef1b9185abbf99a473188a755a0dee0e122a066a0e0776e251d716f95
SHA512

acafe93c075c71b94ab3efacaec6dd168986d2a88b330958e57647adaca4e043a5ea538bb0007ba8685925c8373fda6a3d99c59c9f30f65de8fc948e2304efac
SSDEEP

24576:lsKH7wrz1OIcJhiTKGOwD8HxgQotG411iS4QZl+5nLHoWLb57BW21wRqNb:rjIcJhrJxgQHPS42sHoWH9QuA+

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral2/memory/3272-377-0x0000000004940000-0x00000000049C1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3272-380-0x0000000004940000-0x00000000049C1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3272-379-0x0000000004940000-0x00000000049C1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3272-378-0x0000000004940000-0x00000000049C1000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3272 created 2640	3272	Unity.com	44

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	New V1.0.3.exe

Executes dropped EXE 1 IoCs

pid	Process
3272	Unity.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4200	tasklist.exe
4784	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ConsentSyria	New V1.0.3.exe
File opened for modification	C:\Windows\TractRecovery	New V1.0.3.exe
File opened for modification	C:\Windows\JoeFunctional	New V1.0.3.exe
File opened for modification	C:\Windows\ExpenseRecognize	New V1.0.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4724	3272	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New V1.0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unity.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
3272	Unity.com
8	svchost.exe
8	svchost.exe
8	svchost.exe
8	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	tasklist.exe
Token: SeDebugPrivilege	4784	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3272	Unity.com
3272	Unity.com
3272	Unity.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3272	Unity.com
3272	Unity.com
3272	Unity.com

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2100	2828	New V1.0.3.exe	84
PID 2828 wrote to memory of 2100	2828	New V1.0.3.exe	84
PID 2828 wrote to memory of 2100	2828	New V1.0.3.exe	84
PID 2100 wrote to memory of 4200	2100	cmd.exe	86
PID 2100 wrote to memory of 4200	2100	cmd.exe	86
PID 2100 wrote to memory of 4200	2100	cmd.exe	86
PID 2100 wrote to memory of 3948	2100	cmd.exe	87
PID 2100 wrote to memory of 3948	2100	cmd.exe	87
PID 2100 wrote to memory of 3948	2100	cmd.exe	87
PID 2100 wrote to memory of 4784	2100	cmd.exe	89
PID 2100 wrote to memory of 4784	2100	cmd.exe	89
PID 2100 wrote to memory of 4784	2100	cmd.exe	89
PID 2100 wrote to memory of 5112	2100	cmd.exe	90
PID 2100 wrote to memory of 5112	2100	cmd.exe	90
PID 2100 wrote to memory of 5112	2100	cmd.exe	90
PID 2100 wrote to memory of 4960	2100	cmd.exe	91
PID 2100 wrote to memory of 4960	2100	cmd.exe	91
PID 2100 wrote to memory of 4960	2100	cmd.exe	91
PID 2100 wrote to memory of 4832	2100	cmd.exe	92
PID 2100 wrote to memory of 4832	2100	cmd.exe	92
PID 2100 wrote to memory of 4832	2100	cmd.exe	92
PID 2100 wrote to memory of 1224	2100	cmd.exe	93
PID 2100 wrote to memory of 1224	2100	cmd.exe	93
PID 2100 wrote to memory of 1224	2100	cmd.exe	93
PID 2100 wrote to memory of 1656	2100	cmd.exe	94
PID 2100 wrote to memory of 1656	2100	cmd.exe	94
PID 2100 wrote to memory of 1656	2100	cmd.exe	94
PID 2100 wrote to memory of 2936	2100	cmd.exe	95
PID 2100 wrote to memory of 2936	2100	cmd.exe	95
PID 2100 wrote to memory of 2936	2100	cmd.exe	95
PID 2100 wrote to memory of 3272	2100	cmd.exe	96
PID 2100 wrote to memory of 3272	2100	cmd.exe	96
PID 2100 wrote to memory of 3272	2100	cmd.exe	96
PID 2100 wrote to memory of 2496	2100	cmd.exe	97
PID 2100 wrote to memory of 2496	2100	cmd.exe	97
PID 2100 wrote to memory of 2496	2100	cmd.exe	97
PID 3272 wrote to memory of 8	3272	Unity.com	99
PID 3272 wrote to memory of 8	3272	Unity.com	99
PID 3272 wrote to memory of 8	3272	Unity.com	99
PID 3272 wrote to memory of 8	3272	Unity.com	99
PID 3272 wrote to memory of 8	3272	Unity.com	99

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:8

C:\Users\Admin\AppData\Local\Temp\Release\New V1.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\Release\New V1.0.3.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Sent Sent.cmd & Sent.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 261464
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Carroll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Circumstances" Club
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 261464\Unity.com + Excellent + Annotation + Changing + Decades + Beginning + Junior + Notebooks + Regional + License + Blog 261464\Unity.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Products + ..\Additions + ..\Promotions + ..\Packet + ..\Weblogs + ..\Variation + ..\Among + ..\Volleyball + ..\Story f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\261464\Unity.com
    Unity.com f
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 904
      4⤵
      Program crash
      PID:4724
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3272 -ip 3272
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\261464\Unity.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\261464\f

Filesize
659KB

MD5
0c333a581ed96e1e6a88953420dda7a9

SHA1
64850d764dd78c09142bc69be5dd9de0b3f94804

SHA256
12b25168ff8a9cf95062d43c335690ef1f7bc85e991995ac29bc40cca8888e0d

SHA512
43cd057d602c3822ef4acad70762d91af7b41188c8f0e421a7e08ca04ef29c2c02a801d88a106be8976affa685357918a7bc5552c8b233a4398895236cf0f53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Additions

Filesize
90KB

MD5
c72f068db481aea27a842c9bfe9860cd

SHA1
a5561a6759b918a5764704a6e11b3db42aa87a62

SHA256
286f77e1e107ffc16bddc64df1d9002c15a832c4cebd4c5b880f39edc0881e76

SHA512
d7fad6083e721437d54c706310ca3ca467c7b9cacb285e774a94df82929cf1f885d05a2b57570dedd5114741f0fbf7ebcd7cec1f91a43881ed12b7129cf21b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Among

Filesize
79KB

MD5
7012d631f674f310afa13ce8914d65fd

SHA1
22a7c3cad15d58e3a457a85283819fc011fb3723

SHA256
1c914ffb2f2482606616fb6ebde6f0a7a6951d5010de4ba2171a2e5c9e327d15

SHA512
4162b802b91d8e57d1e6a9d23f9e2e695d455cb2b90797a09e8a337097433c90770834fbab8e6b820c60f461058043ff854dfeaed4024aeddec2cbbd3c409c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carroll

Filesize
477KB

MD5
a77177e063866e67b654a09a832672c0

SHA1
6ee75c8e8829c39e6b2faae314389d02318f8f4d

SHA256
a7b45687d0a9e018e6e855831f91e762a54971cdf63531f53dbd8469393e85cd

SHA512
14984d6680ec1a7a0bf3b25db92ee3bb12d0b99abd52f8b33bb4369bc5bc69795c4fce5b28468d94354c5f33392ab605c97a9dbe174fc28fb4cabd428d532a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Club

Filesize
2KB

MD5
d40a9665e004c5013821eb49f33a0bb3

SHA1
c95a41dbf5736a553e7cee3712c34c9c502650cd

SHA256
36fbdb6df849a7569df809733c55594f7a85f564c1ea9253cc571f48e0b9e6de

SHA512
d6c91ce9cbb414680943c105e14529a8c73ff27a30a1eaa79f828d5dc075a616406c70736cee27d6e6f5d84a97c33613e728edae8a6caae2f8f5b8a6d493c50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Packet

Filesize
81KB

MD5
456f43b6e72ff0d24fa3c53b217ba4d4

SHA1
faf97b154f4ff5cf3ea3c05edd181b678851b791

SHA256
06ce66ef041544e67e2285cb1058609c96956666fc9871ce73f7a18f935d9d22

SHA512
f305823a2874b563f8ee903261032ba7e906bb99e6ade2403d81794f4f62e1384262ca89766fd8fac860cdef13cdebf4bf4245af33d28d82b51ebf40944dcdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Products

Filesize
98KB

MD5
111b101b105931f30eb83a71fe5afdd0

SHA1
c6d2a3d962cba8a577810a9f28a90f830868d085

SHA256
c4ba666d274ccd8b84f0b7a380a4631ff854fb13e1488de00e23f541def45c37

SHA512
094877a2d43d004e44140f6954bbb8536fe4671a81572033886de00001b84bdfbdb896dcda85bc9eec7e8497899bcc0e10697a24ab557d1ad1f09c3dce540633

Download Submit
C:\Users\Admin\AppData\Local\Temp\Promotions

Filesize
75KB

MD5
f27774e72d304c34dc7b89ad60d60795

SHA1
e4f2fac6ada186cb09f4453671dc975b7d05ff4a

SHA256
3528c5df4b5ffa9b32abd75b9ce12d64e06e6f074e6f423b15e34e414554aa1a

SHA512
2c22b06f67a4c9e41b96dff72c6a621dcd54308dd5e2b401074256b2cc7248158caae9d88f2f87d8521dc7e800c74bae10801dd8fc4f4049d898ca25d6b6192b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sent

Filesize
13KB

MD5
3ee7cdd746bba67652fc33569f65b26c

SHA1
faf8d585c7f958fb6fdb4c1722804e7cc72706a6

SHA256
830c15610555e0a97af93db9b52ca77def4a3f9f3591e92f7ca8ff24f6c0ba08

SHA512
5808fcdd9fd0f8cef9f2d4cfd09647fbebc1dc36384e8dc4ed77746e4b94315420d4005a6e37307583825c8bf5806ad86047507573a83046ce28fb939816b709

Download Submit
C:\Users\Admin\AppData\Local\Temp\Story

Filesize
16KB

MD5
868f399817a4fd0ccd2f6f7811a8ac6c

SHA1
dd7b57fe6fd0334c54d99ec6ffba70f681bd166c

SHA256
6e4c030887808454f3c0636e96cd37d51bf27dbc955cd749713729e6a27cf5f0

SHA512
2b479c61c71511420d0357053164073e0a32b4796321dfaa3b0757dfc146f45ec600c78b114e002e8caba26e2ad59cb3fa2148457bc889bfb769e3d16851aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Variation

Filesize
62KB

MD5
e15f86584daedd177c1296dc33f188e4

SHA1
bc6515f729472565cffefb14a1ae3f14429a026d

SHA256
b52645f7bc60e9e6b7b49f4d5da26d5d64f4d44a38fa8afaae507d16a9ca8698

SHA512
5d6f9408a84e25e35aae00a9813685572bc5553a0a747cd5956cd9004259928ec3700f58c31ca08f1205fbcc27257f527092651e05d6138e20c87d280117c51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Volleyball

Filesize
61KB

MD5
463da136de6fde57596fcdb3372d6fd0

SHA1
085f19e35378ad99f6af3b40412ab355ae2d2de3

SHA256
edc012053ae253ed0877b417177f8dae9bc2040a91f9ed294e3b8ddb78627150

SHA512
5b86fd3249e9291f45370f27a8dd45d8ad407329648c03500d2fbddca99d9a9c73815420ee14dce2be963e06663bcd6d7342872ea83fbe5ab73b796809bf2608

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weblogs

Filesize
97KB

MD5
d705b020227898d3e059653391c1b796

SHA1
6889cd184e9db0ef19cdb7fdde5917e03088d2ed

SHA256
c3ce02ff43ebb1c2015b96689cde0767ddc77dc76ad8e41d8b117f3bba196163

SHA512
411cad3b86b2aaa6baf4f71b5db65bca259c65c8e69c218504825c86c4f3c6171649fa7e2e37a2a96ebb5b7a85aa1d207d1ad9d67744f63df2d0efd071c3db4b

Download Submit
memory/8-386-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/8-389-0x00007FFF88590000-0x00007FFF88785000-memory.dmp

Filesize
2.0MB

Download
memory/8-391-0x0000000075DE0000-0x0000000075FF5000-memory.dmp

Filesize
2.1MB

Download
memory/8-388-0x00000000012E0000-0x00000000016E0000-memory.dmp

Filesize
4.0MB

Download
memory/3272-374-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download
memory/3272-378-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download
memory/3272-381-0x00000000049D0000-0x0000000004DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3272-382-0x00000000049D0000-0x0000000004DD0000-memory.dmp

Filesize
4.0MB

Download
memory/3272-383-0x00007FFF88590000-0x00007FFF88785000-memory.dmp

Filesize
2.0MB

Download
memory/3272-385-0x0000000075DE0000-0x0000000075FF5000-memory.dmp

Filesize
2.1MB

Download
memory/3272-379-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download
memory/3272-380-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download
memory/3272-375-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download
memory/3272-377-0x0000000004940000-0x00000000049C1000-memory.dmp

Filesize
516KB

Download