rhadamanthys | bd81ca8a166107a79709ed9c51850afa8aa4116c1e61b0d1010211464f7e8aa0

Analysis

max time kernel
41s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader_dll/loaderV12.exe
Size

62.3MB
MD5

8e533e9d973e49f1251a5a5343650130
SHA1

2c94ccaf726d034c426425e6b74755b941880566
SHA256

6465765c30c964f99f3afadb81383993893cfcbb47d4740b368a11e5dc614f1e
SHA512

a03ce278551642f8e615dbf617d6480794909f5648e108644f1db9c5a694a334c6b14ed3bc1b82da65e67e78d2d03f3871335d19116ad4624fdc1e0ca32a0d38
SSDEEP

393216:W5HH6Cms5ku95LoagbWWToiadeqW5ZKwq/2Q3HAswsOjNnFRujVebELXD6uP9wjT:WhH6CmsXV1WpaAPZc2ugV2ebVuP+/

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral2/memory/1996-35-0x0000000000EB0000-0x0000000000F31000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1996 created 3064	1996	driver1.exe	51

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
8	powershell.exe
1036	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	driver1.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4900	1996	WerFault.exe	93
3336	1996	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
8	powershell.exe
8	powershell.exe
1036	powershell.exe
1036	powershell.exe
1996	driver1.exe
1996	driver1.exe
1996	driver1.exe
1996	driver1.exe
3612	svchost.exe
3612	svchost.exe
3612	svchost.exe
3612	svchost.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe
Token: 35	4504	wmic.exe
Token: 36	4504	wmic.exe
Token: SeIncreaseQuotaPrivilege	4504	wmic.exe
Token: SeSecurityPrivilege	4504	wmic.exe
Token: SeTakeOwnershipPrivilege	4504	wmic.exe
Token: SeLoadDriverPrivilege	4504	wmic.exe
Token: SeSystemProfilePrivilege	4504	wmic.exe
Token: SeSystemtimePrivilege	4504	wmic.exe
Token: SeProfSingleProcessPrivilege	4504	wmic.exe
Token: SeIncBasePriorityPrivilege	4504	wmic.exe
Token: SeCreatePagefilePrivilege	4504	wmic.exe
Token: SeBackupPrivilege	4504	wmic.exe
Token: SeRestorePrivilege	4504	wmic.exe
Token: SeShutdownPrivilege	4504	wmic.exe
Token: SeDebugPrivilege	4504	wmic.exe
Token: SeSystemEnvironmentPrivilege	4504	wmic.exe
Token: SeRemoteShutdownPrivilege	4504	wmic.exe
Token: SeUndockPrivilege	4504	wmic.exe
Token: SeManageVolumePrivilege	4504	wmic.exe
Token: 33	4504	wmic.exe
Token: 34	4504	wmic.exe
Token: 35	4504	wmic.exe
Token: 36	4504	wmic.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 8	4536	loaderV12.exe	85
PID 4536 wrote to memory of 8	4536	loaderV12.exe	85
PID 8 wrote to memory of 1036	8	powershell.exe	87
PID 8 wrote to memory of 1036	8	powershell.exe	87
PID 4536 wrote to memory of 4504	4536	loaderV12.exe	89
PID 4536 wrote to memory of 4504	4536	loaderV12.exe	89
PID 4536 wrote to memory of 1996	4536	loaderV12.exe	93
PID 4536 wrote to memory of 1996	4536	loaderV12.exe	93
PID 4536 wrote to memory of 1996	4536	loaderV12.exe	93
PID 1996 wrote to memory of 3612	1996	driver1.exe	94
PID 1996 wrote to memory of 3612	1996	driver1.exe	94
PID 1996 wrote to memory of 3612	1996	driver1.exe	94
PID 1996 wrote to memory of 3612	1996	driver1.exe	94
PID 1996 wrote to memory of 3612	1996	driver1.exe	94

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3064
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3612

C:\Users\Admin\AppData\Local\Temp\Loader_dll\loaderV12.exe
"C:\Users\Admin\AppData\Local\Temp\Loader_dll\loaderV12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\Loader_dll\loaderV12.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Loader_dll\loaderV12.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\ProgramData\driver1.exe
  C:\ProgramData\driver1.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 388
    3⤵
    - Program crash
    PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 412
    3⤵
    - Program crash
    PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1996 -ip 1996
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe

Filesize
1.1MB

MD5
9cff7f2ffa235062a389eafa44385df5

SHA1
97f06a91915400aaf0f2e93352172395e9dc1c66

SHA256
1103d24428005f23b7c88bdaafc615d1b4ed4320f3554e096712c80dfc4048f8

SHA512
aa242d26d02ed4eefe317781ad0692a2e70269221b26042a6f9e47ae18e286dda5dac3959397f85ea4a40ba82206a553c4b5e82962393142e45ab235fffbeadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arv3xyij.yu2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/8-12-0x00007FFEA8F40000-0x00007FFEA9A01000-memory.dmp

Filesize
10.8MB

Download
memory/8-0-0x00007FFEA8F43000-0x00007FFEA8F45000-memory.dmp

Filesize
8KB

Download
memory/8-11-0x00007FFEA8F40000-0x00007FFEA9A01000-memory.dmp

Filesize
10.8MB

Download
memory/8-27-0x00007FFEA8F40000-0x00007FFEA9A01000-memory.dmp

Filesize
10.8MB

Download
memory/8-1-0x000002358B6B0000-0x000002358B6D2000-memory.dmp

Filesize
136KB

Download
memory/1996-42-0x0000000000F40000-0x0000000001340000-memory.dmp

Filesize
4.0MB

Download
memory/1996-41-0x0000000000F40000-0x0000000001340000-memory.dmp

Filesize
4.0MB

Download
memory/1996-35-0x0000000000EB0000-0x0000000000F31000-memory.dmp

Filesize
516KB

Download
memory/1996-43-0x00007FFEC7930000-0x00007FFEC7B25000-memory.dmp

Filesize
2.0MB

Download
memory/1996-45-0x0000000075E20000-0x0000000076035000-memory.dmp

Filesize
2.1MB

Download
memory/3612-46-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3612-48-0x0000000000E00000-0x0000000001200000-memory.dmp

Filesize
4.0MB

Download
memory/3612-51-0x0000000075E20000-0x0000000076035000-memory.dmp

Filesize
2.1MB

Download
memory/3612-49-0x00007FFEC7930000-0x00007FFEC7B25000-memory.dmp

Filesize
2.0MB

Download