rhadamanthys | 8eb3f7a87e9f33f64793dde4bbe4c63d97b600fdecc00cf77341abbe27d69553

General

Target

8eb3f7a87e9f33f64793dde4bbe4c63d97b600fdecc00cf77341abbe27d69553.dll
Size

62.0MB
MD5

c878951a604018f259ac092ff2251a98
SHA1

b5a1a4cd2b88ed67adcb6293e54c1b13953c6f19
SHA256

8eb3f7a87e9f33f64793dde4bbe4c63d97b600fdecc00cf77341abbe27d69553
SHA512

c827468238bea1de6fabcd46f45a62accdaba62d4f3506f4baba15b846d47fcd1a21134700639f55ee532a6b38fa769df0c12e5f568b49ab8d7e8a2628068a05
SSDEEP

1572864:9YsjkeZwu3B4RHLqyzWZvbYF8WNLKUnBDUpG5FQ:vIfzW6xBK

Score

10^/10

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral2/memory/5024-2-0x0000000000B30000-0x0000000000BB1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/5024-4-0x0000000000B30000-0x0000000000BB1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/5024-3-0x0000000000B30000-0x0000000000BB1000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/5024-5-0x0000000000B30000-0x0000000000BB1000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5024 created 396	5024	rundll32.exe	49

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	5024	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
4892	svchost.exe
4892	svchost.exe
4892	svchost.exe
4892	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3516	3372	rundll32.exe	83
PID 3372 wrote to memory of 3516	3372	rundll32.exe	83
PID 3372 wrote to memory of 3516	3372	rundll32.exe	83
PID 3516 wrote to memory of 5024	3516	rundll32.exe	87
PID 3516 wrote to memory of 5024	3516	rundll32.exe	87
PID 3516 wrote to memory of 5024	3516	rundll32.exe	87
PID 3516 wrote to memory of 5024	3516	rundll32.exe	87
PID 3516 wrote to memory of 5024	3516	rundll32.exe	87
PID 5024 wrote to memory of 4892	5024	rundll32.exe	88
PID 5024 wrote to memory of 4892	5024	rundll32.exe	88
PID 5024 wrote to memory of 4892	5024	rundll32.exe	88
PID 5024 wrote to memory of 4892	5024	rundll32.exe	88
PID 5024 wrote to memory of 4892	5024	rundll32.exe	88

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:396
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4892

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8eb3f7a87e9f33f64793dde4bbe4c63d97b600fdecc00cf77341abbe27d69553.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8eb3f7a87e9f33f64793dde4bbe4c63d97b600fdecc00cf77341abbe27d69553.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 584
      4⤵
      Program crash
      PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3516-0-0x00000000121C3000-0x00000000121C9000-memory.dmp

Filesize
24KB

Download
memory/3516-1-0x0000000010000000-0x0000000013E60000-memory.dmp

Filesize
62.4MB

Download
memory/3516-6-0x00000000125A4000-0x00000000125AC000-memory.dmp

Filesize
32KB

Download
memory/4892-17-0x00007FFFF9CD0000-0x00007FFFF9EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4892-19-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/4892-16-0x0000000000AD0000-0x0000000000ED0000-memory.dmp

Filesize
4.0MB

Download
memory/4892-14-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/5024-9-0x0000000002920000-0x0000000002D20000-memory.dmp

Filesize
4.0MB

Download
memory/5024-8-0x0000000002920000-0x0000000002D20000-memory.dmp

Filesize
4.0MB

Download
memory/5024-10-0x00007FFFF9CD0000-0x00007FFFF9EC5000-memory.dmp

Filesize
2.0MB

Download
memory/5024-13-0x0000000076090000-0x00000000762A5000-memory.dmp

Filesize
2.1MB

Download
memory/5024-5-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/5024-11-0x0000000002920000-0x0000000002D20000-memory.dmp

Filesize
4.0MB

Download
memory/5024-7-0x0000000002920000-0x0000000002D20000-memory.dmp

Filesize
4.0MB

Download
memory/5024-3-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/5024-4-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/5024-2-0x0000000000B30000-0x0000000000BB1000-memory.dmp

Filesize
516KB

Download
memory/5024-20-0x0000000002920000-0x0000000002D20000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing