rhadamanthys | 46b84b2fee0b41e72b3e9f23a852f99f0d726e5c8e37838ad25114b6cafb78f4

Analysis

max time kernel
104s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ST.exe
Size

14.8MB
MD5

69faf96407c407a1bf211be76f919bbf
SHA1

7c7de8b16d7e3fe1f73800fa233643a3d0f4acac
SHA256

46b84b2fee0b41e72b3e9f23a852f99f0d726e5c8e37838ad25114b6cafb78f4
SHA512

15b5309deb50900aad2649624ace4f24f44a50d954dd295a5a13bd505adab167f3f893043cd41c445c98cbadeb36a6db377edee9adf94358799737c762484cbb
SSDEEP

393216:aSROShqgErsTyid5GqtHxdKBHTSyx+2LbLlpNPAJ4xxHHP6:dIQGm5ddK0yI2Lfl3bv6

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral2/memory/4308-12-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4308-15-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4308-16-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4308-14-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4308 created 2612	4308	AddInProcess32.exe	44

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3104 set thread context of 4308	3104	ST.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1388	4308	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3104	ST.exe
3104	ST.exe
3104	ST.exe
3104	ST.exe
3104	ST.exe
3104	ST.exe
3104	ST.exe
4308	AddInProcess32.exe
4308	AddInProcess32.exe
4308	AddInProcess32.exe
4308	AddInProcess32.exe
4524	fontdrvhost.exe
4524	fontdrvhost.exe
4524	fontdrvhost.exe
4524	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	ST.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4168	3104	ST.exe	93
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4540	3104	ST.exe	94
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 3104 wrote to memory of 4308	3104	ST.exe	95
PID 4308 wrote to memory of 4524	4308	AddInProcess32.exe	96
PID 4308 wrote to memory of 4524	4308	AddInProcess32.exe	96
PID 4308 wrote to memory of 4524	4308	AddInProcess32.exe	96
PID 4308 wrote to memory of 4524	4308	AddInProcess32.exe	96
PID 4308 wrote to memory of 4524	4308	AddInProcess32.exe	96

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2612
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4524

C:\Users\Admin\AppData\Local\Temp\ST.exe
"C:\Users\Admin\AppData\Local\Temp\ST.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:4540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 340
    3⤵
    - Program crash
    PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4308 -ip 4308
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3104-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/3104-1-0x00000000000C0000-0x0000000000F96000-memory.dmp

Filesize
14.8MB

Download
memory/3104-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/3104-3-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/3104-4-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/3104-5-0x0000000005900000-0x0000000005942000-memory.dmp

Filesize
264KB

Download
memory/3104-6-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3104-7-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/3104-8-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/3104-9-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3104-10-0x00000000017B0000-0x00000000017CA000-memory.dmp

Filesize
104KB

Download
memory/3104-11-0x0000000001820000-0x0000000001826000-memory.dmp

Filesize
24KB

Download
memory/3104-17-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4308-23-0x0000000075E90000-0x00000000760A5000-memory.dmp

Filesize
2.1MB

Download
memory/4308-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4308-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4308-18-0x0000000001540000-0x0000000001940000-memory.dmp

Filesize
4.0MB

Download
memory/4308-20-0x0000000001540000-0x0000000001940000-memory.dmp

Filesize
4.0MB

Download
memory/4308-21-0x00007FFABE030000-0x00007FFABE225000-memory.dmp

Filesize
2.0MB

Download
memory/4308-19-0x0000000001540000-0x0000000001940000-memory.dmp

Filesize
4.0MB

Download
memory/4308-26-0x0000000001540000-0x0000000001940000-memory.dmp

Filesize
4.0MB

Download
memory/4308-15-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4308-34-0x0000000001540000-0x0000000001940000-memory.dmp

Filesize
4.0MB

Download
memory/4524-32-0x0000000000F90000-0x0000000001390000-memory.dmp

Filesize
4.0MB

Download
memory/4524-31-0x0000000075E90000-0x00000000760A5000-memory.dmp

Filesize
2.1MB

Download
memory/4524-29-0x00007FFABE030000-0x00007FFABE225000-memory.dmp

Filesize
2.0MB

Download
memory/4524-33-0x0000000000F90000-0x0000000001390000-memory.dmp

Filesize
4.0MB

Download
memory/4524-27-0x0000000000F90000-0x0000000001390000-memory.dmp

Filesize
4.0MB

Download
memory/4524-28-0x0000000000F90000-0x0000000001390000-memory.dmp

Filesize
4.0MB

Download
memory/4524-24-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download