rhadamanthys | e919f713c6d27cd035cb63ee8f182ba1e75b6f6df9195714af59cf8dcaf661e0 | Triage

Submit
Reports

Overview

overview

Static

static

3

Arcadia.exe

windows11-21h2-x64

Sharing

General

Target

Arcadia.exe
Size

138KB
Sample

250210-bcj3yaxlgl
MD5

7758d01b5675326c5ff61a7bf39336d4
SHA1

ca5604b82aa3395b268e10ce0223a2bd115983f2
SHA256

e919f713c6d27cd035cb63ee8f182ba1e75b6f6df9195714af59cf8dcaf661e0
SHA512

14394dd7de351683db346bef4a4ae083bbe8ac60df5573b53f4557b4b143d6795671ca583510d3c6b7cae6be380b92e59344bb9c99a651b6a03fa403d212663a
SSDEEP

3072:ShK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxOhBu4RqY:ShK4XycqgpfCup5sVxuZ042hAQq

Score

10^/10

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Arcadia.exe

Resource

win11-20250207-en

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer

windows11-21h2-x64

35 signatures

150 seconds

Malware Config

Targets

- Target
  
  Arcadia.exe
- Size
  
  138KB
- MD5
  
  7758d01b5675326c5ff61a7bf39336d4
- SHA1
  
  ca5604b82aa3395b268e10ce0223a2bd115983f2
- SHA256
  
  e919f713c6d27cd035cb63ee8f182ba1e75b6f6df9195714af59cf8dcaf661e0
- SHA512
  
  14394dd7de351683db346bef4a4ae083bbe8ac60df5573b53f4557b4b143d6795671ca583510d3c6b7cae6be380b92e59344bb9c99a651b6a03fa403d212663a
- SSDEEP
  
  3072:ShK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxOhBu4RqY:ShK4XycqgpfCup5sVxuZ042hAQq
Score

10^/10

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates VirtualBox registry keys
  defense_evasion
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Downloads MZ/PE file
- Looks for VMWare services registry key.
  defense_evasion
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdefense_evasiondiscoverypersistenceprivilege_escalationstealer

© 2018-2025

Terms | Privacy