rhadamanthys | 3fb6948c6dcbeec334b3722fd0a61676094a2171a7eb88164534cb17dded7819

General

Target

standalone/run.bat
Size

20B
MD5

d5dcfc4a880ac2ab6c92ed02368e299a
SHA1

3f9787360815416373dcb3ff9c8a9f2437eb5a72
SHA256

74bf0562d4f563924e643f8c14940e7cb85ca38e8c18601b9dcabb00ee2d7a86
SHA512

0da00a32fd90c9799aa224f3ffb33d67cfae643e6c81a4abfb17196c86115dfba386ffb65f8a3300c71b16048eea9d6df28a6f81a8984f5d982e43250f337bb5

Score

10^/10

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral1/memory/1672-16-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1672-18-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1672-17-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1672-25-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1672 created 2256	1672	explorer.exe	49

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1672	1500	pythonw.exe	85

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
976	svchost.exe
976	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5688	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1500	pythonw.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5688	taskmgr.exe
Token: SeSystemProfilePrivilege	5688	taskmgr.exe
Token: SeCreateGlobalPrivilege	5688	taskmgr.exe
Token: 33	5688	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5688	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1500	1760	cmd.exe	82
PID 1760 wrote to memory of 1500	1760	cmd.exe	82
PID 1500 wrote to memory of 1672	1500	pythonw.exe	85
PID 1500 wrote to memory of 1672	1500	pythonw.exe	85
PID 1672 wrote to memory of 976	1672	explorer.exe	86
PID 1672 wrote to memory of 976	1672	explorer.exe	86
PID 1672 wrote to memory of 976	1672	explorer.exe	86
PID 1672 wrote to memory of 976	1672	explorer.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2256
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\standalone\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\standalone\pythonw.exe
  pythonw.exe load.py
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-24-0x0000026018760000-0x000002601876A000-memory.dmp

Filesize
40KB

Download
memory/976-29-0x00007FF817EC0000-0x00007FF8180C9000-memory.dmp

Filesize
2.0MB

Download
memory/976-30-0x00007FF816590000-0x00007FF81664D000-memory.dmp

Filesize
756KB

Download
memory/976-31-0x00007FF815450000-0x00007FF8157C4000-memory.dmp

Filesize
3.5MB

Download
memory/976-28-0x0000026018B00000-0x0000026018F00000-memory.dmp

Filesize
4.0MB

Download
memory/1500-2-0x000002DE98950000-0x000002DE98A00000-memory.dmp

Filesize
704KB

Download
memory/1500-1-0x000002DE98950000-0x000002DE98A00000-memory.dmp

Filesize
704KB

Download
memory/1672-25-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp

Filesize
536KB

Download
memory/1672-20-0x0000000000A30000-0x0000000000E30000-memory.dmp

Filesize
4.0MB

Download
memory/1672-21-0x00007FF817EC0000-0x00007FF8180C9000-memory.dmp

Filesize
2.0MB

Download
memory/1672-22-0x00007FF816590000-0x00007FF81664D000-memory.dmp

Filesize
756KB

Download
memory/1672-23-0x00007FF815450000-0x00007FF8157C4000-memory.dmp

Filesize
3.5MB

Download
memory/1672-16-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp

Filesize
536KB

Download
memory/1672-18-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp

Filesize
536KB

Download
memory/1672-17-0x00007FF714B50000-0x00007FF714BD6000-memory.dmp

Filesize
536KB

Download
memory/1672-19-0x0000000000A30000-0x0000000000E30000-memory.dmp

Filesize
4.0MB

Download
memory/5688-13-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-14-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-15-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-9-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-11-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-12-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-10-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-5-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-4-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download
memory/5688-3-0x0000024167E50000-0x0000024167E51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing