rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

Bootstrapper.exe
Size

250.0MB
Sample

250315-zqp34ss1az
MD5

c7102c624c1599933063af2bc66ffd77
SHA1

cbd5deda7ce4fb90fb8cf6295bacaaf9dbd265fc
SHA256

3342b0a18be89977895326bdb51efaad6ad82a4ca8dbf420300debec0824f607
SHA512

26e8c6a0f31a562577f42e63c70498228b65ebb6704d512a9d4db1e5edac56d5873a52bda94575637394ca4677f5d0ff5263681774bf171bed1396672b4c8018
SSDEEP

24576:93RriG1mpGYo8xnYfdw6iBr/Lxc6FBirVADjZGpN+jP9zB77+swD:5Z9Aq86dwrLNcsYrwzV7rwD

Score

10^/10

Malware Config

Targets

- Target
  
  Bootstrapper.exe
- Size
  
  250.0MB
- MD5
  
  c7102c624c1599933063af2bc66ffd77
- SHA1
  
  cbd5deda7ce4fb90fb8cf6295bacaaf9dbd265fc
- SHA256
  
  3342b0a18be89977895326bdb51efaad6ad82a4ca8dbf420300debec0824f607
- SHA512
  
  26e8c6a0f31a562577f42e63c70498228b65ebb6704d512a9d4db1e5edac56d5873a52bda94575637394ca4677f5d0ff5263681774bf171bed1396672b4c8018
- SSDEEP
  
  24576:93RriG1mpGYo8xnYfdw6iBr/Lxc6FBirVADjZGpN+jP9zB77+swD:5Z9Aq86dwrLNcsYrwzV7rwD
Score

10^/10

rhadamanthys discovery stealer
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Enumerates processes with tasklist
  discovery
behavioral1
- Target
  
  $TEMP/Bc.xll
- Size
  
  61KB
- MD5
  
  6ed41054372d0bb368d955d6a070a803
- SHA1
  
  f1a9621dbd245cabb08f3f4296569436a9474ac3
- SHA256
  
  598d42a7c5a106153b7ac405d6f2ad84724e1d135759b46d02bab971cf08f5b2
- SHA512
  
  e86e97f3c095acc6bbca870d0799e543e4d95fa9de9b26af9a9be47df06dc12c0d77f0e223a0068e191a2527bad804eb84e16a73763628befe7765b04f360903
- SSDEEP
  
  1536:5MDSgi+kgjTWLS7pTt+HdyWGtZMvIJpcdrgL6xg5AB7Clqk:5MDrkkWm1GGt6g2rgkJAAk
Score

1^/10
behavioral2
- Target
  
  $TEMP/Fat.xll
- Size
  
  74KB
- MD5
  
  db0a553f0830dd13ea00d489d75a59cf
- SHA1
  
  3be047bba4f4f6252b91879afb8eb1448e985463
- SHA256
  
  9c99a9c5c17fe4a33b81b5118baaad232397d87516f15718b73d028c34f29afb
- SHA512
  
  487f16c427fcc7aa13a058dd401cc845bf07a5a92de3fb49edf62a4be8279edf80ffa14465dbcbd5fd2fb76674c193995d9afb992ff9b4cd24ca7ba78502a066
- SSDEEP
  
  1536:WR8MBTGoQfK+IgWzibcHyWMwhH49hjnv9ZPJ72VtsZBFBjcsMwlliA:WfQy+I1ebsyWhC9hjlb72z4Bw+lz
Score

1^/10
behavioral3
- Target
  
  $TEMP/Maternity.xll
- Size
  
  30KB
- MD5
  
  fe2b47d95ebbbe6dbb215eb426999ccc
- SHA1
  
  7b9d70adcdc52ae63c3578d3479b6159cba3de5d
- SHA256
  
  8a832b996da79f08801ef99954e3f79ce01ab6dda8d80e0cf73b5db8ae74fd56
- SHA512
  
  ab414ac3516ee27f04301dde62f55da71468cc4f4cfbcbdc69e04e96f63e92236723a64fa62a816a7dc8eb8151e18c9bf7d071c806a45b5f48757f1f5955b88c
- SSDEEP
  
  768:4qZbZN2jYK2fjUkEwE1ejZ30FwXi7waQpsnHXPECVLY8n:4qDQYFPCmYQp2PdVL3
Score

1^/10
behavioral4
- Target
  
  $TEMP/Pairs.xll
- Size
  
  73KB
- MD5
  
  b6459f6df266d629b98353f547cd27e9
- SHA1
  
  0a63e7f709975dc46049f7a86f6d3fe36d9f202c
- SHA256
  
  ed10be904d3789078628ee68e74d9f5bd86dbb965d1019e5c0bf57cf988aabda
- SHA512
  
  be36c7bdcd4d49366c4203dd94a181182e8748dbf0682d9b55529196e76f8fd9c06fa58f19bfaf95200f5e9d86d7220306477432f6320ead0f6fbdb4015c9b6f
- SSDEEP
  
  1536:AdRC+emvq5HX/p3kaqZL91khClPfe4aLYtn4sCM4y:ATfPvGyzkcne4Q4t
Score

1^/10
behavioral5
- Target
  
  $TEMP/Picking.xll
- Size
  
  96KB
- MD5
  
  3c423a6595086f8c05c9a8c93deca4ae
- SHA1
  
  2df46cfc9b72d8b2356077ff70152f15bfe1e9c6
- SHA256
  
  228aec6da2103ffac6868cb0cdf37c3b0610d6b89b7627ea7e577c7bee2aff22
- SHA512
  
  750a948b7df9f0b7d497574d5a6c45a99e0283886ab458861805e8faa5566d866e74a8258737cf11e44f7b776be4edb70d3e91c15e6a2a1f4c73886292bf7812
- SSDEEP
  
  1536:Yj8Vu8CWM8n6GRwmmOg0226fTrw8r9q8w/Oimm84WMgS/ihT/BAMNjqHDkSp78xD:YgvjmGrgU6fTrb4GehWMbqtBAEq5poBt
Score

1^/10
behavioral6
- Target
  
  FilenameDesirable/Gather.xll
- Size
  
  14KB
- MD5
  
  ecccc237fcc18a0d5b0b27ade82dc8a7
- SHA1
  
  7d67280fb4eaf263b0759293c334e621b0c28333
- SHA256
  
  8bac425f8c5c67b51d4445bb4364002e01259f0f43063317c43a8efd70eb8b47
- SHA512
  
  07aa172f0c2f69a4766653bae1e2e85947748f361504196476502b32b872919da5f068ebe603478eb1d57fb8a9a1d24b575f395eef611f0388f0a5bc9678a982
- SSDEEP
  
  384:FxP/UQYBxzIEsRP91GaPlnBCsCUqR91Y7rRgK:7/U9Dz6P9MaPlBXa1Y/L
Score

1^/10
behavioral7
- Target
  
  FilenameDesirable/Greater.xll
- Size
  
  70KB
- MD5
  
  f1fd84ea9b8e52d3c74b3a2205d704f1
- SHA1
  
  f08981533c68337da0fc57093b5f7ca34e8fae1d
- SHA256
  
  9b73986db9c06e3c4338546f7e270f8b6c28c376d7b6aa7b626eb966553420a2
- SHA512
  
  40e9be86035d27ddfad030f49269ac12c661252731d86276950337337685ba49db5715c2fd4b1c4dfc315f912b805e2efd73554e898a1048a9bbaf3d9e0bbcd7
- SSDEEP
  
  1536:tqOkORDUUFFs2TT3dErYwOCt+vLJBlRmYrzaGmyz+mHqvI6kSqlL:t3kbUs+Kz9ETmYq9I+ZSSqlL
Score

1^/10
behavioral8
- Target
  
  FilenameDesirable/Harvest.xll
- Size
  
  52KB
- MD5
  
  7363de7605e5ff4c3e265dbe5f4ac73d
- SHA1
  
  83cae618c50b7c3c5af42408be108a4b5b356bdf
- SHA256
  
  3e76968c44a7283c0f4f62a778f69edc023402e2ced36f173305d3e3f693ff0e
- SHA512
  
  a2c49016069acbb85bba9f8a46285b0a43a95ba8ee5c87b97894c5d8f1d48d4b81412f443948956fefcaba43f047b8e88053517b06226d2654c6737e0c4dc9f3
- SSDEEP
  
  768:h0160wgXld4xIyts4sUzWFanTuUUHHzZC08jh68XN0iRGpH2cFdiqp3g6:mu+4IspsTFJUUH1CW2N0iMH2OdVg6
Score

1^/10
behavioral9
- Target
  
  FilenameDesirable/Hence.xll
- Size
  
  98KB
- MD5
  
  e4fb974bb5837a2b5488bcca63d704cb
- SHA1
  
  a3be82b22ae0162f9b98c69dc9bb8e818b0a780e
- SHA256
  
  fd253c98c7fad4302fcf15d06c4d649e93c7efbe206a05c95bf55a1d5cbe4a68
- SHA512
  
  433b5236eab56aacf9cb020c3ccea858d03379a41f3cb9fd355e10ccf22ac458572949fbe44d1fcff4edecb0db373c0668d3e612c74017c1c8ae5088ea21d770
- SSDEEP
  
  3072:Xmd1TNcujYd5N3hgPcMfdI8QLgfgSGaWuPbY0:ETNcujYd5Nhkc2nQL0gSGaT
Score

1^/10
behavioral10
- Target
  
  FilenameDesirable/Mask.xll
- Size
  
  51KB
- MD5
  
  63230584f42d7cb40c9741c18fe0d4be
- SHA1
  
  a7b89c752e59c7d610c39c42ecb7ae510aec56e6
- SHA256
  
  b4cdd291699df575c017a8b5f01f7e51f21abe9ab33a2dabd4cdee241d3ffa29
- SHA512
  
  d2f9237f003d9f38d8113d952c04b7a998a18ae34295b386509f3dd86b01a809ed1556a2f2b30bfa0c10e6464e8ec2d02a71cdc6db038e9e2d61c5df498f7de8
- SSDEEP
  
  1536:DhKHkaRPmTLBBOr3fBVPDUoo2LeRy7/xZL:DYka4f70PzSRID
Score

1^/10
behavioral11
- Target
  
  FilenameDesirable/Subcommittee.xll
- Size
  
  67KB
- MD5
  
  9a631707f4c2d2a8b86d01e81fde674d
- SHA1
  
  3b78693ad353acf6833e802ddf398ca7f9cc7fef
- SHA256
  
  d604a23485e9dee5b33d5774b0a3e22b397b7cbc30a907e962da4eb47420bd3c
- SHA512
  
  e30f850229a3bf81d566bad909da64ba5a174b288ecb925a3b4fdd4b557a12a41ba1aba61efa9799b86f74d99f7036545705e0780941a5a60a4dd5cc3b19bf4e
- SSDEEP
  
  1536:DM9qkE55KDvgrBgblWhvPRJenYtVWWBSRDUL/F64//yl7MkGZckR:4MkszOblWhvP/SY3WQkUL/F64//ipQcQ
Score

1^/10
behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Detects Rhadamanthys payload

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12