rhadamanthys | a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Size

5.0MB
MD5

77ca2815ab23eac7d6cf72e6fb7a4871
SHA1

413e668869fe4a5b5833a45e47a8208ad2cc10ee
SHA256

a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164
SHA512

35000b5b6d068bf7f3979b219dcdba183f90d34cfff75eb4bc941797505569d714935f7be495944173323c6258b7b16c29a76d55559e66b524b523fd8d5296a3
SSDEEP

98304:sfUbLyFhZSspAtvVGY+8ATnSkrM64DlWl6UHrn6hOxUdyWMh:sfUyhT0cY5on7rZ4BWl6ULn6QCZu

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.8.83:4785/531f751d32a6cfcb/fdl16fq7.j6l1q

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Executes dropped EXE 3 IoCs

pid	Process
1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
2252	RttHlp.exe
2752	RttHlp.exe

Loads dropped DLL 12 IoCs

pid	Process
1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
2252	RttHlp.exe
2252	RttHlp.exe
2252	RttHlp.exe
2252	RttHlp.exe
2252	RttHlp.exe
2752	RttHlp.exe
2752	RttHlp.exe
2752	RttHlp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 2224	2752	RttHlp.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2252	RttHlp.exe
2752	RttHlp.exe
2752	RttHlp.exe
2224	cmd.exe
2224	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2752	RttHlp.exe
2224	cmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1112 wrote to memory of 1632	1112	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	30
PID 1632 wrote to memory of 2252	1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	32
PID 1632 wrote to memory of 2252	1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	32
PID 1632 wrote to memory of 2252	1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	32
PID 1632 wrote to memory of 2252	1632	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	32
PID 2252 wrote to memory of 2752	2252	RttHlp.exe	33
PID 2252 wrote to memory of 2752	2252	RttHlp.exe	33
PID 2252 wrote to memory of 2752	2252	RttHlp.exe	33
PID 2252 wrote to memory of 2752	2252	RttHlp.exe	33
PID 2752 wrote to memory of 2224	2752	RttHlp.exe	34
PID 2752 wrote to memory of 2224	2752	RttHlp.exe	34
PID 2752 wrote to memory of 2224	2752	RttHlp.exe	34
PID 2752 wrote to memory of 2224	2752	RttHlp.exe	34
PID 2752 wrote to memory of 2224	2752	RttHlp.exe	34
PID 2224 wrote to memory of 1836	2224	cmd.exe	36
PID 2224 wrote to memory of 1836	2224	cmd.exe	36
PID 2224 wrote to memory of 1836	2224	cmd.exe	36
PID 2224 wrote to memory of 1836	2224	cmd.exe	36
PID 2224 wrote to memory of 1836	2224	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
"C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  "C:\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\RttHlp.exe
    "C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\RttHlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe
      "C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68ba8e17

Filesize
1.0MB

MD5
ca668b905be1aa70efe6258a3fe1b1c2

SHA1
fe8e0b72104c5bf977951720482314a65d6f3a50

SHA256
96e9c773b765ed6cb9bcfc7ca300439bb913b2fa5bbdfd0dd48ee8e8390733ba

SHA512
7ab58520b3ee37791defa1f6053d554a7f6294b4a0a9748131133adaf85e1c9d6502228fd1d9b4e5390b3db5973998c2f216eacfc082e1750bc3becb9bbe85ee

Download Submit
C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\Register.dll

Filesize
1.0MB

MD5
fe6fde51e5f2397667f8b9424968f55b

SHA1
293154bfda2fd9a882aa39be5da32e8057820130

SHA256
87550210bd083496cd991c90dbc6bdb89ee8bf5873f8d8fad8e255c6fc4a5f54

SHA512
c5d402464181555e39163432a672a64976bbfc4408a699e6c03e6d86eef08acf8cbc91546591587378c1cdda0ccf28b5c685368acc2825c569defd44dd9c3870

Download Submit
C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\hypha.rpm

Filesize
922KB

MD5
4b05303b9e4d729e3b108b21f590c545

SHA1
43b7ebd1994c55d20efe4a40af7296b368d3470b

SHA256
a89a15a940e32494a339d74546f14d42af9c7541d491442ef774423755592f0e

SHA512
f22077b6e044f7b4b63d129c2a75969fcacf77c4f8c2cde4b87ecba593b5642640ce64a937dcc0628d0efbdedb02f6c6ae10ca3caa5a15eed83d17a78829a292

Download Submit
C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\squirearch.db

Filesize
85KB

MD5
bcc468a592298d4063a354a9a190878c

SHA1
6ea1c4a46b4e03036b338c38d2455fb97ea82a7a

SHA256
c69149e6e6e271f7655381ccd513f91eba0f57a2b20b8c4bfbc01a0ca769fc20

SHA512
3ba6c7100c69fb83db20c80c66b6cd682e68ad4960954ffafb181e109612723474f1f36413c6d6cf7c14ba367f56443aaa26470c089f5e271f75cfa46ba3eab2

Download Submit
C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe

Filesize
5.0MB

MD5
58f5ba535531f592d76b432c078885fc

SHA1
9b9db1ce6d16e40c5c8460efe58a5654a3a48e94

SHA256
078434dbd2e2109eae624900cabbb3b21dc3047ccfcabdd9acedfbdfbc55154f

SHA512
f2ee06c7f52a263d3e2804feaf9bbc45b9fee23873b94ecd506e64b14a0b33b383a04c371a6778c64d3142e2e70a133444f499b1bded07576303d18c0b64dd78

Download Submit
\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\Divestiture.dll

Filesize
3.5MB

MD5
9546061d235523ef31f88faff2b6c212

SHA1
3c9110c6ae4a8aa973e5b2eef088f7e4f73a2382

SHA256
7f9d6a7e9ac4789e4addb1e8480f9a7e184ab6fd88d26c97cf904e71345be7ed

SHA512
9794138a67bf6efd90db78526de8083d4c0d02ffa19083ef99ab1f49c69aa80dde7946a9143f37cde53c65447929bbdb0d47bb9eaa1a25b78315ebcd0f02f1e9

Download Submit
\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
memory/1836-124-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1836-121-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1836-120-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/1836-119-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2224-117-0x00000000745A0000-0x0000000074714000-memory.dmp

Filesize
1.5MB

Download
memory/2224-71-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2252-30-0x0000000003100000-0x000000000320F000-memory.dmp

Filesize
1.1MB

Download
memory/2252-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2252-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2252-33-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/2252-50-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2252-34-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2252-51-0x0000000003100000-0x000000000320F000-memory.dmp

Filesize
1.1MB

Download
memory/2252-49-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2752-64-0x00000000745A0000-0x0000000074714000-memory.dmp

Filesize
1.5MB

Download
memory/2752-67-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2752-68-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2752-69-0x0000000001F80000-0x000000000208F000-memory.dmp

Filesize
1.1MB

Download
memory/2752-59-0x0000000001F80000-0x000000000208F000-memory.dmp

Filesize
1.1MB

Download
memory/2752-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2752-62-0x00000000745A0000-0x0000000074714000-memory.dmp

Filesize
1.5MB

Download
memory/2752-63-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download