Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/03/2025, 22:50
Static task: static1
Behavioral task: behavioral1
  Sample: a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  Resource: win10v2004-20250314-en
General
Target: a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Size: 5.0MB
MD5: 77ca2815ab23eac7d6cf72e6fb7a4871
SHA1: 413e668869fe4a5b5833a45e47a8208ad2cc10ee
SHA256: a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164
SHA512: 35000b5b6d068bf7f3979b219dcdba183f90d34cfff75eb4bc941797505569d714935f7be495944173323c6258b7b16c29a76d55559e66b524b523fd8d5296a3
SSDEEP: 98304:sfUbLyFhZSspAtvVGY+8ATnSkrM64DlWl6UHrn6hOxUdyWMh:sfUyhT0cY5on7rZ4BWl6ULn6QCZu
Malware Config
Extracted
rhadamanthys
https://94.156.8.83:4785/531f751d32a6cfcb/fdl16fq7.j6l1q
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Rhadamanthys family

Executes dropped EXE (3 IoCs)
  PID 1632  a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  PID 2252  RttHlp.exe
  PID 2752  RttHlp.exe

Loads dropped DLL (12 IoCs)
  PID 1112  a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  PID 1632  a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe (3 entries)
  PID 2252  RttHlp.exe (5 entries)
  PID 2752  RttHlp.exe (3 entries)

Suspicious use of SetThreadContext (1 IoC)
  PID 2752 (RttHlp.exe) set thread context of PID 2224 (procid_target 34)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RttHlp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RttHlp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2252  RttHlp.exe
  PID 2752  RttHlp.exe (2 entries)
  PID 2224  cmd.exe (2 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2752  RttHlp.exe
  PID 2224  cmd.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1112 (a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe) wrote to memory of PID 1632, procid_target 30 (7 entries)
  PID 1632 (a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe) wrote to memory of PID 2252, procid_target 32 (4 entries)
  PID 2252 (RttHlp.exe) wrote to memory of PID 2752, procid_target 33 (4 entries)
  PID 2752 (RttHlp.exe) wrote to memory of PID 2224, procid_target 34 (5 entries)
  PID 2224 (cmd.exe) wrote to memory of PID 1836, procid_target 36 (5 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe"
    PID: 1112
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
      Command line: "C:\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      PID: 1632
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\RttHlp.exe
        Command line: "C:\Windows\Temp\{EF6C8A41-0D81-4AF3-985E-66CA693FF7B6}\.ba\RttHlp.exe"
        PID: 2252
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe
          Command line: "C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe"
          PID: 2752
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\SysWOW64\cmd.exe
            PID: 2224
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\explorer.exe
              Command line: C:\Windows\SysWOW64\explorer.exe
              PID: 1836
              - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: ca668b905be1aa70efe6258a3fe1b1c2
SHA1: fe8e0b72104c5bf977951720482314a65d6f3a50
SHA256: 96e9c773b765ed6cb9bcfc7ca300439bb913b2fa5bbdfd0dd48ee8e8390733ba
SHA512: 7ab58520b3ee37791defa1f6053d554a7f6294b4a0a9748131133adaf85e1c9d6502228fd1d9b4e5390b3db5973998c2f216eacfc082e1750bc3becb9bbe85ee

Filesize: 1.0MB
MD5: fe6fde51e5f2397667f8b9424968f55b
SHA1: 293154bfda2fd9a882aa39be5da32e8057820130
SHA256: 87550210bd083496cd991c90dbc6bdb89ee8bf5873f8d8fad8e255c6fc4a5f54
SHA512: c5d402464181555e39163432a672a64976bbfc4408a699e6c03e6d86eef08acf8cbc91546591587378c1cdda0ccf28b5c685368acc2825c569defd44dd9c3870

Filesize: 922KB
MD5: 4b05303b9e4d729e3b108b21f590c545
SHA1: 43b7ebd1994c55d20efe4a40af7296b368d3470b
SHA256: a89a15a940e32494a339d74546f14d42af9c7541d491442ef774423755592f0e
SHA512: f22077b6e044f7b4b63d129c2a75969fcacf77c4f8c2cde4b87ecba593b5642640ce64a937dcc0628d0efbdedb02f6c6ae10ca3caa5a15eed83d17a78829a292

Filesize: 1.1MB
MD5: adf82ed333fb5567f8097c7235b0e17f
SHA1: e6ccaf016fc45edcdadeb40da64c207ddb33859f
SHA256: d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
SHA512: 2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Filesize: 85KB
MD5: bcc468a592298d4063a354a9a190878c
SHA1: 6ea1c4a46b4e03036b338c38d2455fb97ea82a7a
SHA256: c69149e6e6e271f7655381ccd513f91eba0f57a2b20b8c4bfbc01a0ca769fc20
SHA512: 3ba6c7100c69fb83db20c80c66b6cd682e68ad4960954ffafb181e109612723474f1f36413c6d6cf7c14ba367f56443aaa26470c089f5e271f75cfa46ba3eab2

Filesize: 1.9MB
MD5: c594d746ff6c99d140b5e8da97f12fd4
SHA1: f21742707c5f3fee776f98641f36bd755e24a7b0
SHA256: 572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec
SHA512: 33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

\Windows\Temp\{E0B94CD1-0BE0-4447-921A-09C1724DCC49}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Filesize: 5.0MB
MD5: 58f5ba535531f592d76b432c078885fc
SHA1: 9b9db1ce6d16e40c5c8460efe58a5654a3a48e94
SHA256: 078434dbd2e2109eae624900cabbb3b21dc3047ccfcabdd9acedfbdfbc55154f
SHA512: f2ee06c7f52a263d3e2804feaf9bbc45b9fee23873b94ecd506e64b14a0b33b383a04c371a6778c64d3142e2e70a133444f499b1bded07576303d18c0b64dd78

Filesize: 3.5MB
MD5: 9546061d235523ef31f88faff2b6c212
SHA1: 3c9110c6ae4a8aa973e5b2eef088f7e4f73a2382
SHA256: 7f9d6a7e9ac4789e4addb1e8480f9a7e184ab6fd88d26c97cf904e71345be7ed
SHA512: 9794138a67bf6efd90db78526de8083d4c0d02ffa19083ef99ab1f49c69aa80dde7946a9143f37cde53c65447929bbdb0d47bb9eaa1a25b78315ebcd0f02f1e9

Filesize: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83