rhadamanthys | a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164

Analysis

max time kernel
106s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Size

5.0MB
MD5

77ca2815ab23eac7d6cf72e6fb7a4871
SHA1

413e668869fe4a5b5833a45e47a8208ad2cc10ee
SHA256

a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164
SHA512

35000b5b6d068bf7f3979b219dcdba183f90d34cfff75eb4bc941797505569d714935f7be495944173323c6258b7b16c29a76d55559e66b524b523fd8d5296a3
SSDEEP

98304:sfUbLyFhZSspAtvVGY+8ATnSkrM64DlWl6UHrn6hOxUdyWMh:sfUyhT0cY5on7rZ4BWl6ULn6QCZu

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.8.83:4785/531f751d32a6cfcb/fdl16fq7.j6l1q

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3968 created 2988	3968	explorer.exe	51

Executes dropped EXE 3 IoCs

pid	Process
3828	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
4552	RttHlp.exe
2528	RttHlp.exe

Loads dropped DLL 12 IoCs

pid	Process
3828	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
4552	RttHlp.exe
4552	RttHlp.exe
4552	RttHlp.exe
4552	RttHlp.exe
4552	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 4820	2528	RttHlp.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4552	RttHlp.exe
2528	RttHlp.exe
2528	RttHlp.exe
4820	cmd.exe
4820	cmd.exe
3968	explorer.exe
3968	explorer.exe
2248	dialer.exe
2248	dialer.exe
2248	dialer.exe
2248	dialer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2528	RttHlp.exe
4820	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3828	3848	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	87
PID 3848 wrote to memory of 3828	3848	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	87
PID 3848 wrote to memory of 3828	3848	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	87
PID 3828 wrote to memory of 4552	3828	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	90
PID 3828 wrote to memory of 4552	3828	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	90
PID 3828 wrote to memory of 4552	3828	a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe	90
PID 4552 wrote to memory of 2528	4552	RttHlp.exe	91
PID 4552 wrote to memory of 2528	4552	RttHlp.exe	91
PID 4552 wrote to memory of 2528	4552	RttHlp.exe	91
PID 2528 wrote to memory of 4820	2528	RttHlp.exe	92
PID 2528 wrote to memory of 4820	2528	RttHlp.exe	92
PID 2528 wrote to memory of 4820	2528	RttHlp.exe	92
PID 2528 wrote to memory of 4820	2528	RttHlp.exe	92
PID 4820 wrote to memory of 3968	4820	cmd.exe	97
PID 4820 wrote to memory of 3968	4820	cmd.exe	97
PID 4820 wrote to memory of 3968	4820	cmd.exe	97
PID 4820 wrote to memory of 3968	4820	cmd.exe	97
PID 3968 wrote to memory of 2248	3968	explorer.exe	98
PID 3968 wrote to memory of 2248	3968	explorer.exe	98
PID 3968 wrote to memory of 2248	3968	explorer.exe	98
PID 3968 wrote to memory of 2248	3968	explorer.exe	98
PID 3968 wrote to memory of 2248	3968	explorer.exe	98

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2988
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2248

C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
"C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\Temp\{C9B86CE6-2DE4-4331-B84E-7632EA7DE21C}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe
  "C:\Windows\Temp\{C9B86CE6-2DE4-4331-B84E-7632EA7DE21C}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe" -burn.filehandle.attached=692 -burn.filehandle.self=696
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\RttHlp.exe
    "C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\RttHlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe
      "C:\Users\Admin\AppData\Roaming\hostPower_dbg_v4\RttHlp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83ac9396

Filesize
1.0MB

MD5
27873392ea81dd03e666897cf1ad1f7a

SHA1
6790b2aebb0a9e4c1340a69472e01a204bc9b77b

SHA256
dc6069f8a707c0748e89e53a2ea76e7707618f83b3978199468cbff9521ad7f7

SHA512
3c1a9da64fc348a281e08a7081ba55d4531eedf4c720ef7dd37c7ebe023a985a2d0e2df96e919836a011ba4462a414ea7e8b340ed9f35c6c9f8814af0c5e9583

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\Divestiture.dll

Filesize
3.5MB

MD5
9546061d235523ef31f88faff2b6c212

SHA1
3c9110c6ae4a8aa973e5b2eef088f7e4f73a2382

SHA256
7f9d6a7e9ac4789e4addb1e8480f9a7e184ab6fd88d26c97cf904e71345be7ed

SHA512
9794138a67bf6efd90db78526de8083d4c0d02ffa19083ef99ab1f49c69aa80dde7946a9143f37cde53c65447929bbdb0d47bb9eaa1a25b78315ebcd0f02f1e9

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\Register.dll

Filesize
1.0MB

MD5
fe6fde51e5f2397667f8b9424968f55b

SHA1
293154bfda2fd9a882aa39be5da32e8057820130

SHA256
87550210bd083496cd991c90dbc6bdb89ee8bf5873f8d8fad8e255c6fc4a5f54

SHA512
c5d402464181555e39163432a672a64976bbfc4408a699e6c03e6d86eef08acf8cbc91546591587378c1cdda0ccf28b5c685368acc2825c569defd44dd9c3870

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\hypha.rpm

Filesize
922KB

MD5
4b05303b9e4d729e3b108b21f590c545

SHA1
43b7ebd1994c55d20efe4a40af7296b368d3470b

SHA256
a89a15a940e32494a339d74546f14d42af9c7541d491442ef774423755592f0e

SHA512
f22077b6e044f7b4b63d129c2a75969fcacf77c4f8c2cde4b87ecba593b5642640ce64a937dcc0628d0efbdedb02f6c6ae10ca3caa5a15eed83d17a78829a292

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\squirearch.db

Filesize
85KB

MD5
bcc468a592298d4063a354a9a190878c

SHA1
6ea1c4a46b4e03036b338c38d2455fb97ea82a7a

SHA256
c69149e6e6e271f7655381ccd513f91eba0f57a2b20b8c4bfbc01a0ca769fc20

SHA512
3ba6c7100c69fb83db20c80c66b6cd682e68ad4960954ffafb181e109612723474f1f36413c6d6cf7c14ba367f56443aaa26470c089f5e271f75cfa46ba3eab2

Download Submit
C:\Windows\Temp\{21D89A29-F110-46D4-A6D9-4B72DBF832E0}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
C:\Windows\Temp\{C9B86CE6-2DE4-4331-B84E-7632EA7DE21C}\.cr\a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164.exe

Filesize
5.0MB

MD5
58f5ba535531f592d76b432c078885fc

SHA1
9b9db1ce6d16e40c5c8460efe58a5654a3a48e94

SHA256
078434dbd2e2109eae624900cabbb3b21dc3047ccfcabdd9acedfbdfbc55154f

SHA512
f2ee06c7f52a263d3e2804feaf9bbc45b9fee23873b94ecd506e64b14a0b33b383a04c371a6778c64d3142e2e70a133444f499b1bded07576303d18c0b64dd78

Download Submit
memory/2248-83-0x00007FFC67910000-0x00007FFC67B05000-memory.dmp

Filesize
2.0MB

Download
memory/2248-85-0x00000000770D0000-0x00000000772E5000-memory.dmp

Filesize
2.1MB

Download
memory/2248-78-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/2248-82-0x00000000023E0000-0x00000000027E0000-memory.dmp

Filesize
4.0MB

Download
memory/2528-57-0x00007FFC67910000-0x00007FFC67B05000-memory.dmp

Filesize
2.0MB

Download
memory/2528-62-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2528-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-53-0x00000000026E0000-0x00000000027EF000-memory.dmp

Filesize
1.1MB

Download
memory/2528-56-0x0000000075140000-0x00000000752BB000-memory.dmp

Filesize
1.5MB

Download
memory/2528-61-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2528-58-0x0000000075140000-0x00000000752BB000-memory.dmp

Filesize
1.5MB

Download
memory/2528-63-0x00000000026E0000-0x00000000027EF000-memory.dmp

Filesize
1.1MB

Download
memory/3968-80-0x0000000000310000-0x000000000037E000-memory.dmp

Filesize
440KB

Download
memory/3968-70-0x00007FFC67910000-0x00007FFC67B05000-memory.dmp

Filesize
2.0MB

Download
memory/3968-77-0x00000000770D0000-0x00000000772E5000-memory.dmp

Filesize
2.1MB

Download
memory/3968-74-0x0000000004050000-0x0000000004450000-memory.dmp

Filesize
4.0MB

Download
memory/3968-73-0x0000000004050000-0x0000000004450000-memory.dmp

Filesize
4.0MB

Download
memory/3968-71-0x0000000000310000-0x000000000037E000-memory.dmp

Filesize
440KB

Download
memory/3968-69-0x0000000000310000-0x000000000037E000-memory.dmp

Filesize
440KB

Download
memory/4552-29-0x0000000073D80000-0x0000000073EFB000-memory.dmp

Filesize
1.5MB

Download
memory/4552-43-0x0000000002810000-0x000000000291F000-memory.dmp

Filesize
1.1MB

Download
memory/4552-40-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4552-30-0x00007FFC67910000-0x00007FFC67B05000-memory.dmp

Filesize
2.0MB

Download
memory/4552-41-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/4552-26-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4552-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4552-25-0x0000000002810000-0x000000000291F000-memory.dmp

Filesize
1.1MB

Download
memory/4820-67-0x0000000075140000-0x00000000752BB000-memory.dmp

Filesize
1.5MB

Download
memory/4820-65-0x00007FFC67910000-0x00007FFC67B05000-memory.dmp

Filesize
2.0MB

Download