rhadamanthys | 35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe
Size

934KB
MD5

7def16e0ceea0ad69d53e0e636541dd9
SHA1

92080bb5ad272cf69f69aa0588856cda4b4b1c28
SHA256

35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297
SHA512

9616fb69ed3fd6d59ae060a671c5af86f0d7e1a4e6f8436a9c7244928a2bb1f0a76ec4f1968f77180141493c16a4e1090faf8786ead929c3bd3812f2e09e596a
SSDEEP

24576:gbVB9BI+CacE07NGWx1G0MEL2XH09GIGiSUS00dpf:qVrIacF7dnMBXU9GIzSUlypf

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://188.208.197.140:5906/9c546e1bf3c6b5dc20/a3523sr9.121ks

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 832 created 1212	832	Cheers.pif	21

Executes dropped EXE 1 IoCs

pid	Process
832	Cheers.pif

Loads dropped DLL 1 IoCs

pid	Process
2228	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2756	tasklist.exe
2680	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheers.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	cmd.exe
1952	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1952	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif
2132	dialer.exe
2132	dialer.exe
2132	dialer.exe
2132	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
832	Cheers.pif
832	Cheers.pif
832	Cheers.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2228	2816	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	30
PID 2816 wrote to memory of 2228	2816	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	30
PID 2816 wrote to memory of 2228	2816	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	30
PID 2816 wrote to memory of 2228	2816	35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe	30
PID 2228 wrote to memory of 2756	2228	cmd.exe	32
PID 2228 wrote to memory of 2756	2228	cmd.exe	32
PID 2228 wrote to memory of 2756	2228	cmd.exe	32
PID 2228 wrote to memory of 2756	2228	cmd.exe	32
PID 2228 wrote to memory of 2948	2228	cmd.exe	33
PID 2228 wrote to memory of 2948	2228	cmd.exe	33
PID 2228 wrote to memory of 2948	2228	cmd.exe	33
PID 2228 wrote to memory of 2948	2228	cmd.exe	33
PID 2228 wrote to memory of 2680	2228	cmd.exe	35
PID 2228 wrote to memory of 2680	2228	cmd.exe	35
PID 2228 wrote to memory of 2680	2228	cmd.exe	35
PID 2228 wrote to memory of 2680	2228	cmd.exe	35
PID 2228 wrote to memory of 2688	2228	cmd.exe	36
PID 2228 wrote to memory of 2688	2228	cmd.exe	36
PID 2228 wrote to memory of 2688	2228	cmd.exe	36
PID 2228 wrote to memory of 2688	2228	cmd.exe	36
PID 2228 wrote to memory of 2112	2228	cmd.exe	37
PID 2228 wrote to memory of 2112	2228	cmd.exe	37
PID 2228 wrote to memory of 2112	2228	cmd.exe	37
PID 2228 wrote to memory of 2112	2228	cmd.exe	37
PID 2228 wrote to memory of 2096	2228	cmd.exe	38
PID 2228 wrote to memory of 2096	2228	cmd.exe	38
PID 2228 wrote to memory of 2096	2228	cmd.exe	38
PID 2228 wrote to memory of 2096	2228	cmd.exe	38
PID 2228 wrote to memory of 2380	2228	cmd.exe	39
PID 2228 wrote to memory of 2380	2228	cmd.exe	39
PID 2228 wrote to memory of 2380	2228	cmd.exe	39
PID 2228 wrote to memory of 2380	2228	cmd.exe	39
PID 2228 wrote to memory of 2644	2228	cmd.exe	40
PID 2228 wrote to memory of 2644	2228	cmd.exe	40
PID 2228 wrote to memory of 2644	2228	cmd.exe	40
PID 2228 wrote to memory of 2644	2228	cmd.exe	40
PID 2228 wrote to memory of 832	2228	cmd.exe	41
PID 2228 wrote to memory of 832	2228	cmd.exe	41
PID 2228 wrote to memory of 832	2228	cmd.exe	41
PID 2228 wrote to memory of 832	2228	cmd.exe	41
PID 2228 wrote to memory of 1952	2228	cmd.exe	42
PID 2228 wrote to memory of 1952	2228	cmd.exe	42
PID 2228 wrote to memory of 1952	2228	cmd.exe	42
PID 2228 wrote to memory of 1952	2228	cmd.exe	42
PID 832 wrote to memory of 2132	832	Cheers.pif	43
PID 832 wrote to memory of 2132	832	Cheers.pif	43
PID 832 wrote to memory of 2132	832	Cheers.pif	43
PID 832 wrote to memory of 2132	832	Cheers.pif	43
PID 832 wrote to memory of 2132	832	Cheers.pif	43
PID 832 wrote to memory of 2132	832	Cheers.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe
  "C:\Users\Admin\AppData\Local\Temp\35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Observed Observed.bat && Observed.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 5290885
      4⤵
      System Location Discovery: System Language Discovery
      PID:2112
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AndreaAccessibleOriginallyElizabeth" Ons
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 5290885\Cheers.pif + Software + Cap + Typing + Cingular + Dominican 5290885\Cheers.pif
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Customs + Placing + Anatomy + Church 5290885\M
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\5290885\Cheers.pif
      5290885\Cheers.pif 5290885\M
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1952
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\5290885\Cheers.pif

Filesize
103B

MD5
9fb8e634ff869eec8cb42ab7af0b6fb5

SHA1
d7553a9bb0e28264e33ae55fd9f472b4b64370ba

SHA256
610a3efda69516655dd03cfc7d26224b2efe35934521af69fd9e96421fe1f3df

SHA512
76edab533503200b549171988f355176ba80a3976dc1ed3c74578b1da858fefd50bdc9bdee0418d4fa4543f7630a7b78fce7da758217627f71b2bd15fc773422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\5290885\M

Filesize
867KB

MD5
b18b385dc3c027bc4cd4362e23677edc

SHA1
65b09d44a81ca8528cf472f91e783a5199411f45

SHA256
c43b8b1a8b8ab1455009a1463c77166c87d21b5ded408a9b9d2eb91213e783de

SHA512
66889a43e26f37bd4ea756719c07e389c2292a2b971f7367c6779d63ba1de82f5509e62dbb5ab994b4d5e819614cb8a2051b21a7e7d5197e2067054314baa46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Anatomy

Filesize
268KB

MD5
3d0fe94011bfc11f960f3692773becf6

SHA1
eda278f584c80b7a5ec1a48c16c1453fd79d30fe

SHA256
f1e2acd5399b8fd82a7d3be16aba6cf70dd4f5fea82211979b89e6293b736e85

SHA512
4f15232e5966d2c024e929de468a4ff427d5ec714b15c3a19c55ce6c03342f01a4dd9784672aa3a4ec738db9c926727fc0108d36d751f2669b27837470bce0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cap

Filesize
152KB

MD5
d7b3e4a1f20444dd37b4ef305b6f8199

SHA1
bfd1d1bdff7c9d7e1ab6b46399252e94bbab8258

SHA256
b64c28e45770c23ba7b4cc1b80efd0edafaa0ad8109d3c9e340b45ae40565929

SHA512
24e83d25a23170f0d5c5f9f2afac13e72c017c98e443014e82a7b1b5a3a7aa9aafdfd795517e0a2b93bae2f742809c6a9e0627669c73dc3a8a0b57e9b2b8663a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Church

Filesize
113KB

MD5
b020ac666f105e582800755e46b87e54

SHA1
33c9afc7390f7fefe0b11ee2f9e32f8107d5ec21

SHA256
1713e9701d98f06a20391a048b2f5cb213b0ccf23f45df39df3cdbd55b23935c

SHA512
0d6c163717bef8e894cdf95b619ac1d7728bc1b88a2485606b1f2270d5c683caab7c4d693f467ec89d83a7ae34ca4e1afad1df3a7d25e8a7fc750826a89a59b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cingular

Filesize
262KB

MD5
5b18970d8c464ca95ef183c6eddf2c79

SHA1
30f9ef49ce58ded149dd60a32359052c7fda6b25

SHA256
53a87d85121c6e590a928d3fae1f72ab3c266c980cc6a89f39cd74a2127d6b1e

SHA512
2f636bb7527a194467ce15046d9bf1368fca37a9b160c22aeb022a1c15a0c6cbf978373fb6d59ac692c9e7de37310c9fcc9f26c1c1d54ecace41f94ccc5fedbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Customs

Filesize
239KB

MD5
4c4ea6968e54f5f5c4c254587fee63dc

SHA1
d21927f93dfb1626405cf09f3379d6bc7dd8a505

SHA256
3a6b764666b1675287f39a952e072fcd41332b4d0ce2b4e59a96aa5a27af8707

SHA512
8b3f479dd3accfffe0235f2a3e102c306c288788d533ae78f9b8d8bbd95f36a4a613f6c1c1f2443566e17971c6116274b8b901b83608a6189e4d4927e47e42b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dominican

Filesize
137KB

MD5
3c699f1767c677adfed1c113de6d184f

SHA1
ca15988fb3c81b6b4e0d7c5914e0bb2e07b35d1b

SHA256
740648b4a35012828dc95ef4258677d80659d820461ccfc9f98216facf0fea9a

SHA512
9ba925d63f2f9c0dbb244d6cea56d4bfd0b39de973e9c68c743ef6a1014c2a72b93072606af17bc770a837320c3cf8dc5f51976389cd599922c7b668d263c2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Observed

Filesize
25KB

MD5
ad5b9509809e2c43efd8e4e0cbb697aa

SHA1
440d24a228fd1a0b125d535e55b887713b237f37

SHA256
eb882bf341c37bcd1c625e156f33db1b338d0e435aa074fa379cc3e73d6d9dad

SHA512
553bf92ac85b4b5ce9605fd0630e9f0396f282ece3f2cd4c0741cfd2b29acdb2246c7df749b0ae6d0d7cd3327f0fd34588ab205659f7cdd91a43e92b34dcd695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ons

Filesize
140B

MD5
61bab20dd66e4690943a6165fd4ff9ca

SHA1
01237b42f749d18c2529aa6233349ecc5de29db2

SHA256
4dab1074edd81fc8d7b5c1e989b025f96ff09ae42e58934668bcc2f696a167c9

SHA512
9419cde00c25107d5ea4dd683b43d437fb508b951f5d7fbe919169724218b8bb13f2e91b3068f7a31433c3b899e9ae26e18cf94f9a9468ac5624efaa8c8f2ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Placing

Filesize
247KB

MD5
b68df1f6cc55a943bd8bd6a1ba4baeb2

SHA1
ed2f9c007bef6a9e8d52aba49704b56c9babea6d

SHA256
fdd8a7a40fdee48bd3a93b70e27c8efbb1aa860e2f7f587e1eecacbee3d6dd68

SHA512
0f622f1d33bcbe46483fa9f578eaa845e49c3617d6f0c76f46d2a32bf33e350a74bb44b4b0c43ddb25fa9f808de763d49f2af37072748b3f98010a8eb6ded273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Software

Filesize
101KB

MD5
722238ba226d0e01df25a8d6e95d609f

SHA1
2f5e912ff0660bdc3f85ccf6d61bcb10fab8edef

SHA256
00559112065d90d8ba296b46949907ea4141c19323e999670a918bd50c5ae162

SHA512
3200e2063b157198c62a69fce4435d1c139c6e7b7f00e0a8e0d05fb0bf54fc886adeea0a2a4e4e8ec055ae0c94eabb1867e6d019920aade7ccef33e91e3be042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Typing

Filesize
220KB

MD5
f0c0d7aff4f13ac8f3c247cb9fca2943

SHA1
94b642aa412319f2bfd814fefefa1b66c9fd7cc7

SHA256
2e933f3194ac2649b3f2c3f0289174b787ef71314143d63980b4d0c3ca698582

SHA512
36f1296f06acccfb3d621aaaf60ea24b354633568b0a946b2f2239e0e61f62dac2f6c418f1b9d2512572b308f176eeb657d479e1448bc330c63b9b01ae585b39

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\5290885\Cheers.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/832-30-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-32-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-31-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-36-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-35-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-34-0x0000000004520000-0x000000000458D000-memory.dmp

Filesize
436KB

Download
memory/832-37-0x0000000005620000-0x0000000005A20000-memory.dmp

Filesize
4.0MB

Download
memory/832-38-0x0000000005620000-0x0000000005A20000-memory.dmp

Filesize
4.0MB

Download
memory/832-39-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/832-41-0x0000000076BD0000-0x0000000076C17000-memory.dmp

Filesize
284KB

Download
memory/2132-42-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2132-44-0x0000000001E60000-0x0000000002260000-memory.dmp

Filesize
4.0MB

Download
memory/2132-45-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/2132-47-0x0000000076BD0000-0x0000000076C17000-memory.dmp

Filesize
284KB

Download