rhadamanthys | 66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d

Analysis

max time kernel
240s
max time network
245s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
Size

935KB
MD5

e4fbe0286a7802d4a7cd91a3d55d9f3c
SHA1

320869f193d91388ae4c2337a91d7545ca0a201a
SHA256

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d
SHA512

36acfe26eded83721d7d35d9441342ea8e6a61da20ded05493e4cf9a88995ad52dedbd81229f3d31f670adf058b3e1696e8359af60e59dca8db847cd54daad9b
SSDEEP

24576:GbTeCswwSe/fDyBvSGy45nJtYsf8J7f7VvgWncL3f5llrINn9Ra7I7:8vdwH/LyBvg+JKsf8JzFgWcDf5m9M7m

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.8.103:2055/efc85e6acdfc3a785/r5erbrlf.2oeme

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2696 created 1220	2696	Ent.pif	21

Executes dropped EXE 1 IoCs

pid	Process
2696	Ent.pif

Loads dropped DLL 1 IoCs

pid	Process
1632	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2760	tasklist.exe
3028	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ent.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2648	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2696	Ent.pif
2696	Ent.pif
2696	Ent.pif
2696	Ent.pif
2696	Ent.pif
3004	dialer.exe
3004	dialer.exe
3004	dialer.exe
3004	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	3028	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2696	Ent.pif
2696	Ent.pif
2696	Ent.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2696	Ent.pif
2696	Ent.pif
2696	Ent.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1632	1056	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	29
PID 1056 wrote to memory of 1632	1056	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	29
PID 1056 wrote to memory of 1632	1056	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	29
PID 1056 wrote to memory of 1632	1056	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	29
PID 1632 wrote to memory of 2760	1632	cmd.exe	31
PID 1632 wrote to memory of 2760	1632	cmd.exe	31
PID 1632 wrote to memory of 2760	1632	cmd.exe	31
PID 1632 wrote to memory of 2760	1632	cmd.exe	31
PID 1632 wrote to memory of 2852	1632	cmd.exe	32
PID 1632 wrote to memory of 2852	1632	cmd.exe	32
PID 1632 wrote to memory of 2852	1632	cmd.exe	32
PID 1632 wrote to memory of 2852	1632	cmd.exe	32
PID 1632 wrote to memory of 3028	1632	cmd.exe	34
PID 1632 wrote to memory of 3028	1632	cmd.exe	34
PID 1632 wrote to memory of 3028	1632	cmd.exe	34
PID 1632 wrote to memory of 3028	1632	cmd.exe	34
PID 1632 wrote to memory of 2764	1632	cmd.exe	35
PID 1632 wrote to memory of 2764	1632	cmd.exe	35
PID 1632 wrote to memory of 2764	1632	cmd.exe	35
PID 1632 wrote to memory of 2764	1632	cmd.exe	35
PID 1632 wrote to memory of 2916	1632	cmd.exe	36
PID 1632 wrote to memory of 2916	1632	cmd.exe	36
PID 1632 wrote to memory of 2916	1632	cmd.exe	36
PID 1632 wrote to memory of 2916	1632	cmd.exe	36
PID 1632 wrote to memory of 2792	1632	cmd.exe	37
PID 1632 wrote to memory of 2792	1632	cmd.exe	37
PID 1632 wrote to memory of 2792	1632	cmd.exe	37
PID 1632 wrote to memory of 2792	1632	cmd.exe	37
PID 1632 wrote to memory of 2796	1632	cmd.exe	38
PID 1632 wrote to memory of 2796	1632	cmd.exe	38
PID 1632 wrote to memory of 2796	1632	cmd.exe	38
PID 1632 wrote to memory of 2796	1632	cmd.exe	38
PID 1632 wrote to memory of 2696	1632	cmd.exe	39
PID 1632 wrote to memory of 2696	1632	cmd.exe	39
PID 1632 wrote to memory of 2696	1632	cmd.exe	39
PID 1632 wrote to memory of 2696	1632	cmd.exe	39
PID 1632 wrote to memory of 2648	1632	cmd.exe	40
PID 1632 wrote to memory of 2648	1632	cmd.exe	40
PID 1632 wrote to memory of 2648	1632	cmd.exe	40
PID 1632 wrote to memory of 2648	1632	cmd.exe	40
PID 2696 wrote to memory of 3004	2696	Ent.pif	41
PID 2696 wrote to memory of 3004	2696	Ent.pif	41
PID 2696 wrote to memory of 3004	2696	Ent.pif	41
PID 2696 wrote to memory of 3004	2696	Ent.pif	41
PID 2696 wrote to memory of 3004	2696	Ent.pif	41
PID 2696 wrote to memory of 3004	2696	Ent.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
  "C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Legislative Legislative.bat && Legislative.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 1141
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "HOPEDRETURNREVENGEDELAYED" Life
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Would + Interstate + Documentcreatetextnode + Lifestyle 1141\r
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1141\Ent.pif
      1141\Ent.pif 1141\r
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2648
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1141\r

Filesize
884KB

MD5
96fb4955f0be2a74b566336d363c0cf7

SHA1
ebe07c83ee0529f2fdb1f68782c10db1c337f2d7

SHA256
88ff557c3a950ff880e44f29f90e7da3f089859564c4a1d2ef557caf834acfb1

SHA512
b0c8b639688887e1a75abd665c15f022c478c6ca7f8f0909ecaa5483da81c46b5d4e25449d4511c9cd3e6dea8d93d8d947b13247583bcb580e825d01d6b772e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Documentcreatetextnode

Filesize
227KB

MD5
d69760b152bfa02a204037910a82af49

SHA1
eeaf6fc3c34d38acaa84f2f352401a750d434358

SHA256
48c659b35aa7ca443ddebe96c1b8d5f5527b5a7fee965d9bd89d5a37e5898005

SHA512
11e5581ce53007231f04229965cf6c2b7eab159737f7a42e65684a5255e1e2dc29865a259253077b892c2fc48cc597a936404b2672cbc59e6d457ede213bcaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eminem

Filesize
18KB

MD5
596b8ecdbc8e0f011dfe85af7411dd18

SHA1
89b67e0cade851dbc83b67dccda250d80215dbf2

SHA256
8fbae4a3b2128397534b035fd010967ebe3ecb67403324e782e2781529df946d

SHA512
5d78918719d70e9699010dfb01fb5f145b9460672dc05e51414ca4b53eff42fbcf1bc642a42a2cf27cbf7b7e4eb57935418cf44ea96b9096b15f54e80b151dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fly

Filesize
246KB

MD5
fa7db9b5000c991b67a79b15fda39aba

SHA1
617cdbccc0579f79405022127506a446b9210ab2

SHA256
d6e76247b9145e33387ce0aef49a6540f74c3e86934b86df3801005bd50acec3

SHA512
5ec668d0b93922a835c90077f64939882973973088c9a6559260f233d49d2fd0e90149ec80d1e2870d3fd2dbc5d802cc5c584eb302f6f2d0460592e76bae45b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Interstate

Filesize
228KB

MD5
4d12a68c93c9c812e5d773f34cc0f34c

SHA1
82c4417cdab26c51ab504a5575cb830a72cb4109

SHA256
a357856aca612a451706906b80059d4849165191f476b1e6d6cab94443a71aa7

SHA512
66df8f2b58e75587478fec5c281f04c28e0af0e0a4bd4343296131dfcce0948a863d305b9a0b0a584d102a74312a9c5c9a491a9e16c1ef7d4e4e13fb9ba09873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Invite

Filesize
62KB

MD5
85b7677a3b8f96b14664013d215b806b

SHA1
29690789d7e3a4b577809d728a7fb0a7b794b03c

SHA256
1397f24c2a9f41208024a1fd6ee11d825b780626b606fb2f32998443c7be415e

SHA512
2438ef98e33d004474f32134b921482c46e2d8f73362699c3e28a718d82c04f37abac41ef5a106b0c94167257922542d0eece0b0a264fb981148f26a35410622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Legislative

Filesize
29KB

MD5
7835e82b306158158296241ae8c9bcc8

SHA1
c833574a2b85a363088cf3a154297381ed399262

SHA256
88761cfbe7839c89939ac085f8b3b2dbf563e79e041173255130d63340be28c3

SHA512
8ab937a07ebce76e36899c1c124c09c52920fb75d59b417937545013bde256f3c108432bc594ea8e682d45aa78d041c5c0d531e975d2542c53f8256164d65cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Life

Filesize
95B

MD5
9730be7ca992763ce7e46a31bf891f9d

SHA1
7653922a59ff43a09a2df8f0d4be3e959923c7cc

SHA256
ff2e1c3901a0f928bc18302c2f138866f183e6ebea4118cd254723d2addb3bfd

SHA512
9602339d3b56019ce98224c2a03730c58b94f8f85d30b3ce05249ae45b0efb3fefa4c9cfbf5978d445cbaf01a364bd9c2beaabfff062e220dfe1efb1d1b89143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lifestyle

Filesize
216KB

MD5
d11334e857587fed4083f21f1aad0832

SHA1
5a14a3b025c4b88914a85b731503d674328ea494

SHA256
b1f1d6dec9e24797161d8159fe78b1e2664431904c7de6c39bfa3043bdc192ff

SHA512
c347d4daeb23ae3068ab0ff441483fe5ca2b6cb7abe6d0e1dc21706c35e0cc4fa94f0c89177af575dfd257ba7d59ab4586c9425202dd2eb67974204f6adfc19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lit

Filesize
67KB

MD5
4b67a1dce52ac959384f18d92d4cea33

SHA1
71741326e1d30f80bc4d93df83678e8137695e8d

SHA256
f45ce9898b27b528deb4797dbc360dbd61abf0bc6706909bea1aaf7bc6ceb5b3

SHA512
fb45144ccf35ea68fd258ae14591502922e8046db12d22692a00e46c61cfe80c77e5fb63d1d1062dd9081928055797e6a98d042ae7f4367a2b832729f6346a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Protect

Filesize
16KB

MD5
2992415204f328038c186bdb7ba5ae86

SHA1
fb0dc067051315a81ec9f60a180e60c6f543cb26

SHA256
9b4e34f7125ef28f7aa04cdfb88359fbcad7b6657b88ab17d8bcf2a059c6bd4c

SHA512
d1884ea3ebade1dbfd22392c78b7ddb23b183df181e5f8383845c7ffd046f64be581a125ee8372424ca9fbf27fd36d1055fd4e0f3944b901831d14f02cb64885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Record

Filesize
164KB

MD5
2a397d51da3949fe228dbd3438233a29

SHA1
0f5e7aabffdcee7069243ae0837fe591e20b4752

SHA256
6c0efe34e2d39f7132d9771ccb264f8e04658a3be47b20884a372fe6cba0e1c0

SHA512
b33338bf8b4e9aa171987776dcd199b4420742fadd8dd4cda10f9a38a40c44166c48f1fdc21ee6dbab70f24f566eb1f12fc4604b1c96785f2fc4544dbe5f63f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rome

Filesize
53KB

MD5
bb5aaeb374f59a4203c2f6d11502978c

SHA1
07801c312468601289eb0b3c1dc2993ce910c0eb

SHA256
06fdf3480808187764fe12263003716492d7ab5d01671c290be3bdd1b56efb26

SHA512
1c0c496d59eb2c990e9320f196c5dee0c0db97409ddad3f522da0e483cd9865efe0e76f3f21419d1c3ca8d457f7c6bf1c4c2d066642029920f2cd8108b8b6891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Southampton

Filesize
246KB

MD5
f87c8703ee712dc6ef0aaa968ea2eaae

SHA1
a4aef7e9f12e96e475cdad4c0e23e77e30fe7c60

SHA256
f1c45d16156c7ee2db1082b1c0f4a092ba23dcf6a021ebe3ccea7d9e9494358a

SHA512
d4eee768fe4e89f23b023d487fb522f0ed85e23970615e7169b88fce1c93670f6b3cac0f08dad9d15e6604858c4d25fd211b0eb96f002f73c064fee830455cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Would

Filesize
213KB

MD5
c0a4f917f959c0099ff4341a6f9178e4

SHA1
50b15915c04f02ad905d7fc3faefad4899e3eb74

SHA256
0915f627a18a4bf6b142829d81d1d013a98ccd27f9b16b33967bb0a5b0cc39b8

SHA512
575d03749b42ea2deeff55d5c383696b69a1b6280e3e62e08ed41be130446b052a4daa0a3f4b1e2f2bb751e58a3f82d75d61d89b10165c7b540c5a60855f4d72

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1141\Ent.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2696-37-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-38-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-43-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-42-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-41-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-39-0x0000000003B10000-0x0000000003B7D000-memory.dmp

Filesize
436KB

Download
memory/2696-44-0x00000000055C0000-0x00000000059C0000-memory.dmp

Filesize
4.0MB

Download
memory/2696-45-0x00000000055C0000-0x00000000059C0000-memory.dmp

Filesize
4.0MB

Download
memory/2696-46-0x0000000077C90000-0x0000000077E39000-memory.dmp

Filesize
1.7MB

Download
memory/2696-48-0x0000000077300000-0x0000000077347000-memory.dmp

Filesize
284KB

Download
memory/3004-49-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/3004-51-0x0000000001EB0000-0x00000000022B0000-memory.dmp

Filesize
4.0MB

Download
memory/3004-55-0x0000000077300000-0x0000000077347000-memory.dmp

Filesize
284KB

Download
memory/3004-53-0x0000000077C90000-0x0000000077E39000-memory.dmp

Filesize
1.7MB

Download