rhadamanthys | 66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d

Analysis

max time kernel
104s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
Size

935KB
MD5

e4fbe0286a7802d4a7cd91a3d55d9f3c
SHA1

320869f193d91388ae4c2337a91d7545ca0a201a
SHA256

66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d
SHA512

36acfe26eded83721d7d35d9441342ea8e6a61da20ded05493e4cf9a88995ad52dedbd81229f3d31f670adf058b3e1696e8359af60e59dca8db847cd54daad9b
SSDEEP

24576:GbTeCswwSe/fDyBvSGy45nJtYsf8J7f7VvgWncL3f5llrINn9Ra7I7:8vdwH/LyBvg+JKsf8JzFgWcDf5m9M7m

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.8.103:2055/efc85e6acdfc3a785/r5erbrlf.2oeme

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6008 created 2548	6008	Ent.pif	42

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe

Executes dropped EXE 1 IoCs

pid	Process
6008	Ent.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5928	tasklist.exe
4592	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4860	6008	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ent.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4664	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif
2228	dialer.exe
2228	dialer.exe
2228	dialer.exe
2228	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5928	tasklist.exe
Token: SeDebugPrivilege	4592	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
6008	Ent.pif
6008	Ent.pif
6008	Ent.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 5196 wrote to memory of 4072	5196	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	88
PID 5196 wrote to memory of 4072	5196	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	88
PID 5196 wrote to memory of 4072	5196	66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe	88
PID 4072 wrote to memory of 5928	4072	cmd.exe	93
PID 4072 wrote to memory of 5928	4072	cmd.exe	93
PID 4072 wrote to memory of 5928	4072	cmd.exe	93
PID 4072 wrote to memory of 5936	4072	cmd.exe	94
PID 4072 wrote to memory of 5936	4072	cmd.exe	94
PID 4072 wrote to memory of 5936	4072	cmd.exe	94
PID 4072 wrote to memory of 4592	4072	cmd.exe	97
PID 4072 wrote to memory of 4592	4072	cmd.exe	97
PID 4072 wrote to memory of 4592	4072	cmd.exe	97
PID 4072 wrote to memory of 4604	4072	cmd.exe	98
PID 4072 wrote to memory of 4604	4072	cmd.exe	98
PID 4072 wrote to memory of 4604	4072	cmd.exe	98
PID 4072 wrote to memory of 4612	4072	cmd.exe	99
PID 4072 wrote to memory of 4612	4072	cmd.exe	99
PID 4072 wrote to memory of 4612	4072	cmd.exe	99
PID 4072 wrote to memory of 2196	4072	cmd.exe	100
PID 4072 wrote to memory of 2196	4072	cmd.exe	100
PID 4072 wrote to memory of 2196	4072	cmd.exe	100
PID 4072 wrote to memory of 4844	4072	cmd.exe	101
PID 4072 wrote to memory of 4844	4072	cmd.exe	101
PID 4072 wrote to memory of 4844	4072	cmd.exe	101
PID 4072 wrote to memory of 6008	4072	cmd.exe	102
PID 4072 wrote to memory of 6008	4072	cmd.exe	102
PID 4072 wrote to memory of 6008	4072	cmd.exe	102
PID 4072 wrote to memory of 4664	4072	cmd.exe	103
PID 4072 wrote to memory of 4664	4072	cmd.exe	103
PID 4072 wrote to memory of 4664	4072	cmd.exe	103
PID 6008 wrote to memory of 2228	6008	Ent.pif	107
PID 6008 wrote to memory of 2228	6008	Ent.pif	107
PID 6008 wrote to memory of 2228	6008	Ent.pif	107
PID 6008 wrote to memory of 2228	6008	Ent.pif	107
PID 6008 wrote to memory of 2228	6008	Ent.pif	107

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2548
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2228

C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe
"C:\Users\Admin\AppData\Local\Temp\66f138849b45ba75c5e99484739c990056387b676eeadf66e32f1f27dd6b9c6d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c move Legislative Legislative.bat && Legislative.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5936
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 1141
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "HOPEDRETURNREVENGEDELAYED" Life
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Would + Interstate + Documentcreatetextnode + Lifestyle 1141\r
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1141\Ent.pif
    1141\Ent.pif 1141\r
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:6008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 904
      4⤵
      Program crash
      PID:4860
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6008 -ip 6008
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1141\Ent.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1141\r

Filesize
884KB

MD5
96fb4955f0be2a74b566336d363c0cf7

SHA1
ebe07c83ee0529f2fdb1f68782c10db1c337f2d7

SHA256
88ff557c3a950ff880e44f29f90e7da3f089859564c4a1d2ef557caf834acfb1

SHA512
b0c8b639688887e1a75abd665c15f022c478c6ca7f8f0909ecaa5483da81c46b5d4e25449d4511c9cd3e6dea8d93d8d947b13247583bcb580e825d01d6b772e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Documentcreatetextnode

Filesize
227KB

MD5
d69760b152bfa02a204037910a82af49

SHA1
eeaf6fc3c34d38acaa84f2f352401a750d434358

SHA256
48c659b35aa7ca443ddebe96c1b8d5f5527b5a7fee965d9bd89d5a37e5898005

SHA512
11e5581ce53007231f04229965cf6c2b7eab159737f7a42e65684a5255e1e2dc29865a259253077b892c2fc48cc597a936404b2672cbc59e6d457ede213bcaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eminem

Filesize
18KB

MD5
596b8ecdbc8e0f011dfe85af7411dd18

SHA1
89b67e0cade851dbc83b67dccda250d80215dbf2

SHA256
8fbae4a3b2128397534b035fd010967ebe3ecb67403324e782e2781529df946d

SHA512
5d78918719d70e9699010dfb01fb5f145b9460672dc05e51414ca4b53eff42fbcf1bc642a42a2cf27cbf7b7e4eb57935418cf44ea96b9096b15f54e80b151dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fly

Filesize
246KB

MD5
fa7db9b5000c991b67a79b15fda39aba

SHA1
617cdbccc0579f79405022127506a446b9210ab2

SHA256
d6e76247b9145e33387ce0aef49a6540f74c3e86934b86df3801005bd50acec3

SHA512
5ec668d0b93922a835c90077f64939882973973088c9a6559260f233d49d2fd0e90149ec80d1e2870d3fd2dbc5d802cc5c584eb302f6f2d0460592e76bae45b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Interstate

Filesize
228KB

MD5
4d12a68c93c9c812e5d773f34cc0f34c

SHA1
82c4417cdab26c51ab504a5575cb830a72cb4109

SHA256
a357856aca612a451706906b80059d4849165191f476b1e6d6cab94443a71aa7

SHA512
66df8f2b58e75587478fec5c281f04c28e0af0e0a4bd4343296131dfcce0948a863d305b9a0b0a584d102a74312a9c5c9a491a9e16c1ef7d4e4e13fb9ba09873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Invite

Filesize
62KB

MD5
85b7677a3b8f96b14664013d215b806b

SHA1
29690789d7e3a4b577809d728a7fb0a7b794b03c

SHA256
1397f24c2a9f41208024a1fd6ee11d825b780626b606fb2f32998443c7be415e

SHA512
2438ef98e33d004474f32134b921482c46e2d8f73362699c3e28a718d82c04f37abac41ef5a106b0c94167257922542d0eece0b0a264fb981148f26a35410622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Legislative

Filesize
29KB

MD5
7835e82b306158158296241ae8c9bcc8

SHA1
c833574a2b85a363088cf3a154297381ed399262

SHA256
88761cfbe7839c89939ac085f8b3b2dbf563e79e041173255130d63340be28c3

SHA512
8ab937a07ebce76e36899c1c124c09c52920fb75d59b417937545013bde256f3c108432bc594ea8e682d45aa78d041c5c0d531e975d2542c53f8256164d65cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Life

Filesize
95B

MD5
9730be7ca992763ce7e46a31bf891f9d

SHA1
7653922a59ff43a09a2df8f0d4be3e959923c7cc

SHA256
ff2e1c3901a0f928bc18302c2f138866f183e6ebea4118cd254723d2addb3bfd

SHA512
9602339d3b56019ce98224c2a03730c58b94f8f85d30b3ce05249ae45b0efb3fefa4c9cfbf5978d445cbaf01a364bd9c2beaabfff062e220dfe1efb1d1b89143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lifestyle

Filesize
216KB

MD5
d11334e857587fed4083f21f1aad0832

SHA1
5a14a3b025c4b88914a85b731503d674328ea494

SHA256
b1f1d6dec9e24797161d8159fe78b1e2664431904c7de6c39bfa3043bdc192ff

SHA512
c347d4daeb23ae3068ab0ff441483fe5ca2b6cb7abe6d0e1dc21706c35e0cc4fa94f0c89177af575dfd257ba7d59ab4586c9425202dd2eb67974204f6adfc19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lit

Filesize
67KB

MD5
4b67a1dce52ac959384f18d92d4cea33

SHA1
71741326e1d30f80bc4d93df83678e8137695e8d

SHA256
f45ce9898b27b528deb4797dbc360dbd61abf0bc6706909bea1aaf7bc6ceb5b3

SHA512
fb45144ccf35ea68fd258ae14591502922e8046db12d22692a00e46c61cfe80c77e5fb63d1d1062dd9081928055797e6a98d042ae7f4367a2b832729f6346a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Protect

Filesize
16KB

MD5
2992415204f328038c186bdb7ba5ae86

SHA1
fb0dc067051315a81ec9f60a180e60c6f543cb26

SHA256
9b4e34f7125ef28f7aa04cdfb88359fbcad7b6657b88ab17d8bcf2a059c6bd4c

SHA512
d1884ea3ebade1dbfd22392c78b7ddb23b183df181e5f8383845c7ffd046f64be581a125ee8372424ca9fbf27fd36d1055fd4e0f3944b901831d14f02cb64885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Record

Filesize
164KB

MD5
2a397d51da3949fe228dbd3438233a29

SHA1
0f5e7aabffdcee7069243ae0837fe591e20b4752

SHA256
6c0efe34e2d39f7132d9771ccb264f8e04658a3be47b20884a372fe6cba0e1c0

SHA512
b33338bf8b4e9aa171987776dcd199b4420742fadd8dd4cda10f9a38a40c44166c48f1fdc21ee6dbab70f24f566eb1f12fc4604b1c96785f2fc4544dbe5f63f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rome

Filesize
53KB

MD5
bb5aaeb374f59a4203c2f6d11502978c

SHA1
07801c312468601289eb0b3c1dc2993ce910c0eb

SHA256
06fdf3480808187764fe12263003716492d7ab5d01671c290be3bdd1b56efb26

SHA512
1c0c496d59eb2c990e9320f196c5dee0c0db97409ddad3f522da0e483cd9865efe0e76f3f21419d1c3ca8d457f7c6bf1c4c2d066642029920f2cd8108b8b6891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Southampton

Filesize
246KB

MD5
f87c8703ee712dc6ef0aaa968ea2eaae

SHA1
a4aef7e9f12e96e475cdad4c0e23e77e30fe7c60

SHA256
f1c45d16156c7ee2db1082b1c0f4a092ba23dcf6a021ebe3ccea7d9e9494358a

SHA512
d4eee768fe4e89f23b023d487fb522f0ed85e23970615e7169b88fce1c93670f6b3cac0f08dad9d15e6604858c4d25fd211b0eb96f002f73c064fee830455cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Would

Filesize
213KB

MD5
c0a4f917f959c0099ff4341a6f9178e4

SHA1
50b15915c04f02ad905d7fc3faefad4899e3eb74

SHA256
0915f627a18a4bf6b142829d81d1d013a98ccd27f9b16b33967bb0a5b0cc39b8

SHA512
575d03749b42ea2deeff55d5c383696b69a1b6280e3e62e08ed41be130446b052a4daa0a3f4b1e2f2bb751e58a3f82d75d61d89b10165c7b540c5a60855f4d72

Download Submit
memory/2228-47-0x0000000001210000-0x0000000001219000-memory.dmp

Filesize
36KB

Download
memory/2228-53-0x0000000076890000-0x0000000076AA5000-memory.dmp

Filesize
2.1MB

Download
memory/2228-51-0x00007FFBEDF90000-0x00007FFBEE185000-memory.dmp

Filesize
2.0MB

Download
memory/2228-49-0x0000000002DB0000-0x00000000031B0000-memory.dmp

Filesize
4.0MB

Download
memory/6008-35-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download
memory/6008-40-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download
memory/6008-42-0x0000000005D60000-0x0000000006160000-memory.dmp

Filesize
4.0MB

Download
memory/6008-41-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download
memory/6008-46-0x0000000076890000-0x0000000076AA5000-memory.dmp

Filesize
2.1MB

Download
memory/6008-44-0x00007FFBEDF90000-0x00007FFBEE185000-memory.dmp

Filesize
2.0MB

Download
memory/6008-39-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download
memory/6008-43-0x0000000005D60000-0x0000000006160000-memory.dmp

Filesize
4.0MB

Download
memory/6008-37-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download
memory/6008-36-0x0000000004BE0000-0x0000000004C4D000-memory.dmp

Filesize
436KB

Download