rhadamanthys | 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
Size

938KB
MD5

9e64b65535e29ec152642d8bdcb22974
SHA1

5431aa7526ba193c0a92afffe2537bc54f51a0ba
SHA256

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14
SHA512

f895c62431502fa92d36b5e0cb929b4957ca41f9253dadecd6a06153dc566e12a5d835a162f6aeb0e8ea1eb1fb9c65ab716f7c43faca0672aff37900c56b156e
SSDEEP

24576:cbSLx7bBqTC9oA414OYDsSyMZblh50gjuQk47blB7uFujRVeYr4c:GS79qK4cDs6q7QX7bl1u6LzMc

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvh

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2696 created 1076	2696	Pleasure.pif	18

Executes dropped EXE 1 IoCs

pid	Process
2696	Pleasure.pif

Loads dropped DLL 1 IoCs

pid	Process
2164	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe
2256	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleasure.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2840	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2696	Pleasure.pif
2696	Pleasure.pif
2696	Pleasure.pif
2696	Pleasure.pif
2696	Pleasure.pif
2324	dialer.exe
2324	dialer.exe
2324	dialer.exe
2324	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2696	Pleasure.pif
2696	Pleasure.pif
2696	Pleasure.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2696	Pleasure.pif
2696	Pleasure.pif
2696	Pleasure.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2164	3052	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	30
PID 3052 wrote to memory of 2164	3052	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	30
PID 3052 wrote to memory of 2164	3052	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	30
PID 3052 wrote to memory of 2164	3052	6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe	30
PID 2164 wrote to memory of 2496	2164	cmd.exe	32
PID 2164 wrote to memory of 2496	2164	cmd.exe	32
PID 2164 wrote to memory of 2496	2164	cmd.exe	32
PID 2164 wrote to memory of 2496	2164	cmd.exe	32
PID 2164 wrote to memory of 1856	2164	cmd.exe	33
PID 2164 wrote to memory of 1856	2164	cmd.exe	33
PID 2164 wrote to memory of 1856	2164	cmd.exe	33
PID 2164 wrote to memory of 1856	2164	cmd.exe	33
PID 2164 wrote to memory of 2256	2164	cmd.exe	35
PID 2164 wrote to memory of 2256	2164	cmd.exe	35
PID 2164 wrote to memory of 2256	2164	cmd.exe	35
PID 2164 wrote to memory of 2256	2164	cmd.exe	35
PID 2164 wrote to memory of 604	2164	cmd.exe	36
PID 2164 wrote to memory of 604	2164	cmd.exe	36
PID 2164 wrote to memory of 604	2164	cmd.exe	36
PID 2164 wrote to memory of 604	2164	cmd.exe	36
PID 2164 wrote to memory of 2796	2164	cmd.exe	37
PID 2164 wrote to memory of 2796	2164	cmd.exe	37
PID 2164 wrote to memory of 2796	2164	cmd.exe	37
PID 2164 wrote to memory of 2796	2164	cmd.exe	37
PID 2164 wrote to memory of 2800	2164	cmd.exe	38
PID 2164 wrote to memory of 2800	2164	cmd.exe	38
PID 2164 wrote to memory of 2800	2164	cmd.exe	38
PID 2164 wrote to memory of 2800	2164	cmd.exe	38
PID 2164 wrote to memory of 2644	2164	cmd.exe	39
PID 2164 wrote to memory of 2644	2164	cmd.exe	39
PID 2164 wrote to memory of 2644	2164	cmd.exe	39
PID 2164 wrote to memory of 2644	2164	cmd.exe	39
PID 2164 wrote to memory of 2696	2164	cmd.exe	40
PID 2164 wrote to memory of 2696	2164	cmd.exe	40
PID 2164 wrote to memory of 2696	2164	cmd.exe	40
PID 2164 wrote to memory of 2696	2164	cmd.exe	40
PID 2164 wrote to memory of 2840	2164	cmd.exe	41
PID 2164 wrote to memory of 2840	2164	cmd.exe	41
PID 2164 wrote to memory of 2840	2164	cmd.exe	41
PID 2164 wrote to memory of 2840	2164	cmd.exe	41
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43
PID 2696 wrote to memory of 2324	2696	Pleasure.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1076
- C:\Users\Admin\AppData\Local\Temp\6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
  "C:\Users\Admin\AppData\Local\Temp\6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Scenes Scenes.bat && Scenes.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 334283
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AdditionUnitKoreanLn" Remembered
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Pitch + Twelve + Conditions + Venture + Pushing 334283\Q
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\334283\Pleasure.pif
      334283\Pleasure.pif 334283\Q
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2840
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\334283\Pleasure.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\334283\Q

Filesize
914KB

MD5
7535dacd1db48aaecbd143ac2e4383ff

SHA1
500d36d481a7fae9df2532f24df79266751cde93

SHA256
083f1026f00a8c883ba95759500774ed25ec8340a02073afdf80dd9bd2e544e4

SHA512
1afb6df2c3946aa021020c7a032d231631030952f0361dfad549d774857c33894361f4587686d995eebdd5d95619777e1c0cc7a044b942c23699d48fe58722e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Auckland

Filesize
74KB

MD5
9b4ad010dc092a4d7b7699e577390958

SHA1
d1b8c396b8e49c79ab605529b5fec82b6a506b79

SHA256
119a9c99de92ff7120d13728d4072621c9bdfb85d36facab811cf83e80b74fab

SHA512
8fd40e237b8b03abf309c78919dce5897a212b224a92b844226361d9e1ca5009028c0109375ac6290bc46f21840c7ab114234a9adb1cf0434fd40d90bc2d0290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cocks

Filesize
122KB

MD5
b9714867bc6e583009230599df277c2b

SHA1
504267f0b3b51522ee71ba300ce0370d59505b19

SHA256
ac07f0dfa71fa1b1026c7f0e2a3046414b98d07e2479ecf7078c575217ff456b

SHA512
575174fe8fbc0abc84b04b7957224dfbe974e22472a8e58eadcfd4dcd39989f43aa00aca3a3397d2dac78dc06786bbcc4b1db9fa6a9d9a3a2771b00bd5494f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Conditions

Filesize
215KB

MD5
9dd0467128c91617e43502cbc8b0c1e6

SHA1
113d0ad7a1941d8786625b1197b7e8f4bd401206

SHA256
957d74674e855e80e0cdaf147e27b52a02fd9fc4c52321aa5d99140ea54c22fc

SHA512
74f2f5e7b271145996df6ab791e8c336eed73ec9d2afc1cca72005e40ee47898e4d41774568fd2f62950555b41de57814262db21b4bab3e33fa5ca61100c5971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Japanese

Filesize
169KB

MD5
8447b70981dcb2bb39d095e9985d954a

SHA1
d01c0108e80a6c0e798903e87a53b2e1ef254620

SHA256
14eb95df77e971931661ebca90d3195e43648d27a7aff882409fe5bd47a515e4

SHA512
30a1a18c8b73e3277518493aa10eb247e56ba5b684d2349d625688d0a75e435e7d7dfa8e6c31fa4198c8c11c8a8ebfb570d1cf31db20e2850b96b3d0a5ec5c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lessons

Filesize
100KB

MD5
84ace9f7f9a3493073e3fab9cb9b90fb

SHA1
aac5be0f9a1ebd056e553251041e6e7466b187b1

SHA256
8c199bb3752164de1f809e533f9b55228ee64b55b4c838aa246cfc8989f873bc

SHA512
256038ac9b67b33787e394cd787be297d32692043184ea88ed95676e9096d3bb6161fe721e369bff3f732d1dafeed3eca5448195088f26bcb2479228da2469a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Master

Filesize
71KB

MD5
535e0993b8a71b832b27c39097da8b31

SHA1
d5c0c8a37622e6fe455b6f6654dbedc019f10389

SHA256
5dc66e813e39aaa932674af4b40aae95d9ef80fc00de939d7acb4ca9e0a9a945

SHA512
d0234cbeb6df861eb378006e8df22164ae1d6b891a26ea3b4d47a8144f8e04e67da66fbedbefd6135da9b732d2d72307a80f16d726fbea60647b928512be8167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pitch

Filesize
236KB

MD5
fabfb469e08a6a1e74285f668454d1a6

SHA1
d425707f875b08f148078d4f61701dc1864c4f43

SHA256
f9a73b798f5dd9133b44dab7dafd3a307fc28502a9d909cfa430cd90f19665e8

SHA512
efda2843221df36c7d523245283ff88356de7280054d95a9641d69735636ea5b8a0718d6c044f1666172eb1eb11d2e692cba62d78b5679b7655b2eb518708bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Publication

Filesize
94KB

MD5
906432d9dda34454d048883e0865c632

SHA1
8ff107a856f221e0900608b835dcbb69de5fdecc

SHA256
8a9e8d8720e27de614c0ffc3fd4207761cd5e07df11441d0357de45a9f3b396e

SHA512
7e50fc5bb6765a231d48366fde33a2ffe465b3677e11fd6a960c99ada7ecdf5dc74ecff124df18d272e840859b3186a4e442daed5134a12caf32770f329ac2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pushing

Filesize
50KB

MD5
471e80e5a83a78b2207ca980db84fb35

SHA1
10f508f334cd8dffd0b97d972b9061179ddb42f8

SHA256
affb25dd0fbd0516ea94f7a242b4457458af3385d57eabc53b75a4d1aa7bb828

SHA512
87edbaebf44066ffbb0cffe45dd0532d48254e25022b79894ff702408adc718314f3c20edfb197b880781ff06c4f678b991b97f309b7778a9b75e133b9c8a559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Remembered

Filesize
218B

MD5
a9161cabc486b999896b60a235427f7f

SHA1
40927b07b516314eb46745e0cd843bf7d8abeaf2

SHA256
d9645c520b048bdb1a7774c4d376149966eee672e0218fe28c76c76a903b4e58

SHA512
e669609a5d170b1f5d6f397e1828f3980a003c901b46c3385a21a1438f20df812066f722aa9c4eef010bc41571f26315fe95bc3719d34bddc89d72b215cda48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scenes

Filesize
15KB

MD5
e968549e1590f4d87f026f40231c0503

SHA1
64bb1b1df57209efdb29489024ab65c0f205895c

SHA256
37b4c4e81a6c7176e630fb0cf1a80f5935c405030c02e184a51d6c07f490956e

SHA512
f997a3c09196b38422c2142eb5ffadaa7575d44ba6ac498f99796be4866ddf7b73a6948fb5a501bb14d8346517ee2aa3830351ef0c32dd14c7c1405e1695f894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Speak

Filesize
161KB

MD5
7017f4ece055f6d7321764437f911b23

SHA1
33db2eb3a3d1daba3d1216c31ddacb45460bba78

SHA256
2850a0cf772db3e80e2714b3951e05db7eb181d4c5cfa2682d515738e06f6b72

SHA512
5d97fce71b28170325ad0257165418897fc163904ac25d324e81fd2be8e08a93701d56ebfab21f43e6e94086f94514b80fcb902c8f3d93430dad0f28e09e53cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Spectrum

Filesize
81KB

MD5
738da057ae796ca14e8506e15e5cc603

SHA1
823f5ad7957bc0d0dec36610ce695d8f5e641e54

SHA256
da17ae9e33f991657a53ff8425efa8f451069d2293c315ca7c93cb780e52c831

SHA512
d9859856a69626c510b06a7602b8b727cfd0a1f96d85d1c863d212f757ed1926dae1e7625f9ffac13289cc3abb80ad6ce7dda829ead4333b4e237ea1e25e689d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Twelve

Filesize
213KB

MD5
a20592f9c9f363a59627c5315675cd9b

SHA1
1018ab78595abfe0e82a498b74f1ad4cfe0dbb43

SHA256
e9a08f7197db7a358b3a30afa725229a4ed195f8212ec6d740425506afa03095

SHA512
0bad8356c2d7f54f1302587f5267d95e7d4951690514378f88b4c7e0c376a7d73a9ddcf1cdee29ee6ccf0c4c0f9e325535f31ae68a11895926daae736f4fac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Venture

Filesize
200KB

MD5
d0e6b3afaed008a391e30f3298d492dc

SHA1
3998ac9108de444c285f154ea068a9b2eab15732

SHA256
173cfdaeaa9117971a23720b31c84a3a97e9652c310b47a7418dbf0816c99493

SHA512
1f4d3dce84ea40d65bf96f9d6d2a76c9ca33d596f7bddf175250e921532de92d2aca6e1c63a83e1f5cb570bd82b86890e0812ac7a4a90b0a1c170700a2078408

Download Submit
memory/2324-57-0x0000000075290000-0x00000000752D7000-memory.dmp

Filesize
284KB

Download
memory/2324-55-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2324-53-0x0000000001BD0000-0x0000000001FD0000-memory.dmp

Filesize
4.0MB

Download
memory/2324-51-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2696-44-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download
memory/2696-45-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download
memory/2696-46-0x0000000005440000-0x0000000005840000-memory.dmp

Filesize
4.0MB

Download
memory/2696-47-0x0000000005440000-0x0000000005840000-memory.dmp

Filesize
4.0MB

Download
memory/2696-48-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2696-50-0x0000000075290000-0x00000000752D7000-memory.dmp

Filesize
284KB

Download
memory/2696-43-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download
memory/2696-41-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download
memory/2696-40-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download
memory/2696-39-0x0000000004200000-0x000000000426D000-memory.dmp

Filesize
436KB

Download