rhadamanthys | d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
Size

920KB
MD5

5b8a32a8aa43b0abbba8e540066a35ef
SHA1

b7dbf49dfa893e7aba4732ca3fd38452c3cd9c3e
SHA256

d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd
SHA512

65cda09fbf398ec4dbea02b5a368dd6f76125670240a82c7e7e49c89ba99a894c5236faadb6784e74b6077f6834f48222d182ec8d224ea3518f9309162470136
SSDEEP

24576:5Njg/5WNrg4BubkHBKDrgRQDiQhceGrmhJiEFGfZmRGqEjh:n4Grg4BBHQPgRQthGChkEFAZVqA

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://5.42.65.27:4811/503b2b901476e7a26b7/s0orkm9k.o0amt

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2640 created 1212	2640	Oregon.pif	21

Executes dropped EXE 1 IoCs

pid	Process
2640	Oregon.pif

Loads dropped DLL 2 IoCs

pid	Process
2420	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
2832	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2716	tasklist.exe
2076	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oregon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3056	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3056	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2640	Oregon.pif
2640	Oregon.pif
2640	Oregon.pif
2640	Oregon.pif
2640	Oregon.pif
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe
1260	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeDebugPrivilege	2076	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2640	Oregon.pif
2640	Oregon.pif
2640	Oregon.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2640	Oregon.pif
2640	Oregon.pif
2640	Oregon.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2832	2420	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	30
PID 2420 wrote to memory of 2832	2420	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	30
PID 2420 wrote to memory of 2832	2420	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	30
PID 2420 wrote to memory of 2832	2420	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	30
PID 2832 wrote to memory of 2716	2832	cmd.exe	32
PID 2832 wrote to memory of 2716	2832	cmd.exe	32
PID 2832 wrote to memory of 2716	2832	cmd.exe	32
PID 2832 wrote to memory of 2716	2832	cmd.exe	32
PID 2832 wrote to memory of 2980	2832	cmd.exe	33
PID 2832 wrote to memory of 2980	2832	cmd.exe	33
PID 2832 wrote to memory of 2980	2832	cmd.exe	33
PID 2832 wrote to memory of 2980	2832	cmd.exe	33
PID 2832 wrote to memory of 2076	2832	cmd.exe	35
PID 2832 wrote to memory of 2076	2832	cmd.exe	35
PID 2832 wrote to memory of 2076	2832	cmd.exe	35
PID 2832 wrote to memory of 2076	2832	cmd.exe	35
PID 2832 wrote to memory of 2744	2832	cmd.exe	36
PID 2832 wrote to memory of 2744	2832	cmd.exe	36
PID 2832 wrote to memory of 2744	2832	cmd.exe	36
PID 2832 wrote to memory of 2744	2832	cmd.exe	36
PID 2832 wrote to memory of 2736	2832	cmd.exe	37
PID 2832 wrote to memory of 2736	2832	cmd.exe	37
PID 2832 wrote to memory of 2736	2832	cmd.exe	37
PID 2832 wrote to memory of 2736	2832	cmd.exe	37
PID 2832 wrote to memory of 2700	2832	cmd.exe	38
PID 2832 wrote to memory of 2700	2832	cmd.exe	38
PID 2832 wrote to memory of 2700	2832	cmd.exe	38
PID 2832 wrote to memory of 2700	2832	cmd.exe	38
PID 2832 wrote to memory of 2560	2832	cmd.exe	39
PID 2832 wrote to memory of 2560	2832	cmd.exe	39
PID 2832 wrote to memory of 2560	2832	cmd.exe	39
PID 2832 wrote to memory of 2560	2832	cmd.exe	39
PID 2832 wrote to memory of 2640	2832	cmd.exe	40
PID 2832 wrote to memory of 2640	2832	cmd.exe	40
PID 2832 wrote to memory of 2640	2832	cmd.exe	40
PID 2832 wrote to memory of 2640	2832	cmd.exe	40
PID 2832 wrote to memory of 3056	2832	cmd.exe	41
PID 2832 wrote to memory of 3056	2832	cmd.exe	41
PID 2832 wrote to memory of 3056	2832	cmd.exe	41
PID 2832 wrote to memory of 3056	2832	cmd.exe	41
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42
PID 2640 wrote to memory of 1260	2640	Oregon.pif	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
  "C:\Users\Admin\AppData\Local\Temp\d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Glossary Glossary.bat & Glossary.bat & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2076
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 7668
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Folks + Significantly + Wav + Mrna + Teacher + Container 7668\Oregon.pif
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Collins + Madagascar + Judges + Except 7668\b
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\7668\Oregon.pif
      7668\Oregon.pif 7668\b
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3056
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7668\b

Filesize
934KB

MD5
3058de71ef410deeaad62612e4fe1be2

SHA1
700234b3626e9ca26790b41f206a2fcd27f4bbe6

SHA256
e693e6ab18d1def5bedb7e30d2c9ef295fc107511362c8e90029e60ab3b713dc

SHA512
ab6bfe8ff1f27c8bd50529becd2167f0d962311d2021dd77b8dbb243e748a458ebe35f4cf73350172b014ce98ecced04f4b57206d15e822ec24df6d991ec92b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Collins

Filesize
292KB

MD5
bd51683b87240bf2620878653e32e784

SHA1
f87b8708406b1b52cae705c1127446fe28954f31

SHA256
c201f6ed1328c98493d23ca2223dac0d826b8116af07752cfb645ba462da65b9

SHA512
805e9fc339187e29b421c4ca21a375b4cad811c287be7b9cc79ca95e9ff9875f28d9d58fd6d22fdab6b751c83b13f71b27a75e5e342c8619b614d9df648642ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Container

Filesize
209KB

MD5
bcc1ac3b3f3e4ca7694a5fc7dffa1666

SHA1
7a2b26e4317107a503f67bf28fddacb3fd4e0efa

SHA256
847ef353658b3e8c587f8ac823a46c1c96f3c9858fcd89e17de60bf1bb816bdc

SHA512
a8961e419d57d1ea5facd3c52632c1854e7be4156c0f04e1b0c826e1e3373554a47fbc0fed841bc3e39abac1d5d89139acf605000ee11af64e57b09c5258e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Except

Filesize
105KB

MD5
e2ffc7330d80fc86bd5882f3cdacd845

SHA1
09f631d6d3bda6083c025f2274087894c6e60581

SHA256
d2f3de347fe4daf60be93005d2b2f471f4e000f428321e042b6cd6029fa1650f

SHA512
2d9c7bad602c58b1464c84e3f3547024865cc82229ec9ce8938f40a6dd0782d75231b25270c509203d62d5475ee31f7de76db096c6dbbb7b2d71f58dfd6a46e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folks

Filesize
149KB

MD5
92a41d13c79ce8eb843e8c6df2af3558

SHA1
5faaa98f537746b995042e2075d33ce7bdc4c7e0

SHA256
76d8ed1310911122e1dbe3efd25541f93e3828fe95ebf37cdeede710944f291e

SHA512
4623c951346f4049b79ffb43003b6ea1d09fcb542047c7b9ef55e212afbc093aea17e57b53cde723019c266e64bf7b3d40a2d89e8a80337ce709f6d9a7997254

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glossary

Filesize
11KB

MD5
1f2b8da5ec15d56ef0bbedab03d539f9

SHA1
e7da9dbbc358561cf288dff50f489beded357a4c

SHA256
53eccf903c1e18e3fe5e4ca92fbbc3903175556d768ffd3eeca795b61331de2c

SHA512
76853515bcdc18bb1d0da0e0d868d65303b664b371f78b0279b2d491a4eda80e25612e9a68e0c3e0a840dc0107c94ade98ec305b406f803c27646a41cb156a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judges

Filesize
269KB

MD5
0405a86aaf93b624c2239dbc7a8ffb33

SHA1
d30f8a1076c9ed9877fe0e2af532824b1c622d87

SHA256
3edd08d2b37436b4b938ab4af0084a5d254c25e3a94416b6665a9cbb26e9329f

SHA512
3c640d55f374458456a540eaff7b74efa64216d1de2d411ae57ac4e9779fe71cd6ca75070697cbd377789aaedf023abfe54add29b83a4abd8a60ac135abd977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madagascar

Filesize
268KB

MD5
60783d05878aded20a6e07442c446a61

SHA1
f098be49be7ab614efe7f105f4f21e2196a0b7c9

SHA256
e40ec516b80c4e6335685900c0951429a28c43e23a727aacb432436a941d9ab2

SHA512
f64adb6741dbd83766a1345b61c76549de347042055198395468ba6b512aae4b67cb03490d7dc29f98003129f4a5f995073ca9754c7fc9db14a4823e24cca721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mrna

Filesize
115KB

MD5
108be91c466215c28023004a5195e19b

SHA1
73e61199fd8a3651a7d62d33af9960fee067cab7

SHA256
c0aed63521e3c593b116c7504cb3b8f24744f3089a062cfa763339e2773d1e4f

SHA512
c9e43d9967843856c34bc4ef32b411c00327f2d4b8d279566a7ec7a11752b6fa3e78f55d29c7189b0835b201591b8667eb3ac83f56011d49f96ee22a63a09d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Significantly

Filesize
165KB

MD5
9d0dc90ed96b1e93bb5012893d82ae18

SHA1
9f833abf21ae9f70258ce6125528757a2a4a9946

SHA256
6c86e2a689e05c59b9363c86d336f5985606b5ebacdabcfb5807c68ba31301d3

SHA512
a596576f13ad864ecc63ea0bfb0bea8db02deb01cd6522c903fb278a6062c40bdd5a2c6c65b6b5b7d4874a930e24e5a58d0f30a7ca42c1d671b3015c80d5f270

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teacher

Filesize
143KB

MD5
b11f3283db36289ff48e3c6863cd1b72

SHA1
805165a7977f0094014c433513114399fec8d764

SHA256
641b4270311c311dbe17fd8a0004209fe51bd4d891e72e68622467c99db8f5ae

SHA512
2aab0c9da88d2ef4a7f5549a97a5082b7dc53fea03c1904a75a81bbaf1461513e7008a60e2165731998ffd803486d121f328fd0c417b46000a39c4ca959525a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wav

Filesize
143KB

MD5
d1cf436f3db0dcf11922050b62a40b99

SHA1
2456cb553611ade554482dd16dfe450178f31bf4

SHA256
ef9f462e027b957fd076db73ae6b133c5334f2d6e53ff2c98c8d88199eaa15ed

SHA512
104c636b6a0d1f3b9ff2edf425abd0dd4cdca5357a7c6a077065daeb302ee007adc9c6da0c1a2874323f1c0a3debc49af843ed3b4687922ab02b078887c16d8e

Download Submit
\Users\Admin\AppData\Local\Temp\7668\Oregon.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\nso159.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1260-47-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1260-52-0x0000000076CB0000-0x0000000076CF7000-memory.dmp

Filesize
284KB

Download
memory/1260-50-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1260-49-0x0000000001DC0000-0x00000000021C0000-memory.dmp

Filesize
4.0MB

Download
memory/2640-36-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download
memory/2640-41-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download
memory/2640-42-0x0000000004BE0000-0x0000000004FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2640-44-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/2640-43-0x0000000004BE0000-0x0000000004FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2640-46-0x0000000076CB0000-0x0000000076CF7000-memory.dmp

Filesize
284KB

Download
memory/2640-40-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download
memory/2640-39-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download
memory/2640-37-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download
memory/2640-35-0x0000000003B50000-0x0000000003BBD000-memory.dmp

Filesize
436KB

Download