rhadamanthys | d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd

Analysis

max time kernel
103s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
Size

920KB
MD5

5b8a32a8aa43b0abbba8e540066a35ef
SHA1

b7dbf49dfa893e7aba4732ca3fd38452c3cd9c3e
SHA256

d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd
SHA512

65cda09fbf398ec4dbea02b5a368dd6f76125670240a82c7e7e49c89ba99a894c5236faadb6784e74b6077f6834f48222d182ec8d224ea3518f9309162470136
SSDEEP

24576:5Njg/5WNrg4BubkHBKDrgRQDiQhceGrmhJiEFGfZmRGqEjh:n4Grg4BBHQPgRQthGChkEFAZVqA

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://5.42.65.27:4811/503b2b901476e7a26b7/s0orkm9k.o0amt

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4836 created 2900	4836	Oregon.pif	49

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	Oregon.pif

Loads dropped DLL 1 IoCs

pid	Process
2260	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4084	tasklist.exe
4388	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1272	4836	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oregon.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2916	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2916	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif
1620	dialer.exe
1620	dialer.exe
1620	dialer.exe
1620	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	tasklist.exe
Token: SeDebugPrivilege	4388	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4836	Oregon.pif
4836	Oregon.pif
4836	Oregon.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4880	2260	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	88
PID 2260 wrote to memory of 4880	2260	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	88
PID 2260 wrote to memory of 4880	2260	d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe	88
PID 4880 wrote to memory of 4084	4880	cmd.exe	90
PID 4880 wrote to memory of 4084	4880	cmd.exe	90
PID 4880 wrote to memory of 4084	4880	cmd.exe	90
PID 4880 wrote to memory of 388	4880	cmd.exe	91
PID 4880 wrote to memory of 388	4880	cmd.exe	91
PID 4880 wrote to memory of 388	4880	cmd.exe	91
PID 4880 wrote to memory of 4388	4880	cmd.exe	94
PID 4880 wrote to memory of 4388	4880	cmd.exe	94
PID 4880 wrote to memory of 4388	4880	cmd.exe	94
PID 4880 wrote to memory of 3908	4880	cmd.exe	95
PID 4880 wrote to memory of 3908	4880	cmd.exe	95
PID 4880 wrote to memory of 3908	4880	cmd.exe	95
PID 4880 wrote to memory of 2340	4880	cmd.exe	96
PID 4880 wrote to memory of 2340	4880	cmd.exe	96
PID 4880 wrote to memory of 2340	4880	cmd.exe	96
PID 4880 wrote to memory of 676	4880	cmd.exe	97
PID 4880 wrote to memory of 676	4880	cmd.exe	97
PID 4880 wrote to memory of 676	4880	cmd.exe	97
PID 4880 wrote to memory of 1056	4880	cmd.exe	98
PID 4880 wrote to memory of 1056	4880	cmd.exe	98
PID 4880 wrote to memory of 1056	4880	cmd.exe	98
PID 4880 wrote to memory of 4836	4880	cmd.exe	99
PID 4880 wrote to memory of 4836	4880	cmd.exe	99
PID 4880 wrote to memory of 4836	4880	cmd.exe	99
PID 4880 wrote to memory of 2916	4880	cmd.exe	100
PID 4880 wrote to memory of 2916	4880	cmd.exe	100
PID 4880 wrote to memory of 2916	4880	cmd.exe	100
PID 4836 wrote to memory of 1620	4836	Oregon.pif	102
PID 4836 wrote to memory of 1620	4836	Oregon.pif	102
PID 4836 wrote to memory of 1620	4836	Oregon.pif	102
PID 4836 wrote to memory of 1620	4836	Oregon.pif	102
PID 4836 wrote to memory of 1620	4836	Oregon.pif	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2900
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

C:\Users\Admin\AppData\Local\Temp\d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe
"C:\Users\Admin\AppData\Local\Temp\d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Glossary Glossary.bat & Glossary.bat & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 7678
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Folks + Significantly + Wav + Mrna + Teacher + Container 7678\Oregon.pif
    3⤵
    - System Location Discovery: System Language Discovery
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Collins + Madagascar + Judges + Except 7678\b
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\7678\Oregon.pif
    7678\Oregon.pif 7678\b
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 896
      4⤵
      Program crash
      PID:1272
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4836 -ip 4836
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7678\Oregon.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7678\b

Filesize
934KB

MD5
3058de71ef410deeaad62612e4fe1be2

SHA1
700234b3626e9ca26790b41f206a2fcd27f4bbe6

SHA256
e693e6ab18d1def5bedb7e30d2c9ef295fc107511362c8e90029e60ab3b713dc

SHA512
ab6bfe8ff1f27c8bd50529becd2167f0d962311d2021dd77b8dbb243e748a458ebe35f4cf73350172b014ce98ecced04f4b57206d15e822ec24df6d991ec92b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Collins

Filesize
292KB

MD5
bd51683b87240bf2620878653e32e784

SHA1
f87b8708406b1b52cae705c1127446fe28954f31

SHA256
c201f6ed1328c98493d23ca2223dac0d826b8116af07752cfb645ba462da65b9

SHA512
805e9fc339187e29b421c4ca21a375b4cad811c287be7b9cc79ca95e9ff9875f28d9d58fd6d22fdab6b751c83b13f71b27a75e5e342c8619b614d9df648642ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Container

Filesize
209KB

MD5
bcc1ac3b3f3e4ca7694a5fc7dffa1666

SHA1
7a2b26e4317107a503f67bf28fddacb3fd4e0efa

SHA256
847ef353658b3e8c587f8ac823a46c1c96f3c9858fcd89e17de60bf1bb816bdc

SHA512
a8961e419d57d1ea5facd3c52632c1854e7be4156c0f04e1b0c826e1e3373554a47fbc0fed841bc3e39abac1d5d89139acf605000ee11af64e57b09c5258e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Except

Filesize
105KB

MD5
e2ffc7330d80fc86bd5882f3cdacd845

SHA1
09f631d6d3bda6083c025f2274087894c6e60581

SHA256
d2f3de347fe4daf60be93005d2b2f471f4e000f428321e042b6cd6029fa1650f

SHA512
2d9c7bad602c58b1464c84e3f3547024865cc82229ec9ce8938f40a6dd0782d75231b25270c509203d62d5475ee31f7de76db096c6dbbb7b2d71f58dfd6a46e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folks

Filesize
149KB

MD5
92a41d13c79ce8eb843e8c6df2af3558

SHA1
5faaa98f537746b995042e2075d33ce7bdc4c7e0

SHA256
76d8ed1310911122e1dbe3efd25541f93e3828fe95ebf37cdeede710944f291e

SHA512
4623c951346f4049b79ffb43003b6ea1d09fcb542047c7b9ef55e212afbc093aea17e57b53cde723019c266e64bf7b3d40a2d89e8a80337ce709f6d9a7997254

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glossary

Filesize
11KB

MD5
1f2b8da5ec15d56ef0bbedab03d539f9

SHA1
e7da9dbbc358561cf288dff50f489beded357a4c

SHA256
53eccf903c1e18e3fe5e4ca92fbbc3903175556d768ffd3eeca795b61331de2c

SHA512
76853515bcdc18bb1d0da0e0d868d65303b664b371f78b0279b2d491a4eda80e25612e9a68e0c3e0a840dc0107c94ade98ec305b406f803c27646a41cb156a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judges

Filesize
269KB

MD5
0405a86aaf93b624c2239dbc7a8ffb33

SHA1
d30f8a1076c9ed9877fe0e2af532824b1c622d87

SHA256
3edd08d2b37436b4b938ab4af0084a5d254c25e3a94416b6665a9cbb26e9329f

SHA512
3c640d55f374458456a540eaff7b74efa64216d1de2d411ae57ac4e9779fe71cd6ca75070697cbd377789aaedf023abfe54add29b83a4abd8a60ac135abd977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madagascar

Filesize
268KB

MD5
60783d05878aded20a6e07442c446a61

SHA1
f098be49be7ab614efe7f105f4f21e2196a0b7c9

SHA256
e40ec516b80c4e6335685900c0951429a28c43e23a727aacb432436a941d9ab2

SHA512
f64adb6741dbd83766a1345b61c76549de347042055198395468ba6b512aae4b67cb03490d7dc29f98003129f4a5f995073ca9754c7fc9db14a4823e24cca721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mrna

Filesize
115KB

MD5
108be91c466215c28023004a5195e19b

SHA1
73e61199fd8a3651a7d62d33af9960fee067cab7

SHA256
c0aed63521e3c593b116c7504cb3b8f24744f3089a062cfa763339e2773d1e4f

SHA512
c9e43d9967843856c34bc4ef32b411c00327f2d4b8d279566a7ec7a11752b6fa3e78f55d29c7189b0835b201591b8667eb3ac83f56011d49f96ee22a63a09d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Significantly

Filesize
165KB

MD5
9d0dc90ed96b1e93bb5012893d82ae18

SHA1
9f833abf21ae9f70258ce6125528757a2a4a9946

SHA256
6c86e2a689e05c59b9363c86d336f5985606b5ebacdabcfb5807c68ba31301d3

SHA512
a596576f13ad864ecc63ea0bfb0bea8db02deb01cd6522c903fb278a6062c40bdd5a2c6c65b6b5b7d4874a930e24e5a58d0f30a7ca42c1d671b3015c80d5f270

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teacher

Filesize
143KB

MD5
b11f3283db36289ff48e3c6863cd1b72

SHA1
805165a7977f0094014c433513114399fec8d764

SHA256
641b4270311c311dbe17fd8a0004209fe51bd4d891e72e68622467c99db8f5ae

SHA512
2aab0c9da88d2ef4a7f5549a97a5082b7dc53fea03c1904a75a81bbaf1461513e7008a60e2165731998ffd803486d121f328fd0c417b46000a39c4ca959525a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wav

Filesize
143KB

MD5
d1cf436f3db0dcf11922050b62a40b99

SHA1
2456cb553611ade554482dd16dfe450178f31bf4

SHA256
ef9f462e027b957fd076db73ae6b133c5334f2d6e53ff2c98c8d88199eaa15ed

SHA512
104c636b6a0d1f3b9ff2edf425abd0dd4cdca5357a7c6a077065daeb302ee007adc9c6da0c1a2874323f1c0a3debc49af843ed3b4687922ab02b078887c16d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8260.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1620-45-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/1620-50-0x0000000075D50000-0x0000000075F65000-memory.dmp

Filesize
2.1MB

Download
memory/1620-47-0x0000000002280000-0x0000000002680000-memory.dmp

Filesize
4.0MB

Download
memory/1620-48-0x00007FFF032D0000-0x00007FFF034C5000-memory.dmp

Filesize
2.0MB

Download
memory/4836-33-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download
memory/4836-37-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download
memory/4836-40-0x0000000005C10000-0x0000000006010000-memory.dmp

Filesize
4.0MB

Download
memory/4836-41-0x0000000005C10000-0x0000000006010000-memory.dmp

Filesize
4.0MB

Download
memory/4836-42-0x00007FFF032D0000-0x00007FFF034C5000-memory.dmp

Filesize
2.0MB

Download
memory/4836-44-0x0000000075D50000-0x0000000075F65000-memory.dmp

Filesize
2.1MB

Download
memory/4836-38-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download
memory/4836-35-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download
memory/4836-39-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download
memory/4836-34-0x0000000004A80000-0x0000000004AED000-memory.dmp

Filesize
436KB

Download