rhadamanthys | c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf

General

Target

c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe
Size

5.3MB
MD5

b2bcd5aa3fb1f30d2bc3be809f1a8257
SHA1

18357b3a7e36992017db6e135ed8dfe5b4c8f9f3
SHA256

c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf
SHA512

a3c80e9253b9b7cfb5d1728e3d7027c9f5707a69f9d448a515132c1b98c5538c033830b8c55005c5abe57a6ae98c04edc250048c784cc58ce331b551fbcc5034
SSDEEP

49152:HlGIkwGuftS2evmF2upFqOZTYT1u//2Yzwvvg3TPiD7sjk5E52/JI7INSbTANTMd:HsIULPEhSmLzwvc+E5UCIK6t8ozuL

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://192.30.242.19:9480/0c5934b7b50a019/0rl4l423.a2nct

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5704 created 2820	5704	BitLockerToGo.exe	50

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5216 set thread context of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4456	5704	WerFault.exe	100
5868	5704	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5704	BitLockerToGo.exe
5704	BitLockerToGo.exe
1924	openwith.exe
1924	openwith.exe
1924	openwith.exe
1924	openwith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5216 wrote to memory of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100
PID 5216 wrote to memory of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100
PID 5216 wrote to memory of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100
PID 5216 wrote to memory of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100
PID 5216 wrote to memory of 5704	5216	c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe	100
PID 5704 wrote to memory of 1924	5704	BitLockerToGo.exe	101
PID 5704 wrote to memory of 1924	5704	BitLockerToGo.exe	101
PID 5704 wrote to memory of 1924	5704	BitLockerToGo.exe	101
PID 5704 wrote to memory of 1924	5704	BitLockerToGo.exe	101
PID 5704 wrote to memory of 1924	5704	BitLockerToGo.exe	101

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2820
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

C:\Users\Admin\AppData\Local\Temp\c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe
"C:\Users\Admin\AppData\Local\Temp\c499af472f9d97ebdd5632dca625389913a87d4ddd552d1bdf08170a9e270caf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5216
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 432
    3⤵
    - Program crash
    PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 428
    3⤵
    - Program crash
    PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5704 -ip 5704
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5704 -ip 5704
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-18-0x0000000000E90000-0x0000000000E99000-memory.dmp

Filesize
36KB

Download
memory/1924-26-0x0000000002D80000-0x0000000003180000-memory.dmp

Filesize
4.0MB

Download
memory/1924-24-0x0000000002D80000-0x0000000003180000-memory.dmp

Filesize
4.0MB

Download
memory/1924-25-0x0000000077110000-0x0000000077325000-memory.dmp

Filesize
2.1MB

Download
memory/1924-22-0x00007FFD66970000-0x00007FFD66B65000-memory.dmp

Filesize
2.0MB

Download
memory/1924-21-0x0000000002D80000-0x0000000003180000-memory.dmp

Filesize
4.0MB

Download
memory/5216-5-0x00007FF7B6290000-0x00007FF7B6846000-memory.dmp

Filesize
5.7MB

Download
memory/5216-7-0x00007FF7B6290000-0x00007FF7B6846000-memory.dmp

Filesize
5.7MB

Download
memory/5216-0-0x00007FF7B6290000-0x00007FF7B6846000-memory.dmp

Filesize
5.7MB

Download
memory/5704-9-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/5704-17-0x0000000077110000-0x0000000077325000-memory.dmp

Filesize
2.1MB

Download
memory/5704-14-0x00007FFD66970000-0x00007FFD66B65000-memory.dmp

Filesize
2.0MB

Download
memory/5704-16-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5704-13-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5704-12-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5704-11-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download
memory/5704-10-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/5704-8-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/5704-6-0x0000000000720000-0x000000000079E000-memory.dmp

Filesize
504KB

Download
memory/5704-27-0x0000000003830000-0x0000000003C30000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing