rhadamanthys | 92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quanto.exe.bin.exe
Size

4.6MB
MD5

8903a3a26cd448747ae51dc64e359211
SHA1

198b3ea699183d292e95748300acc176773f6834
SHA256

92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
SHA512

4cbaa5e0c267f39baa8f9e07d6c13563ce25b7c4f8ef474388588bf9868d56713ebc663eaecfdb134aadc6d2e8e3802dff10c3ba5f86f335b42d813ff066bc5b
SSDEEP

98304:MKaAh0jTZCMVjTec6LVdMi8SJblSEbWAj3FUn3v8n9VuIf9u3:/laRCMVa7dP82lSuzBkq/uIU3

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 3 IoCs

resource	yara_rule
behavioral1/memory/2532-53-0x0000000000400000-0x0000000000483000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2532-55-0x0000000000400000-0x0000000000483000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2532-63-0x0000000000400000-0x0000000000483000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2532 created 1208	2532	explorer.exe	21

Executes dropped EXE 3 IoCs

pid	Process
2584	quanto.exe.bin.exe
2256	WiseTurbo.exe
2088	WiseTurbo.exe

Loads dropped DLL 6 IoCs

pid	Process
2568	quanto.exe.bin.exe
2584	quanto.exe.bin.exe
2584	quanto.exe.bin.exe
2256	WiseTurbo.exe
2256	WiseTurbo.exe
2088	WiseTurbo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2940	2088	WiseTurbo.exe	33

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quanto.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quanto.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiseTurbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiseTurbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2256	WiseTurbo.exe
2088	WiseTurbo.exe
2088	WiseTurbo.exe
2940	cmd.exe
2940	cmd.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2532	explorer.exe
2996	dialer.exe
2996	dialer.exe
2996	dialer.exe
2996	dialer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2088	WiseTurbo.exe
2940	cmd.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2584	2568	quanto.exe.bin.exe	30
PID 2568 wrote to memory of 2584	2568	quanto.exe.bin.exe	30
PID 2568 wrote to memory of 2584	2568	quanto.exe.bin.exe	30
PID 2568 wrote to memory of 2584	2568	quanto.exe.bin.exe	30
PID 2584 wrote to memory of 2256	2584	quanto.exe.bin.exe	31
PID 2584 wrote to memory of 2256	2584	quanto.exe.bin.exe	31
PID 2584 wrote to memory of 2256	2584	quanto.exe.bin.exe	31
PID 2584 wrote to memory of 2256	2584	quanto.exe.bin.exe	31
PID 2256 wrote to memory of 2088	2256	WiseTurbo.exe	32
PID 2256 wrote to memory of 2088	2256	WiseTurbo.exe	32
PID 2256 wrote to memory of 2088	2256	WiseTurbo.exe	32
PID 2256 wrote to memory of 2088	2256	WiseTurbo.exe	32
PID 2088 wrote to memory of 2940	2088	WiseTurbo.exe	33
PID 2088 wrote to memory of 2940	2088	WiseTurbo.exe	33
PID 2088 wrote to memory of 2940	2088	WiseTurbo.exe	33
PID 2088 wrote to memory of 2940	2088	WiseTurbo.exe	33
PID 2088 wrote to memory of 2940	2088	WiseTurbo.exe	33
PID 2940 wrote to memory of 2532	2940	cmd.exe	36
PID 2940 wrote to memory of 2532	2940	cmd.exe	36
PID 2940 wrote to memory of 2532	2940	cmd.exe	36
PID 2940 wrote to memory of 2532	2940	cmd.exe	36
PID 2940 wrote to memory of 2532	2940	cmd.exe	36
PID 2532 wrote to memory of 2996	2532	explorer.exe	37
PID 2532 wrote to memory of 2996	2532	explorer.exe	37
PID 2532 wrote to memory of 2996	2532	explorer.exe	37
PID 2532 wrote to memory of 2996	2532	explorer.exe	37
PID 2532 wrote to memory of 2996	2532	explorer.exe	37
PID 2532 wrote to memory of 2996	2532	explorer.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\TEMP\{994111C7-F179-4CFA-9C16-18C1B96D3FA0}\.cr\quanto.exe.bin.exe
    "C:\Windows\TEMP\{994111C7-F179-4CFA-9C16-18C1B96D3FA0}\.cr\quanto.exe.bin.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\quanto.exe.bin.exe" -burn.filehandle.attached=216 -burn.filehandle.self=212
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\TEMP\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\WiseTurbo.exe
      C:\Windows\TEMP\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\WiseTurbo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exe
        
        C:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2532
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\687e87fc

Filesize
1.1MB

MD5
0b2b1e7d040137462b4643f9d3e96cdb

SHA1
e69c4409e5660bfcfc6b95e8fab7ccf2e27537e9

SHA256
160b18b2e4cf5632b39e4d6248d17f43e05ba8e26bb7e176a5e94ff4e1e2ae95

SHA512
9eb131424fc8b2341f3f10c0e54ea947dad466bc86454f4a6e309878cf4f558724531f1009c02fb579bc5e84bd81d8d89687b065a6b088fabc7c9679a54d9f66

Download Submit
C:\Windows\TEMP\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\lilt.iso

Filesize
863KB

MD5
0905b3ca4c3989e8dd6222736ae3a151

SHA1
bee40c368333c70272b3f0c60cd0ae3383f909d8

SHA256
1672e7fa812259cf9ffb95bb24ebd6139fc40381a4f34267b5955f96b549ee20

SHA512
2e1da1157d0b774688c658bc711480b6950d3c98ef5deb64899f4d6bf9d93f0465a7cb53c23019ce2e1f60c9c24f41728411ff781ff5a2366a4d9841bfbbb68e

Download Submit
C:\Windows\Temp\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\caftan.bmp

Filesize
67KB

MD5
bd42648e3937a646fc2e5b71614a499e

SHA1
1d8bb75712dda9b26a035c8abfc96e6e1c182ba3

SHA256
406557b203253097558ce7b29367628a5e079667eba1c96aa5cfbc1da7159a4d

SHA512
c11f12036a35d3ef0b0acd00dd298caf146bbcc5435c4bf21f7c6b642e458b8e756652099da8b5e4eb40cb2293c2cae2bfc6dfbb63496edf7a7bb98b9cf50dab

Download Submit
\Windows\Temp\{994111C7-F179-4CFA-9C16-18C1B96D3FA0}\.cr\quanto.exe.bin.exe

Filesize
4.5MB

MD5
c785d6c4511b8577ab1a17de6452f063

SHA1
7f7dc6e303d7ae0bf9ed48da70b1dc1bfe408305

SHA256
42019eb9f6c1c9420ef67e323139047ef07e9c14dc0ee109126cfa24ebbdfba7

SHA512
d767fcf9211b92685f41529b5842f8bef46d61a45549923f6a176f0d08b45c0d77099913df5adc8a506d35e14f9c51b05be68f7756d8d67d7ca79385dcef2130

Download Submit
\Windows\Temp\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\Precursor.dll

Filesize
203KB

MD5
edd36228f691d9528e7a4a99ae237d0b

SHA1
90c234e0a27bffc9414e49743648f249e467287e

SHA256
a2c80f88af00d526b10c3b18c8403ff5ac6353ea229ed86c441303b6a6f9fcba

SHA512
30a4882a30255ca7869eb631ec56e0fbee5090cdad634efc0145d0e211082576ea8e3b9031a5a05b56513faf8849c21f2f890606dc6650820507c289aada87ad

Download Submit
\Windows\Temp\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\WiseTurbo.exe

Filesize
8.7MB

MD5
1f166f5c76eb155d44dd1bf160f37a6a

SHA1
cd6f7aa931d3193023f2e23a1f2716516ca3708c

SHA256
2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

SHA512
38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

Download Submit
\Windows\Temp\{A35BFBA8-27DD-4DFE-90A8-1F3B086CC8F9}\.ba\sqlite3.dll

Filesize
891KB

MD5
f18535f3edbc5a948cbe169b32532cd4

SHA1
54575320f198626ef74f08b17022671e05c09df0

SHA256
72b214770043bce3c69b35803f8c83bb04cd88561af4571ce5c13b68ce9f38f6

SHA512
2f4322043f55406772e6b16bc97e1c94c4f537ae6d8a238535a50717b7cb2eaa5ea1a7bd5fd184ffa6f1cf54e88f5a9128c51f77eb6b4a5d1368e6dd9737ddef

Download Submit
memory/2088-41-0x0000000000400000-0x0000000000D48000-memory.dmp

Filesize
9.3MB

Download
memory/2088-46-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/2088-39-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/2088-40-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2256-23-0x0000000074A40000-0x0000000074BB4000-memory.dmp

Filesize
1.5MB

Download
memory/2256-33-0x0000000000400000-0x0000000000D48000-memory.dmp

Filesize
9.3MB

Download
memory/2256-24-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2532-61-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2532-53-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2532-54-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2532-55-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2532-57-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2532-58-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2532-63-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2940-51-0x0000000074950000-0x0000000074AC4000-memory.dmp

Filesize
1.5MB

Download
memory/2940-50-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2996-62-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2996-68-0x0000000076670000-0x00000000766B7000-memory.dmp

Filesize
284KB

Download
memory/2996-66-0x0000000077B60000-0x0000000077D09000-memory.dmp

Filesize
1.7MB

Download
memory/2996-65-0x0000000001C20000-0x0000000002020000-memory.dmp

Filesize
4.0MB

Download