rhadamanthys | 92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

General

Target

92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
Size

4.6MB
MD5

8903a3a26cd448747ae51dc64e359211
SHA1

198b3ea699183d292e95748300acc176773f6834
SHA256

92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
SHA512

4cbaa5e0c267f39baa8f9e07d6c13563ce25b7c4f8ef474388588bf9868d56713ebc663eaecfdb134aadc6d2e8e3802dff10c3ba5f86f335b42d813ff066bc5b
SSDEEP

98304:MKaAh0jTZCMVjTec6LVdMi8SJblSEbWAj3FUn3v8n9VuIf9u3:/laRCMVa7dP82lSuzBkq/uIU3

Score

10^/10

Malware Config

Signatures

Detects Rhadamanthys payload 3 IoCs

resource	yara_rule
behavioral2/memory/6024-47-0x0000000000A80000-0x0000000000B03000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/6024-49-0x0000000000A80000-0x0000000000B03000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/6024-59-0x0000000000A80000-0x0000000000B03000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6024 created 2872	6024	explorer.exe	49

Executes dropped EXE 3 IoCs

pid	Process
2852	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
540	WiseTurbo.exe
4152	WiseTurbo.exe

Loads dropped DLL 3 IoCs

pid	Process
2852	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
540	WiseTurbo.exe
4152	WiseTurbo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 4624	4152	WiseTurbo.exe	94

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiseTurbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiseTurbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
540	WiseTurbo.exe
4152	WiseTurbo.exe
4152	WiseTurbo.exe
4624	cmd.exe
4624	cmd.exe
6024	explorer.exe
6024	explorer.exe
6024	explorer.exe
6024	explorer.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe
2948	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4152	WiseTurbo.exe
4624	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5692 wrote to memory of 2852	5692	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	88
PID 5692 wrote to memory of 2852	5692	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	88
PID 5692 wrote to memory of 2852	5692	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	88
PID 2852 wrote to memory of 540	2852	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	91
PID 2852 wrote to memory of 540	2852	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	91
PID 2852 wrote to memory of 540	2852	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe	91
PID 540 wrote to memory of 4152	540	WiseTurbo.exe	93
PID 540 wrote to memory of 4152	540	WiseTurbo.exe	93
PID 540 wrote to memory of 4152	540	WiseTurbo.exe	93
PID 4152 wrote to memory of 4624	4152	WiseTurbo.exe	94
PID 4152 wrote to memory of 4624	4152	WiseTurbo.exe	94
PID 4152 wrote to memory of 4624	4152	WiseTurbo.exe	94
PID 4152 wrote to memory of 4624	4152	WiseTurbo.exe	94
PID 4624 wrote to memory of 6024	4624	cmd.exe	107
PID 4624 wrote to memory of 6024	4624	cmd.exe	107
PID 4624 wrote to memory of 6024	4624	cmd.exe	107
PID 4624 wrote to memory of 6024	4624	cmd.exe	107
PID 6024 wrote to memory of 2948	6024	explorer.exe	108
PID 6024 wrote to memory of 2948	6024	explorer.exe	108
PID 6024 wrote to memory of 2948	6024	explorer.exe	108
PID 6024 wrote to memory of 2948	6024	explorer.exe	108
PID 6024 wrote to memory of 2948	6024	explorer.exe	108

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2872
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Users\Admin\AppData\Local\Temp\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
"C:\Users\Admin\AppData\Local\Temp\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5692
- C:\Windows\TEMP\{E415D1B3-34CF-49C6-B748-E90163C2C29A}\.cr\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe
  "C:\Windows\TEMP\{E415D1B3-34CF-49C6-B748-E90163C2C29A}\.cr\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe" -burn.filehandle.attached=648 -burn.filehandle.self=636
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\TEMP\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\WiseTurbo.exe
    C:\Windows\TEMP\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\WiseTurbo.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exe
      C:\Users\Admin\AppData\Roaming\serverAuth\WiseTurbo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\93552ef

Filesize
1.1MB

MD5
c0bec792bb3efcea1bcd2a086d282316

SHA1
e8cff2969fb91eb0e10d71ae8200eee1cb0754cc

SHA256
e5ed05383c3b0bd011a85522a35b6bb8a417f251135d57a0bf833ac7cf4c34df

SHA512
fc3734b7ec3621a63b9b49ade31873641a84c054a6a4290932d09605beb71113199bc2a657b2d224fa478ff8d7a868636d29f047095d9290449595628f48ee96

Download Submit
C:\Windows\TEMP\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\lilt.iso

Filesize
863KB

MD5
0905b3ca4c3989e8dd6222736ae3a151

SHA1
bee40c368333c70272b3f0c60cd0ae3383f909d8

SHA256
1672e7fa812259cf9ffb95bb24ebd6139fc40381a4f34267b5955f96b549ee20

SHA512
2e1da1157d0b774688c658bc711480b6950d3c98ef5deb64899f4d6bf9d93f0465a7cb53c23019ce2e1f60c9c24f41728411ff781ff5a2366a4d9841bfbbb68e

Download Submit
C:\Windows\TEMP\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\sqlite3.dll

Filesize
891KB

MD5
f18535f3edbc5a948cbe169b32532cd4

SHA1
54575320f198626ef74f08b17022671e05c09df0

SHA256
72b214770043bce3c69b35803f8c83bb04cd88561af4571ce5c13b68ce9f38f6

SHA512
2f4322043f55406772e6b16bc97e1c94c4f537ae6d8a238535a50717b7cb2eaa5ea1a7bd5fd184ffa6f1cf54e88f5a9128c51f77eb6b4a5d1368e6dd9737ddef

Download Submit
C:\Windows\Temp\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\Precursor.dll

Filesize
203KB

MD5
edd36228f691d9528e7a4a99ae237d0b

SHA1
90c234e0a27bffc9414e49743648f249e467287e

SHA256
a2c80f88af00d526b10c3b18c8403ff5ac6353ea229ed86c441303b6a6f9fcba

SHA512
30a4882a30255ca7869eb631ec56e0fbee5090cdad634efc0145d0e211082576ea8e3b9031a5a05b56513faf8849c21f2f890606dc6650820507c289aada87ad

Download Submit
C:\Windows\Temp\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\WiseTurbo.exe

Filesize
8.7MB

MD5
1f166f5c76eb155d44dd1bf160f37a6a

SHA1
cd6f7aa931d3193023f2e23a1f2716516ca3708c

SHA256
2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

SHA512
38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

Download Submit
C:\Windows\Temp\{42AB2A42-4902-4B11-BC65-0CE1260DEF2E}\.ba\caftan.bmp

Filesize
67KB

MD5
bd42648e3937a646fc2e5b71614a499e

SHA1
1d8bb75712dda9b26a035c8abfc96e6e1c182ba3

SHA256
406557b203253097558ce7b29367628a5e079667eba1c96aa5cfbc1da7159a4d

SHA512
c11f12036a35d3ef0b0acd00dd298caf146bbcc5435c4bf21f7c6b642e458b8e756652099da8b5e4eb40cb2293c2cae2bfc6dfbb63496edf7a7bb98b9cf50dab

Download Submit
C:\Windows\Temp\{E415D1B3-34CF-49C6-B748-E90163C2C29A}\.cr\92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603.exe

Filesize
4.5MB

MD5
c785d6c4511b8577ab1a17de6452f063

SHA1
7f7dc6e303d7ae0bf9ed48da70b1dc1bfe408305

SHA256
42019eb9f6c1c9420ef67e323139047ef07e9c14dc0ee109126cfa24ebbdfba7

SHA512
d767fcf9211b92685f41529b5842f8bef46d61a45549923f6a176f0d08b45c0d77099913df5adc8a506d35e14f9c51b05be68f7756d8d67d7ca79385dcef2130

Download Submit
memory/540-19-0x0000000073820000-0x000000007399B000-memory.dmp

Filesize
1.5MB

Download
memory/540-28-0x0000000000400000-0x0000000000D48000-memory.dmp

Filesize
9.3MB

Download
memory/540-20-0x00007FF98CE10000-0x00007FF98D005000-memory.dmp

Filesize
2.0MB

Download
memory/2948-63-0x00000000766D0000-0x00000000768E5000-memory.dmp

Filesize
2.1MB

Download
memory/2948-61-0x00007FF98CE10000-0x00007FF98D005000-memory.dmp

Filesize
2.0MB

Download
memory/2948-60-0x0000000001600000-0x0000000001A00000-memory.dmp

Filesize
4.0MB

Download
memory/2948-56-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/4152-40-0x0000000073820000-0x000000007399B000-memory.dmp

Filesize
1.5MB

Download
memory/4152-35-0x0000000000400000-0x0000000000D48000-memory.dmp

Filesize
9.3MB

Download
memory/4152-34-0x00007FF98CE10000-0x00007FF98D005000-memory.dmp

Filesize
2.0MB

Download
memory/4152-33-0x0000000073820000-0x000000007399B000-memory.dmp

Filesize
1.5MB

Download
memory/4624-45-0x0000000073820000-0x000000007399B000-memory.dmp

Filesize
1.5MB

Download
memory/4624-44-0x00007FF98CE10000-0x00007FF98D005000-memory.dmp

Filesize
2.0MB

Download
memory/6024-47-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download
memory/6024-48-0x00007FF98CE10000-0x00007FF98D005000-memory.dmp

Filesize
2.0MB

Download
memory/6024-49-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download
memory/6024-51-0x0000000002FC0000-0x00000000033C0000-memory.dmp

Filesize
4.0MB

Download
memory/6024-52-0x0000000002FC0000-0x00000000033C0000-memory.dmp

Filesize
4.0MB

Download
memory/6024-55-0x00000000766D0000-0x00000000768E5000-memory.dmp

Filesize
2.1MB

Download
memory/6024-59-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing