rhadamanthys | 143a401d4b53578aaa517cefbf94997c9862c58b87de79eb2d00b203cbbf7ad8

General

Target

Deushack.exe
Size

35.9MB
MD5

5c968b2507b72eb3c15b11eac7f8e852
SHA1

9d88d858047f2e6153c7b7c4dbb9bf0674ec6929
SHA256

143a401d4b53578aaa517cefbf94997c9862c58b87de79eb2d00b203cbbf7ad8
SHA512

69282d30afcadb5e9e3d57e59a84bdabfd0a9988e97a9dd674a857f5d3f8035af084f0b62d0cf8d6c6c0bfaccbb9a554dc994e7990f2d4b676a88dfdbf9c1c2b
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfb:fMguj8Q4VfvNqFTrYa

Score

10^/10

rhadamanthys defense_evasion discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral1/memory/1896-26-0x0000000000400000-0x0000000000522000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1896 created 2640	1896	MSBuild.exe	44

Downloads MZ/PE file 1 IoCs

flow	pid	Process
16	1496	Discord.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	Discord.exe
4352	2PXRHBX2.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4352 set thread context of 1896	4352	2PXRHBX2.exe	105

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
1896	MSBuild.exe
1896	MSBuild.exe
1896	MSBuild.exe
1896	MSBuild.exe
3960	fontdrvhost.exe
3960	fontdrvhost.exe
3960	fontdrvhost.exe
3960	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	Discord.exe
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 2704	3984	Deushack.exe	94
PID 3984 wrote to memory of 2704	3984	Deushack.exe	94
PID 2704 wrote to memory of 1496	2704	cmd.exe	95
PID 2704 wrote to memory of 1496	2704	cmd.exe	95
PID 1496 wrote to memory of 2836	1496	Discord.exe	97
PID 1496 wrote to memory of 2836	1496	Discord.exe	97
PID 1496 wrote to memory of 4100	1496	Discord.exe	99
PID 1496 wrote to memory of 4100	1496	Discord.exe	99
PID 4100 wrote to memory of 4352	4100	cmd.exe	101
PID 4100 wrote to memory of 4352	4100	cmd.exe	101
PID 4352 wrote to memory of 3644	4352	2PXRHBX2.exe	104
PID 4352 wrote to memory of 3644	4352	2PXRHBX2.exe	104
PID 4352 wrote to memory of 3644	4352	2PXRHBX2.exe	104
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 4352 wrote to memory of 1896	4352	2PXRHBX2.exe	105
PID 1896 wrote to memory of 3960	1896	MSBuild.exe	106
PID 1896 wrote to memory of 3960	1896	MSBuild.exe	106
PID 1896 wrote to memory of 3960	1896	MSBuild.exe	106
PID 1896 wrote to memory of 3960	1896	MSBuild.exe	106
PID 1896 wrote to memory of 3960	1896	MSBuild.exe	106

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3960

C:\Users\Admin\AppData\Local\Temp\Deushack.exe
"C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\UpdaterService\Discord.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\UpdaterService\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\UpdaterService\Discord.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFMAeQBzAHQAZQBtAEwAbwBnAHMAJwA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\SystemLogs\2PXRHBX2.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Users\Admin\AppData\Local\SystemLogs\2PXRHBX2.exe
        
        "C:\Users\Admin\AppData\Local\SystemLogs\2PXRHBX2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SystemLogs\2PXRHBX2.exe

Filesize
3.2MB

MD5
989a61c1043f1267095a8bb396500830

SHA1
235d3eb42c6c66d71777d927a42ba4db33c205a4

SHA256
bfe8a764e4c82d2cb74a80df209069295fb85b2e458eee2ea3b2bf8da55bb363

SHA512
491275f8f5c76a0a9793265b9b8fbb591058920e3c9936396677dd4215dcadd8a594fd4f428991371a768a97270d04c633e46d6e82bfed5623caa7f9cf65c6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpdaterService\Discord.exe

Filesize
7KB

MD5
a46b45489799bdc265a0d66c1bbaa374

SHA1
58bdd58c9fa884da0ce7e469f41d20e338175083

SHA256
88fce138c5a8010178facb5b724c198c8d7e539d9a9e60a949fcff9df82c4743

SHA512
97abb207c41f6172ce45dcba0f18914fdda7af35740cbc369a2f9d3c0fbfdb6561542bcac6c83316ee881d09239f61d1b68d7f6fb67d7ca0b3cc4fa460689dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wgqvm14.r1l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1496-5-0x00007FFF7F393000-0x00007FFF7F395000-memory.dmp

Filesize
8KB

Download
memory/1496-6-0x000002854B800000-0x000002854B808000-memory.dmp

Filesize
32KB

Download
memory/1496-7-0x00007FFF7F390000-0x00007FFF7FE51000-memory.dmp

Filesize
10.8MB

Download
memory/1496-22-0x00007FFF7F390000-0x00007FFF7FE51000-memory.dmp

Filesize
10.8MB

Download
memory/1896-26-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1896-27-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/1896-28-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/1896-29-0x0000000005500000-0x0000000005900000-memory.dmp

Filesize
4.0MB

Download
memory/1896-30-0x0000000005500000-0x0000000005900000-memory.dmp

Filesize
4.0MB

Download
memory/1896-31-0x00007FFF9F390000-0x00007FFF9F585000-memory.dmp

Filesize
2.0MB

Download
memory/1896-33-0x0000000076C00000-0x0000000076E15000-memory.dmp

Filesize
2.1MB

Download
memory/2836-10-0x0000016CEDFA0000-0x0000016CEDFC2000-memory.dmp

Filesize
136KB

Download
memory/3960-34-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/3960-37-0x0000000000BD0000-0x0000000000FD0000-memory.dmp

Filesize
4.0MB

Download
memory/3960-38-0x00007FFF9F390000-0x00007FFF9F585000-memory.dmp

Filesize
2.0MB

Download
memory/3960-40-0x0000000076C00000-0x0000000076E15000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing