rhadamanthys | ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc

Analysis

max time kernel
195s
max time network
260s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-06-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
Size

1.7MB
MD5

4363d52fe7027df2212ad2b3333ebaf9
SHA1

beac1fc8c012a28cb9f38f6e4296278543048fcf
SHA256

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc
SHA512

bb5bcb9f7b42d370b86ad7d4c16605d9bf755fd2291a70716facc2aa62baf45aabf068882c413334332af5819a97c9c4d7703edb9ec84edd8e87c57bab36acee
SSDEEP

24576:ZMm5SH6MIl3LkGDhsmD/U0wA77v+M0yYvh3J9oeVaEJyqH2ai519He:ZMm5Lnl7kSUEXvAyUh3J9oeVaEk5rHe

Score

10^/10

rhadamanthys spyware stealer

Malware Config

Signatures

Detects DLL dropped by Raspberry Robin. 2 IoCs

Raspberry Robin.

Processes:

resource	yara_rule
behavioral2/memory/3712-32-0x0000000073B50000-0x0000000073D12000-memory.dmp	Raspberry_Robin_DLL_MAY_2022
behavioral2/memory/4512-38-0x0000000073B50000-0x0000000073D12000-memory.dmp	Raspberry_Robin_DLL_MAY_2022

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AddInProcess32.exe

description pid process target process

PID 3712 created 3108 3712 AddInProcess32.exe sihost.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	pid	process	target process
PID 3712 created 3108	3712	AddInProcess32.exe	sihost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exeAddInProcess32.exe

description	pid	process	target process
PID 3580 set thread context of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 set thread context of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3920 set thread context of 2132	3920	AddInProcess32.exe	InstallUtil.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2268 3712 WerFault.exe AddInProcess32.exe
3916 3712 WerFault.exe AddInProcess32.exe

pid	pid_target	process	target process
2268	3712	WerFault.exe	AddInProcess32.exe
3916	3712	WerFault.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exeAddInProcess32.exeAddInProcess32.exedialer.exeInstallUtil.exe

pid	process
3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
3920	AddInProcess32.exe
3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
3920	AddInProcess32.exe
3712	AddInProcess32.exe
3712	AddInProcess32.exe
4512	dialer.exe
4512	dialer.exe
4512	dialer.exe
4512	dialer.exe
2132	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exeAddInProcess32.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
Token: SeDebugPrivilege	3920	AddInProcess32.exe
Token: SeDebugPrivilege	2132	InstallUtil.exe
Token: SeBackupPrivilege	2132	InstallUtil.exe
Token: SeSecurityPrivilege	2132	InstallUtil.exe
Token: SeSecurityPrivilege	2132	InstallUtil.exe
Token: SeSecurityPrivilege	2132	InstallUtil.exe
Token: SeSecurityPrivilege	2132	InstallUtil.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exeAddInProcess32.exeAddInProcess32.exe

description	pid	process	target process
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3920	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 1548	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3580 wrote to memory of 3712	3580	ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe	AddInProcess32.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3920 wrote to memory of 2132	3920	AddInProcess32.exe	InstallUtil.exe
PID 3712 wrote to memory of 4512	3712	AddInProcess32.exe	dialer.exe
PID 3712 wrote to memory of 4512	3712	AddInProcess32.exe	dialer.exe
PID 3712 wrote to memory of 4512	3712	AddInProcess32.exe	dialer.exe
PID 3712 wrote to memory of 4512	3712	AddInProcess32.exe	dialer.exe
PID 3712 wrote to memory of 4512	3712	AddInProcess32.exe	dialer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:3108

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Users\Admin\AppData\Local\Temp\ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe
"C:\Users\Admin\AppData\Local\Temp\ff7284f443ac1839a20dff816f93f2f7e09a3c3e50cf9b8d479c620fc282ddcc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 516
3⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 500
3⤵
- Program crash
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-48-0x000000000A730000-0x000000000AC5C000-memory.dmp

Filesize
5.2MB

Download
memory/2132-40-0x0000000008680000-0x000000000878A000-memory.dmp

Filesize
1.0MB

Download
memory/2132-25-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2132-41-0x00000000085C0000-0x00000000085D2000-memory.dmp

Filesize
72KB

Download
memory/2132-42-0x0000000008620000-0x000000000865E000-memory.dmp

Filesize
248KB

Download
memory/2132-43-0x0000000008790000-0x00000000087DB000-memory.dmp

Filesize
300KB

Download
memory/2132-39-0x0000000008AF0000-0x00000000090F6000-memory.dmp

Filesize
6.0MB

Download
memory/2132-44-0x0000000008920000-0x0000000008986000-memory.dmp

Filesize
408KB

Download
memory/2132-45-0x0000000009280000-0x00000000092F6000-memory.dmp

Filesize
472KB

Download
memory/2132-46-0x0000000008AD0000-0x0000000008AEE000-memory.dmp

Filesize
120KB

Download
memory/2132-47-0x000000000A030000-0x000000000A1F2000-memory.dmp

Filesize
1.8MB

Download
memory/3580-6-0x0000000006360000-0x00000000063A4000-memory.dmp

Filesize
272KB

Download
memory/3580-18-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-10-0x00000000731BE000-0x00000000731BF000-memory.dmp

Filesize
4KB

Download
memory/3580-14-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-9-0x0000000009E60000-0x0000000009E66000-memory.dmp

Filesize
24KB

Download
memory/3580-8-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/3580-7-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/3580-11-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-5-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-4-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/3580-3-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/3580-0-0x00000000731BE000-0x00000000731BF000-memory.dmp

Filesize
4KB

Download
memory/3580-24-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3580-2-0x0000000005960000-0x0000000005E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3580-1-0x0000000000A10000-0x0000000000BC0000-memory.dmp

Filesize
1.7MB

Download
memory/3712-22-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3712-28-0x0000000003CF0000-0x00000000040F0000-memory.dmp

Filesize
4.0MB

Download
memory/3712-30-0x00007FF89F3E0000-0x00007FF89F5BB000-memory.dmp

Filesize
1.9MB

Download
memory/3712-32-0x0000000073B50000-0x0000000073D12000-memory.dmp

Filesize
1.8MB

Download
memory/3712-29-0x0000000003CF0000-0x00000000040F0000-memory.dmp

Filesize
4.0MB

Download
memory/3712-21-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3920-17-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-27-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-20-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-19-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-16-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-15-0x00000000731B0000-0x000000007389E000-memory.dmp

Filesize
6.9MB

Download
memory/3920-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3920-12-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4512-38-0x0000000073B50000-0x0000000073D12000-memory.dmp

Filesize
1.8MB

Download
memory/4512-36-0x00007FF89F3E0000-0x00007FF89F5BB000-memory.dmp

Filesize
1.9MB

Download
memory/4512-35-0x00000000043E0000-0x00000000047E0000-memory.dmp

Filesize
4.0MB

Download
memory/4512-33-0x00000000028D0000-0x00000000028D9000-memory.dmp

Filesize
36KB

Download