From Hidden Bee to Rhadamanthys – The Evolution of Custom Executable Formats – Check Point Research

Rhadamanthys is a rising infostealer whose core architecture mirrors Hidden Bee, evolving through a family of custom executable formats (NS, RS, HS, XS) and multi-stage in-memory loading. The report analyzes format design, shared techniques, converters to reconstruct PE, and cross-process data sharing via virtual filesystems and named mappings. #Rhadamanthys #HiddenBee

Key points

  • Rhadamanthys shows strong overlap with Hidden Bee in custom executable formats and practices like in-memory operation and steganography.
  • The article details Hidden Bee formats (NE/NS) and Rhadamanthys formats (RS/HS/XS), including how each is loaded, mapped, and reconstructed into PE files.
  • Stage progression and modularity rise over time, with Stage 1 loaders, Stage 2 RS/HS, and Stage 3 XS/XS2 components downloaded from C2s.
  • An AMSI bypass patch and Heaven’s Gate are used; the latter enables cross-architecture loading of 64-bit modules from a 32-bit process.
  • Data sharing via named mappings and virtual filesystems (e.g., !Rex) supports cross-process communication and modular loading.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Lua scripts – Brief description: Rhadamanthys uses Lua scripts for its modular payloads. Quote: “Rhadamanthys can run LUA scripts.”
  • [T1057] Process Discovery – Enumerating processes to evade analysis – Brief description: The XS/Stage 1 loader enumerates processes to detect analysis tools. Quote: “enumerating running processes and comparing them against the list of known analysis tools.”
  • [T1562.001] Impair Defenses – AMSI bypass patch – Brief description: The Stage 1/loader includes a patch implementing AMSI bypass. Quote: “a patch responsible for AMSI bypass.”
  • [T1105] Ingress Tool Transfer – Downloading stages from C2 – Brief description: The loader downloads subsequent stages from the C2. Quote: “downloading the next stage” / “connecting to the C2 and downloading the next stage.”
  • [T1027.001] Obfuscated/Compressed Files and Information – RC4/XOR and import-name obfuscation – Brief description: RC4 encrypted config and XOR-based deobfuscation; imports are loaded via checksums. Quote: “The RC4-encrypted block is decrypted” and “import names are replaced by checksums.”
  • [T1003] Credential Dumping – KeePass credentials extraction – Brief description: KeePassHax.dll dumps KeePass credentials. Quote: “KeePassHax.dll is another .NET executable, responsible for dumping KeePass credentials.”
  • [T1036] Masquerading – Disguised NSIS installer DLL – Brief description: A DLL is disguised as an NSIS installer component. Quote: “disguised as a DLL related to NSIS installers.”

Indicators of Compromise

  • [Hash] File hash – Stage 1 packed sample and subsequent stages; 39e60dbcfa3401c2568f8ef27cf97a83d16fdbd43ecf61c3be565ee4e7b9092e, bd694e981db5fba281c306dc622a1c5ee0dd02efc29ef792a2100989042f0158
  • [Hash] Stage 2 main module and RS/HS samples; 3ecb1f99328a188d1369eb491338788b9ddeba6c038f0c14de275ee7ab96694b, 3aa34d44946b4405cd6fc85c735ae2b405d597a5ab018a6c46177f4e1b86d11a
  • [Hash] XS/XS2 variants; 0c0753affec66ea02d4e93ced63f95e6c535dc7d7afb7fcd7e75a49764fbef0d
  • [File Name] ua.txt – a list of user-agents used in package deployment
  • [File Name] prepare.bin – Stage 2/XS shellcode stub in the package

Read more: https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/