Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Sigma rule

title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
    - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
    - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
    - https://www.joesandbox.com/analysis/790122/0/html
    - https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll32:
        - OriginalFileName: 'RUNDLL32.EXE'
        - Image|endswith: '\rundll32.exe'
    selection_dll:
        CommandLine|contains: 'nsis_uns'
    selection_export_function:
        CommandLine|contains: 'PrintUIEntry'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
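As an added example (not code from the Sigma project or the rule's author), the rule's three selections and its `all of selection_*` condition evaluated in plain Python over a few constructed process_creation events; the field names follow the rule, Sigma's default case-insensitive matching is assumed, and every event below is invented:

```python
# Added example: re-implements the rule's detection block in Python so the
# matching semantics can be checked against hand-written events.
# Sigma string matching is case-insensitive by default, so values are lowered.

def _norm(value):
    return "" if value is None else str(value).lower()

def selection_rundll32(ev):
    # A list of maps in Sigma means OR between the entries.
    return (_norm(ev.get("OriginalFileName")) == "rundll32.exe"
            or _norm(ev.get("Image")).endswith("\\rundll32.exe"))

def selection_dll(ev):
    # CommandLine|contains: 'nsis_uns'
    return "nsis_uns" in _norm(ev.get("CommandLine"))

def selection_export_function(ev):
    # CommandLine|contains: 'PrintUIEntry'
    return "printuientry" in _norm(ev.get("CommandLine"))

def matches(ev):
    # condition: all of selection_*
    return (selection_rundll32(ev) and selection_dll(ev)
            and selection_export_function(ev))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\nsis_uns1234.dll,PrintUIEntry"},  # expected hit
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\srv\p"'},  # legit printer install, no nsis_uns
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s nsis_uns.dll"},  # wrong host binary
    {"Image": r"C:\tmp\RUNDLL32.exe", "OriginalFileName": "notepad.exe",
     "CommandLine": r"RUNDLL32.exe nsis_unsXYZ.dll,PrintUIEntry"},  # spoofed PE name, Image still matches
]

def run(events=SAMPLE_EVENTS):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]

if __name__ == "__main__":
    print("matching events:", run())
```

The second event shows why `nsis_uns` is what separates this rule from the common, benign `printui.dll,PrintUIEntry` usage; the fourth shows that the OR inside `selection_rundll32` still fires when only the image path, not the PE metadata, looks like rundll32.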
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- Equation Group DLL_U Export Function Load
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Fireball Archer Install