Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Sigma rule

```yaml
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
    - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
    - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
    - https://www.joesandbox.com/analysis/790122/0/html
    - https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll32:
        - OriginalFileName: 'RUNDLL32.EXE'
        - Image|endswith: '\rundll32.exe'
    selection_dll:
        CommandLine|contains: 'nsis_uns'
    selection_export_function:
        CommandLine|contains: 'PrintUIEntry'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
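The following is an added example, not part of the Sigma project or of this rule: a small Python evaluator that applies the rule's three selections and its `all of selection_*` condition to constructed process_creation events, including a benign `printui.dll,PrintUIEntry` launch (the legitimate use of that export) and a renamed-rundll32 case that only the `OriginalFileName` branch catches. Event field names follow Sigma's Windows process_creation schema; every path and command line is constructed.

```python
# Added example, not part of the Sigma project or this rule: a reference
# evaluator for the rule's detection logic, run over constructed
# process_creation events. Field names follow Sigma's Windows
# process_creation schema (Image, OriginalFileName, CommandLine).

def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: all of selection_*'."""
    # Sigma string matching is case-insensitive by default, so normalise.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_rundll32 is a list of maps, so its entries are OR-ed:
    # either the PE's OriginalFileName or the on-disk image name must match.
    sel_rundll32 = original == "rundll32.exe" or image.endswith("\\rundll32.exe")
    # selection_dll / selection_export_function use the |contains modifier.
    sel_dll = "nsis_uns" in cmdline
    sel_export = "printuientry" in cmdline
    return sel_rundll32 and sel_dll and sel_export


# Constructed sample events (not real telemetry; paths are placeholders).
SAMPLE_EVENTS = [
    {   # Benign: printui.dll's real PrintUIEntry export used to add a printer.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\srv\prn"',
    },
    {   # Matches: rundll32 loading an nsis_uns* module through PrintUIEntry.
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\nsis_unsEXAMPLE.dll,PrintUIEntry",
    },
    {   # Matches via OriginalFileName even though rundll32 was renamed on disk.
        "Image": r"C:\Users\u\AppData\Local\Temp\r32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"r32.exe nsis_unsEXAMPLE.dll,PrintUIEntry",
    },
    {   # Does not match: nsis_uns present but a different export is called.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe nsis_unsEXAMPLE.dll,OtherExport",
    },
]


def evaluate(events) -> list:
    """Apply the rule to each event; returns one bool per event."""
    return [matches_rule(e) for e in events]
```

Running `evaluate(SAMPLE_EVENTS)` yields `[False, True, True, False]`; the first event shows why the `nsis_uns` term is needed to keep ordinary printer-driver installs out of the alerts.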
Related rules

- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- Equation Group DLL_U Export Function Load
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Fireball Archer Install