Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Sigma rule
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
    - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
    - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
    - https://www.joesandbox.com/analysis/790122/0/html
    - https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023/01/26
modified: 2023/02/05
tags:
    - attack.defense_evasion
    - attack.t1218.011
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll32:
        - OriginalFileName: 'RUNDLL32.EXE'
        - Image|endswith: '\rundll32.exe'
    selection_dll:
        CommandLine|contains: 'nsis_uns'
    selection_export_function:
        CommandLine|contains: 'PrintUIEntry'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
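The rule's condition `all of selection_*` requires every selection to hold, and `selection_rundll32` is a list of maps, so its two entries are OR-ed (a match on either `OriginalFileName` or `Image`). To show how those pieces combine against process_creation telemetry, here is an added Python reimplementation of the matching logic run over a few constructed events. This is example code written for this page, not part of the Sigma project or its backends; the event dictionaries and their command lines are made up for the test and are not real telemetry, and the function names are the editor's choice. Sigma's `contains`/`endswith` modifiers are case-insensitive by default, which the helpers below reproduce by lowercasing.

```python
from typing import Dict, Iterable, List

# Constructed sample process_creation events (not real telemetry). Field names follow
# the Sigma windows/process_creation taxonomy used by the rule above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: expected to match - rundll32 loading a DLL named like nsis_uns* via PrintUIEntry
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe C:\Users\Public\nsis_unsABCD.dll,PrintUIEntry",
    },
    {   # 1: benign printer-driver install through printui.dll: PrintUIEntry but no nsis_uns,
        #    so selection_dll fails and the rule must NOT fire
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\printsrv\hp-laser"',
    },
    {   # 2: copy of rundll32 under another name - Image does not end with \rundll32.exe,
        #    but OriginalFileName from the PE header still does, so selection_rundll32 holds
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"svc.exe C:\Users\Public\nsis_unsABCD.dll,PrintUIEntry",
    },
    {   # 3: both strings present but the process is not rundll32 at all - no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c dir nsis_uns PrintUIEntry",
    },
]


def _ci_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def _ci_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def selection_rundll32(ev: Dict[str, str]) -> bool:
    # List-of-maps selection in Sigma: the two entries are OR-ed.
    return (
        ev.get("OriginalFileName", "").lower() == "rundll32.exe"
        or _ci_endswith(ev.get("Image", ""), "\\rundll32.exe")
    )


def selection_dll(ev: Dict[str, str]) -> bool:
    return _ci_contains(ev.get("CommandLine", ""), "nsis_uns")


def selection_export_function(ev: Dict[str, str]) -> bool:
    return _ci_contains(ev.get("CommandLine", ""), "PrintUIEntry")


def matches_rhadamanthys_rule(ev: Dict[str, str]) -> bool:
    """condition: all of selection_* -> every selection must be true."""
    return selection_rundll32(ev) and selection_dll(ev) and selection_export_function(ev)


def scan(events: Iterable[Dict[str, str]]) -> List[int]:
    """Return the indices of events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rhadamanthys_rule(ev)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running it alerts on events 0 and 2 only: the legitimate `printui.dll,PrintUIEntry` invocation in event 1 is filtered out because the rule also demands the `nsis_uns` substring, which is why keeping all three selections AND-ed matters for the false-positive rate. Event 2 illustrates the purpose of the `OriginalFileName` alternative: it keys on the PE version resource rather than the on-disk file name.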
Related rules
- NotPetya Ransomware Activity
- Equation Group DLL_U Export Function Load
- Potential Emotet Rundll32 Execution
- Sofacy Trojan Loader Activity
- Potential Bumblebee Remote Thread Creation