Rhadamanthys Stealer Module Launch Via Rundll32.EXE

    Date: 08/19/2024

    Severity: Medium

    Summary

    "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" refers to an attack technique in which a malicious "stealer" module is executed through the `rundll32.exe` system utility. This utility normally loads and runs DLL files; attackers abuse it to execute malicious code hidden inside a DLL. The Rhadamanthys stealer module is built to steal sensitive information from the infected system, such as login credentials and other personal data. Running under `rundll32.exe` helps the malware evade detection by blending in with legitimate system processes.

    Indicators of Compromise (IOC) List

    OriginalFileName

    'RUNDLL32.EXE'

    Image

    '\rundll32.exe'

    CommandLine

    'nsis_uns'

    'PrintUIEntry'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((resourcename in ("Sysmon") AND eventtype = "1") AND originalfilename = "RUNDLL32.EXE") AND image = "\rundll32.exe") AND commandline in ("nsis_uns", "PrintUIEntry"))

    Detection Query 2

    ((((Technologygroup = "EDR" ) AND originalfilename = "RUNDLL32.EXE") AND image = "\rundll32.exe") AND commandline in ("nsis_uns", "PrintUIEntry"))
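    Added example (not Gurucul's or SigmaHQ's code): the two queries above replayed in Python over constructed Sysmon Event ID 1 records. It assumes the query's `image` test is a suffix match, that `commandline in (...)` means substring matching, and that the sample events and the placeholder DLL path are constructed; it also separates a full match of both command-line indicators from a match on `PrintUIEntry` alone, since that export is also used legitimately with printui.dll.

```python
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1); not real telemetry.
# The DLL path in the first record is a placeholder shaped like the pattern the rule targets.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\nsis_uns_PLACEHOLDER.dll,PrintUIEntry"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\printsrv\HQ-Printer"'},  # admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe nsis_uns.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe PrintUIEntry"},  # network event, not process creation
]

CLI_INDICATORS = ("nsis_uns", "PrintUIEntry")  # command-line indicators listed on the page


def is_rundll32(event: Dict[str, object]) -> bool:
    """Image must end in \\rundll32.exe AND OriginalFileName (PE version info) must be
    RUNDLL32.EXE: a renamed copy or a lookalike binary fails one of the two checks.
    Comparison is case-insensitive because Windows paths are."""
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).upper()
    return image.endswith("\\rundll32.exe") and original == "RUNDLL32.EXE"


def matched_indicators(command_line: str) -> List[str]:
    """Case-insensitive substring match per indicator (assumed semantics of the query's `in`)."""
    lowered = command_line.lower()
    return [i for i in CLI_INDICATORS if i.lower() in lowered]


def evaluate(event: Dict[str, object]) -> Optional[str]:
    """'high' when every indicator is present, 'low' when only some are, None otherwise.
    PrintUIEntry by itself is the legitimate printui.dll export used for printer installs,
    so that case is kept as a lower-confidence hit for triage instead of a full alert."""
    if event.get("EventID") != 1 or not is_rundll32(event):
        return None
    hits = matched_indicators(str(event.get("CommandLine", "")))
    if len(hits) == len(CLI_INDICATORS):
        return "high"
    return "low" if hits else None


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run the detection over a batch; returns (event index, confidence) for each hit."""
    verdicts = ((idx, evaluate(e)) for idx, e in enumerate(events))
    return [(idx, v) for idx, v in verdicts if v is not None]
```

Running `scan(SAMPLE_EVENTS)` flags the first record as high confidence and the printer-install record as low confidence; the notepad and network records produce no hit.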

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml


    Tags

    SigmaMalware
