Dancing With Shellcodes: Analyzing Rhadamanthys Stealer

Threat Background

Rhadamanthys
  1. PART 1: The Dropper
    - Unpacking mechanism: getting to the first shellcode
    - Shellcode execution via Callback
    - Investigating the first shellcode
    - Fixing functions statically: Defining functions
    - Fixing functions statically: Defining code
    - Fixing the shellcode: Rebase the address
    - Shellcode functionality
    - Summarize the first shellcode
  2. PART 2: The second shellcode aka Rhadamanthys loader
    - Evasion technique: Multiple Anti-Analysis
    - Evasion technique: Manipulate exception handling
    - Evasion technique: Avoiding error messages
    - Evasion technique: Creating Mutex and impersonating a legitimate
    - Evasion technique: Unhooking API calls
    - Config Decryption
    - Network
    - Loader’s goal
  3. PART 3: The NSIS module: The Rhadamanthys stealer
    - Nsis loader
    - Rhadamanthys stealer capabilities
    - Resolving APIs dynamically
    - Evasion technique: Check and possibly manipulate AVAST’s AMSI-related modules

The Dropper

The dropper
Check ASLR

Unpacking mechanism: getting to the first shellcode

Blob
Creating new heap
  1. sub_406A28 - this function is responsible for returning an address containing the data to be written.
  2. sub_408528 - a wrapper of memcpy
Decrypting the shellcode
Assign the shellcode address

Shellcode execution via Callback

  1. The function sub_405728 is responsible for invoking the API call ImmEnumInputContext.
  2. sub_405728 receives as a parameter a function named sub_407228, which is just a wrapper for another function that jumps to the shellcode address.
  3. The final result is that ImmEnumInputContext receives the address of the shellcode in its second argument, “lpfn”, and executes it as the enumeration callback.
ImmEnumInputContext function in Microsoft documentation
Shellcode execution
Shellcode entry point

Investigating the first shellcode

  1. Dump the entire allocated buffer and run it in Blobrunner[5]
  2. Continue with the code dynamically (because why not?)
     - Right click on the address of the shellcode and click “Follow in Memory Map”
Going to the memory map
Dumping the shellcode

Fixing the shellcode: Defining functions

Defining functions

Fixing the shellcode: Defining code

Defining as code
  1. Mark the data
  2. Right click
  3. Click on “Undefine”
Defining as code
Defining as function
Defining as code and defining as function
Function bar

Fixing the shellcode: Rebase the address

  1. Go to Edit
  2. Segments
  3. Rebase program
Rebase

Shellcode functionality

  1. sub_450000 just jumps to sub_450028
  2. sub_450028 jumps to sub_45029E
Shellcode functionality
Get kernel32 address
  1. Kernel32 address
  2. Hashes
  3. An array that holds 4 functions
Hashing function
Decrypting data
Shellcode functionality
copy function
copied data
Jump to another shellcode

Summarize the first shellcode

Shellcode functionality
Second shellcode decryption

The second shellcode aka Rhadamanthys loader

Evasion Technique: Multiple Anti-Analysis

Anti-analysis checks

Evasion Technique: Manipulate Exception Handling

  1. A pointer to the next SEH record
  2. A pointer to the function that contains the code to deal with the error
Getting ZwQueryInformationProcess
Iterating in KiUserExceptionDispatcher
Patch KiUserExceptionDispatcher
KiUserExceptionDispatcher after the patch
_except_handler3
Manipulating the SEH

Evasion Technique: Avoiding error message

  1. SEM_NOOPENFILEERRORBOX - The system does not display the critical-error-handler message box. Instead, the system sends the error to the calling process.
  2. SEM_NOGPFAULTERRORBOX - The system does not display the Windows Error Reporting dialog.
  3. SEM_FAILCRITICALERRORS - The OpenFile function does not display a message box when it fails to find a file. Instead, the error is returned to the caller.
setErrorMode

Evasion Technique: Creating Mutex and impersonating a legitimate

Creating Mutex

Evasion Technique: Disabling hooks

Check for hooks
Disable hooks
  1. User32.dll
  2. Advapi32.dll
  3. Ole32.dll
Check for hooks in other DLLs
Check for hooks logic

Config Decryption

Config decryption

Network

  1. The default language using GetUserDefaultLangID
  2. The Locale using GetLocaleInfoW
Collect information about the machine
Set the User-Agent
Network activity
Getting ConnectEx
Send & Receive data
  1. Set a breakpoint at the address where WSASend is being executed.
  2. Follow in Dump the address of the second parameter, lpBuffers.
  3. This buffer is a WSABUF structure, and its second field is a pointer to the actual buffer that is sent to the C2.
  4. To see it, just follow that pointer in Dump.
Observing data sent to the C2

Loader’s goal

  1. The loader downloads a DLL from the C2
  2. Writes it to disk under the name nsis_uns[xxxxxx].dll
  3. Spawns Rundll32 to execute the DLL via the export function “PrintUIEntry”, which is the name of a legitimate export of printui.dll.
Loader goal

NSIS Module: The Rhadamanthys stealer

  1. A loader (the Nsis module before unpacking)
  2. The actual stealer

NSIS Loader

Nsis module command
Nsis loader low detection rate
Loader main goal

Rhadamanthys stealer capabilities

Stealing KeePass passwords

Keepass

Usage of SQLite

Sqlite

Target multiple browsers

  1. Coc CoC
  2. Pale Moon
  3. Sleipnir5
  4. Opera
  5. Chrome
  6. Twinkstar
  7. Firefox
  8. Edge
Browsers

Target OpenVPN

OpenVPN

Target steam accounts

Valve

Target FileZilla passwords

  1. recentservers.xml
  2. sitemanager.xml
FileZilla

Target CoreFTP

CoreFTP

Target Discord

Discord

Collecting Telegram data

Telegram

Collecting information from various email

  1. Foxmail
  2. Outlook
  3. The BAT
Emails

Extracting web credentials using Vaultcli functions

Vault activity

Target WinSCP

WinSCP

Target CryptoCurrency entities

  1. Dogecoin
  2. Litecoin
  3. Monero
  4. Qtum
  5. Armory
  6. Bytecoin
  7. Binance
  8. Electron
  9. Solar wallet
  10. Zap
  11. WalletWasabi
  12. Zcash
  13. Ronin
  14. Avana
  15. OKX
Crypto
Querying registry keys for digital coin entities, from Joe[

Resolving APIs dynamically

Dynamic resolving

Evasion technique: Modify and possibly manipulate AVAST modules

Check AVAST’s AMSI-related DLLs
  1. avamsicli.dll
  2. amsi.dll
  3. AmsiScanString
  4. AmsiScanBuffer
  5. EtwEventWrite

Rhadamanthys files

References
