Rhadamanthys Stealer Module Launch Via Rundll32.EXE

Rule Info

Name
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Author
TropChaud
Description
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Reference
https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
Date
2023-01-26 00:00:00
Modified
2023-02-05 00:00:00
Id
5cdbc2e8-86dd-43df-9a1a-200d4745fba5
Tags
attack.defense_evasion attack.t1218.011 detection.emerging_threats DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=5cdbc2e8-86dd-43df-9a1a-200d4745fba5

Rule History

Author
Title
Date
Commit
github-actions[bot]
chore: promote older rules status from `experimental` to `test` (#4651)
2024-01-01
c3fe2da99
frack113
Update tags
2023-06-20
8c5dba374
Nasreddine Bencherchali
chore: move rules to new folders (#4205)
2023-05-02
637d61088
Nasreddine Bencherchali
feat: more fixes and updates
2023-02-05
68f0833cb
Nasreddine Bencherchali
fix: typo in the description
2023-01-27
c9d29d5bd
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-01-27
6325e75d4
IntelScott
Create proc_creation_win_rhadamanthys_dll_launch.yml
2023-01-26
6a954b6d0
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022