General

  • Target: Moon Spoofer.zip
  • Size: 212KB
  • Sample: 240609-ynwx7sfa54
  • MD5: 058f74a97a6cfe0e58c84165a6d6c370
  • SHA1: acd45a01760d109f5c21eea813d99cfa0e4ed4fb
  • SHA256: a52919133d8f4bf31890c9a4801c946c3e9f162302092c2660b6d93d836f5dd8
  • SHA512: 69eff070b860ec8e98c335a76be560adceba586a460265dce392f2c928e3f8111832f9ee5969691a1050b15485ca56beec75ffcd007f3922a7eddda2c17aa4b4
  • SSDEEP: 6144:XIFHnNtSAJXT7VBsj60FmVDCjTggc6vk7lTqLEw4kNFN5kT3rHaqACp1qiWXcl4U:YHNwAJPkj60FmVDQc6vC

Malware Config

Extracted

  • Language: ps1
  • Source
  • URLs: ps1.dropper https://rentry.org/FUCKOFFNIGGA/raw

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs: exe.dropper https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar

Targets

    • Target: Moon Spoofer/Moon Spoofer/Spoofer.exe
    • Size: 7KB
    • MD5: 960d70161f0ac1ddd8093955446bdcbc
    • SHA1: 5943c81939f9b43228e2fe2f65e90c54660ae47f
    • SHA256: 31e6573e37d06a71b3025c0e9ed4901093ed5262bc60bbbdf7ce1ed28ebb021a
    • SHA512: 8f3f6091fb3d09d4cdb0f9540bbbc2de0562dd5bb77c8446db49f274be7b173cbc0aa24206e25838cc6b6c6578440c0ecfd1a17acc94c50ebd014cbe16617c14
    • SSDEEP: 192:+9yqvjp73xsznGjcJr9emxan6mUqlwc6nYZKvkV/9dXq:+9Jv1dOnGjcJrQmxan6m/ec6nYZSkV/2

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

    • Command and Scripting Interpreter, T1059 (1)
    • PowerShell, T1059.001 (1)
    • Scheduled Task/Job, T1053 (1)

Persistence

    • Scheduled Task/Job, T1053 (1)

Privilege Escalation

    • Scheduled Task/Job, T1053 (1)

Discovery

    • Query Registry, T1012 (2)
    • System Information Discovery, T1082 (2)
    • Process Discovery, T1057 (1)

Command and Control

    • Web Service, T1102 (1)

Tasks