Overview

overview

10

Static

static

1

meteor-cli....6.jar

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    meteor-client-0.5.6.jar

  • Size

    4.3MB

  • Sample

    240614-yk5e6stbrc

  • MD5

    aeb72058322874fdd27ff6a756833ca1

  • SHA1

    708afcdc073b4da7cbc4f2730a9f4aec301a0192

  • SHA256

    0058cfe2b24392bb6d84a7cbae10c66ecadfcef47b31e7fa5ad0e8f0b4f71c99

  • SHA512

    81f204fba4b377b171c3d9ac290707808bac1a7d8cf6f955e568d3eec0ef740428cce24c6a7bddaff17f7c6f383ad3694064c55c4dee2b95c50132fb13df78bd

  • SSDEEP

    98304:RM2SKrU1EdVTWClwpcBb0ugFxA0aT7gCNh50kKxES20:RM2uuZWClwgbrWAhxKxg0

Score
10/10
rhadamanthysdiscoveryevasionexecutionpersistencestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Targets

    • Target

      meteor-client-0.5.6.jar

    • Size

      4.3MB

    • MD5

      aeb72058322874fdd27ff6a756833ca1

    • SHA1

      708afcdc073b4da7cbc4f2730a9f4aec301a0192

    • SHA256

      0058cfe2b24392bb6d84a7cbae10c66ecadfcef47b31e7fa5ad0e8f0b4f71c99

    • SHA512

      81f204fba4b377b171c3d9ac290707808bac1a7d8cf6f955e568d3eec0ef740428cce24c6a7bddaff17f7c6f383ad3694064c55c4dee2b95c50132fb13df78bd

    • SSDEEP

      98304:RM2SKrU1EdVTWClwpcBb0ugFxA0aT7gCNh50kKxES20:RM2uuZWClwgbrWAhxKxg0

    Score
    10/10
    rhadamanthysdiscoveryevasionexecutionpersistencestealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks