rhadamanthys | 7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846 | Triage

Submit
Reports

Overview

overview

Static

static

3

Crown.zip

windows7-x64

1

Crown.zip

windows10-2004-x64

1

Launcher.exe

windows7-x64

Launcher.exe

windows10-2004-x64

eventlog_provider.dll

windows7-x64

1

eventlog_provider.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

Sharing

General

Target

Crown.zip
Size

223KB
Sample

240615-w252xszgpf
MD5

bb3dd9f35a450af1a16a952d1067598c
SHA1

3f767ab4470bf57ca7f7a4cc69b92a8bebe4d30a
SHA256

7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846
SHA512

ec785e7b41a08243aeb699b790ea26b4572b41e1a310446cee36eb015973761aebbf3a2d07a842c0a75a4d87c00704e080ba66106cc8d5d703cd35ea88c25278
SSDEEP

6144:ao3qVoa1c03t+FcKvKitzLIjcJmA98sXIpl4:VqJek9+zsjc4A9JXIpl4

Score

10^/10

rhadamanthys evasion execution persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Crown.zip

Resource

win7-20231129-en

windows7-x64

0 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Crown.zip

Resource

win10v2004-20240508-en

windows10-2004-x64

0 signatures

1800 seconds

Behavioral task

behavioral3

Sample

Launcher.exe

Resource

win7-20240221-en

windows7-x64

6 signatures

1800 seconds

Behavioral task

behavioral4

Sample

Launcher.exe

Resource

win10v2004-20240611-en

rhadamanthys evasion execution persistence stealer

windows10-2004-x64

30 signatures

1800 seconds

Behavioral task

behavioral5

Sample

eventlog_provider.dll

Resource

win7-20240221-en

windows7-x64

0 signatures

1800 seconds

Behavioral task

behavioral6

Sample

eventlog_provider.dll

Resource

win10v2004-20240611-en

windows10-2004-x64

0 signatures

1800 seconds

Behavioral task

behavioral7

Sample

libEGL.dll

Resource

win7-20240508-en

windows7-x64

1 signatures

1800 seconds

Behavioral task

behavioral8

Sample

libEGL.dll

Resource

win10v2004-20240611-en

windows10-2004-x64

0 signatures

1800 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Targets

- Target
  
  Crown.zip
- Size
  
  223KB
- MD5
  
  bb3dd9f35a450af1a16a952d1067598c
- SHA1
  
  3f767ab4470bf57ca7f7a4cc69b92a8bebe4d30a
- SHA256
  
  7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846
- SHA512
  
  ec785e7b41a08243aeb699b790ea26b4572b41e1a310446cee36eb015973761aebbf3a2d07a842c0a75a4d87c00704e080ba66106cc8d5d703cd35ea88c25278
- SSDEEP
  
  6144:ao3qVoa1c03t+FcKvKitzLIjcJmA98sXIpl4:VqJek9+zsjc4A9JXIpl4
Score

1^/10
behavioral1 behavioral2
- Target
  
  Launcher.exe
- Size
  
  7KB
- MD5
  
  b5e479d3926b22b59926050c29c4e761
- SHA1
  
  a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256
  
  fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512
  
  09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP
  
  192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Score

10^/10

execution rhadamanthys evasion persistence stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  eventlog_provider.dll
- Size
  
  16KB
- MD5
  
  81e54afe77273c3092ae03e1230bc6c6
- SHA1
  
  1247931bdc95bcaf6ffc5c2b3b0971c9362eccd1
- SHA256
  
  88bcda3da0b1af70c3aa710bb8cf52b337e5a251392f1dd905a3e7617d253a55
- SHA512
  
  5193f05c164003425843f2fb0297ae71ef6407aa95f3f4d5e8aee0ce4f15e184d05e1af05c3233b24a5951fa6edd737fac846273503e247677c35a74077db62c
- SSDEEP
  
  384:6eXNaiSEIYi6yrkiONBAM+o/8E9VF0NyhB:6+s1Yi6yBONBAMxkE
Score

1^/10
behavioral5 behavioral6
- Target
  
  libEGL.dll
- Size
  
  469KB
- MD5
  
  2a568dc1f848b2948dfd90c8ebeb58c6
- SHA1
  
  e765ca8946ce091651c6722c650d9ad5edfeb5d5
- SHA256
  
  c00285c0174024739997898e98444deb4cbfe6b571cca69ca3bf8e5ab3ea5bbe
- SHA512
  
  a6ce4ead89933d32ea24766f887655ee5894ef1813faf97ebb2191a775488ba2fd77bcb4aedefc273ef85f5a93a9a5dd3d35b213a52d95b0cc4111708d9fcee5
- SSDEEP
  
  3072:4kgdNXYPuSHGjFXVYbAQSIoU8w1Z5iErbFdWE7D6i/wZJothADZX+Lcq7gv+xt4f:47Vl/HxUniSbFdH1/wXFufMG9x2qPz
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Process Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

rhadamanthysevasionexecutionpersistencestealer

behavioral5

behavioral6

behavioral7

behavioral8

© 2018-2024

Terms | Privacy