General

  • Target

    __x64___setup___x32__.zip

  • Size

    25.3MB

  • Sample

    240615-wdz6rstajq

  • MD5

    1cc8e4170179934a59233f34c2af53b6

  • SHA1

    ff7f2eee6e96476eeb9452a93550e6e84e35b98d

  • SHA256

    7e69827061badbc60857da82492217ba76ed14d71711d4587ce44b9545081976

  • SHA512

    1a0dcbf046462e68b8315296ca3b7bc5402e4385cbbd34a15d6b12262927e710f3f3fcfa54368f65a89040b49826f9e91478392b71c5129bb00918af0e55055a

  • SSDEEP

    786432:AlAlm7z66t7lRdL/QfDBRWxcp9s/W4p3voj+tCSqOQRO:9lU3tBHI3Wxrpf+SqHE

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://opensun.monster/25053.bs64

Targets

    • Target

      __x64___setup___x32__/TapiSysprep/TapiSysprep.dll

    • Size

      13KB

    • MD5

      960f26b09aa9002e0e1fb05a0f10f78c

    • SHA1

      c578efa3870517ef5d7994081331a084bada01a1

    • SHA256

      dea8d882f6492786d680ae5d94f6f107b072aed8e6ca4f968725d9752cd12d60

    • SHA512

      7c1af5de3e8f1b60e02188720943d3da0de71de030d3e648b9dfc10b871fe13c73c41225556839ff4bcbff53adf71aa5cfd69fdae0a892cbbc3599cc0518f7d6

    • SSDEEP

      192:/VWqpdfXRVpTkTdCk3gpKghDk8aFl0HvWOopbW:/VJpdfuTfgpqpYvWOabW

    Score
    1/10
    • Target

      __x64___setup___x32__/TapiSysprep/netprofm.dll

    • Size

      225KB

    • MD5

      77f52e2dd1dc997e6c533748d9f095f4

    • SHA1

      39d72d89d0e88a5ff718dc318b391c258fd53509

    • SHA256

      7fb531ef8583d7942efcf16d586b17e1424b548a2894ac0b6541291b38e250ce

    • SHA512

      00fd5dc4a1d5d5f2bb39387cc26732fb3c370fc211887ea5df76636229c3be1d2baa46f30b732d5ea70da3e1821e4407a019437cc22bb87fac7766f2601e6b31

    • SSDEEP

      3072:5pZaAxmzQ6U7RLmruZ8qBhrzZ4eXYWtQyE7D9Wr02kqvXkTtcbz0Z7:rpIzQXLCuZ8qBhCUPlXkTt4Q

    Score
    1/10
    • Target

      __x64___setup___x32__/TapiSysprep/rpcnsh.dll

    • Size

      33KB

    • MD5

      c5adbe46703a1db31a0c6ab7245f2da6

    • SHA1

      4cc8c03ed4b9ffc2566815954771f782b922b651

    • SHA256

      bff0b93f9071a867d514d6de196e1368f655bcf54d4fc1623ee043cdb1cdbd77

    • SHA512

      d73821a2dca2c2f3dbef5939053d00cd89f34b437e82f0077395c8b22ac297980514241c1b5c321c2765c0aaa5c12bd0ec6460a55bc6426d2064b6f147aea085

    • SSDEEP

      384:gJDA9T8UqV2bojUJvlPmMka1+02C6BkZNAM9xUFt2QiVbzBxBH/5eauCVvT0n1rg:L8U9FwE1+00BuPA45t1xZl9VvghJa

    Score
    1/10
    • Target

      __x64___setup___x32__/TapiSysprep/socialapis.dll

    • Size

      142KB

    • MD5

      d2c1d58bf9c0240e742e10969839ef53

    • SHA1

      f67e87b2e53c712ecfb0472a2c6ee6234f1f828a

    • SHA256

      387008f345ca655f9380a3e2e0ec1929a08a9bb8b452532ad2924173c5c24f2f

    • SHA512

      eae61aa14836498ef3d7de5c824ad4a4de1557d077a371242a6d1a7b12a53880d3e2e6159a3f6f8bda1ad1b069d9768c9780b92a28fcf51403aee5839fcf1b25

    • SSDEEP

      1536:6zZVvrXuv37p7cz3rEe5upcWmoBGOa2XXE19Mh/INEUSMWI0+EYBWUu7yd853RDZ:6HkWT0JTGOa2XXE192IVr100eyW5RDZ

    Score
    1/10
    • Target

      __x64___setup___x32__/acledit/BluetoothApis.dll

    • Size

      197KB

    • MD5

      4d94b748f43986885ab86ff33fad6f6a

    • SHA1

      8dd07387fde4d86a1fbf2128826aa32f31d3a561

    • SHA256

      ca8e99e2961492b4a0cea897aa0d4b451fdc4671ace1241395b0ae4558dc5c3a

    • SHA512

      b18feab6966c394d613258c1a1a1b72fada218d6a0c6115800a0a2dd71534987ad5a9ea447d24e11746669ed58d9b8b6447e28aeacfcb2d1659c5e0f1c787aee

    • SSDEEP

      3072:SE6FBbgcOp7AMD8KJIpHM24R/VT+8OLoP4xQ0BwwvHF3:J6FBkcOpDDt4MttVTxOLK4hwwvH

    Score
    1/10
    • Target

      __x64___setup___x32__/acledit/DevDispItemProvider.dll

    • Size

      119KB

    • MD5

      8d7ab1b071c1fb54edf629ce81acfd02

    • SHA1

      4d81ace706e5f86b9400190708124a28e341039a

    • SHA256

      d02ffd9efea43662b759c4862ddf378415acadbf16686e7efa56bb6449292b16

    • SHA512

      714b3046a016a7a84b18757d31172657b6ff8c8ab3e241a539723af696199dba9759883e445c44455012e7260a77c76a45c4d3319c22e2bc0866f1d1185abc86

    • SSDEEP

      1536:4vzHnzVRxidEI6muDDkTY3dMIm9x38zoR47JLrYEZ9AA8oo3XlrflK/Qox3SwPy5:gzHnEGdm9Zv47JLrYQ1CwPJS

    Score
    1/10
    • Target

      __x64___setup___x32__/acledit/acledit.dll

    • Size

      11KB

    • MD5

      7c2b65e0756e0dc59e0be5d9efd25da0

    • SHA1

      f6303b5239dd8bd5153e7f7c3593cad714462373

    • SHA256

      b89c8b36a4af02d835dc07b7a905e1a3f95308aac92f614810dd69eb71d9fffb

    • SHA512

      3c76acd4f5963bd3ad7a14449dab8bd16e4bb6f8df01070d3907398be65be56935c8cf204fc1d47c12ce1eb5eacebc098845c6d4543189455c75f18d638f0cfa

    • SSDEEP

      96:lYEn2RqMoqNGINrOp2Q96GOGZgmPlx2sVN2est7hnlCdCEW1YTWw9:iE2Qt8/9hGOG7L2WUNhnlgPW2TW

    Score
    1/10
    • Target

      __x64___setup___x32__/acledit/printui.dll

    • Size

      740KB

    • MD5

      39e595bd7e4e9afdb4bcd27eb7b3ca8f

    • SHA1

      db8021fc9ab1dbc39e5153afc0425cd58d3a3f66

    • SHA256

      286eb60f563a077a85fd4844f6454742f76761d8c1d348e202d589ebc001390d

    • SHA512

      461609324bf8685202a5fada589f3aa42bcbbc1b4e3fbae17d624ef50f68db69dabf9c0d6d2ab0beba4cc378b0647dfe13f097f25c92fdb465093d0dc26f0f7e

    • SSDEEP

      12288:68M6Cyn6YfWO7rs7ViwP7JOoRlkCg+wXKwrEe0JwsngNTp2ShQZxy:68zCXbOP6ViwP7JOKVx4b0JCNTkS8

    Score
    1/10
    • Target

      __x64___setup___x32__/dsreg/dcntel.dll

    • Size

      768KB

    • MD5

      34a0c0ceee88cc435a273253cac4ec07

    • SHA1

      bf66c56aecbf52d26435ae2c85129a909dc6a8a7

    • SHA256

      86eabe6da51fcf15428fd945492e27075721e3d857c987fe1a830a0f6f7dd4c6

    • SHA512

      2f5d69938cfedcf5b3c5edabf181f3cdb9525e1604ec5ed262407217ad8c18dcd6e649d5ade95c9535809527a5a0c83de6f2cf9859b4dbb7047d2e86d502e1e9

    • SSDEEP

      24576:LHo2SKj92XYJWOKMs8cPbM1TjRQX1cs2vbF:Lr3yM1s2vbF

    Score
    1/10
    • Target

      __x64___setup___x32__/dsreg/dsound.dll

    • Size

      601KB

    • MD5

      e6a43513ff267eaf7a112f94a403a5a5

    • SHA1

      83f7c1ab98eac5164c9ea1ef6f78a84e55d1bc35

    • SHA256

      7e7d1d2e2dca3d228a4a1c6a33885096cc884281a69963670851aa51cf093d1c

    • SHA512

      b5b6e594e812eb59e356c145fee898437310f7f8eb3b3ae29dcce7c69b031f81bb6689f0b69d32a092c98dafaaa26dee4c75af6cbb6b04102829a9f1e21104a5

    • SSDEEP

      12288:cyoaj7w9oRy7KL+J0vam7sKNpx15sW/azNQNkplGc:cyoaj7ZRyEvaQ/2CmX

    Score
    1/10
    • Target

      __x64___setup___x32__/dsreg/dsreg.dll

    • Size

      1.3MB

    • MD5

      5b6c5c26411cd43954f844d4fb4c7052

    • SHA1

      25ae08d1ba263dc838032e0167c90a2fb99dec67

    • SHA256

      c07f170f5e59e35778067b9681c7fe31c0155a031e699777857cf034c9bcdda8

    • SHA512

      813e13e5cd9553dca3dacd1d0d4c1d33370cf50ed3b8c7e335e0d08a3dd5b4a1e4897b1efbc94f83aa6657b17fe9a435ff24e72afea65ed94145cdd0197f049a

    • SSDEEP

      24576:YRVIRLu0lcAE/VOJg85uTtsGxOOfaJJ3ASAVZOxgAR6sFcp8qdtyuPW0iEpbL7eC:YRVT0TUOq85uTtJx9WdUSGeKQlW6ix

    Score
    1/10
    • Target

      __x64___setup___x32__/dsreg/sensrsvc.dll

    • Size

      177KB

    • MD5

      0bcffad6f3b180dd60c941b01768f733

    • SHA1

      38208d521a1b1d93bd278d44f3cf86243e5a6081

    • SHA256

      a0b73c1bf636f14504b69606999287b6fe148c958a4f6e31e9022ff129a048e0

    • SHA512

      1cc351de4ce989a3a760fd9289fa265da4fb6b4b6dec037757c971698637ea46ffa5aae2a6e7b27774d79faa459fcf8d6fa80fade18f7437bd490b4058573627

    • SSDEEP

      3072:7DVv4LAk756j4WlWM+ks7VKqTbykTXqIFWMcgiurms+alt:F4LAKVWgM+EqykTXncur5

    Score
    1/10
    • Target

      __x64___setup___x32__/pcwum/AppxSip.dll

    • Size

      268KB

    • MD5

      577dbb84e03e995d507840258c52913f

    • SHA1

      cb1d426d26a3e966d29a6a28f94ed5273c21d759

    • SHA256

      c8ed0608c107745d56fcdf34cac855602c65dc1a612c173f4057cbd30fbf2058

    • SHA512

      90263941720d4498cfe588ecc7c713f04ce2431722b918859c555041be1823ace5163306c3e273e92fde0d472b3bb494acc37b26982a269116b64ed13aa396cf

    • SSDEEP

      6144:cTXUiOy2C35UKI+EqJNLo/AKjJIcLIT9mAD:cTkFy2aI+FLSHjJIcsR

    Score
    8/10
    • Manipulates Digital Signatures

      Attackers can tamper with the registry keys that control Authenticode and cryptography (for example the SIP and trust-provider registrations) so that their own binary is reported as validly signed.

    • Target

      __x64___setup___x32__/pcwum/asferror.dll

    • Size

      2KB

    • MD5

      095f83f3a59c1fe3f0fe09b83fcb61bb

    • SHA1

      53150630afd41a9f79a6c8ad283d26da7901d502

    • SHA256

      f19af37f7a6df8bf1d1d75ad7207f2398facf275230a158c0ed16431b7d95e09

    • SHA512

      7dcdb173f8f3e201ed5070f4802d44d70e580fd2cb60a9a74e8de005b86ab3b3204e9a3221ebbe64892d02232aab884fd5bba89af02cbc49f11fa77f4ef019c9

    Score
    1/10
    • Target

      __x64___setup___x32__/pcwum/pcwum.dll

    • Size

      22KB

    • MD5

      642d98f94f04a764b0fd6ed931ff6bb3

    • SHA1

      8ae640ca0f07db4c23c3e07b12270337a921e33f

    • SHA256

      e72268a93a94b68b749c146d02918635440ff8440c64bd939d9fc5f9a62e0a36

    • SHA512

      ee9afb4504ffb47637960c450cef71c63e5b2de47aae1263230de3eb1f8604b47eccbde958261ffe014a564749816a1e7d72672ac3256e0693df49b6c97b2e94

    • SSDEEP

      384:pWYGKlPRPSxncPF3WZ1WNhKvpdm15hRYD1IDBRJtZifl/zdi/iy:r7PRPSxBx48I1P21y

    Score
    1/10
    • Target

      __x64___setup___x32__/pcwum/pdhui.dll

    • Size

      61KB

    • MD5

      2b0e1517dbb0e067d82fe2d47c372a8e

    • SHA1

      67a80548f78cab22cf81b93f3181d689c44b26e3

    • SHA256

      6cb757959ab8200999ae91a0ccab15967fa1ed101c90de195e26397b6ef6c070

    • SHA512

      576b9b8d47736939ca99adbb831758addc55e85d875f5ddfd8a5e633f58f5786b00a020f0017582e3545f110a6b730d1025685cfeec024aa837efe8f8caf48c5

    • SSDEEP

      1536:7rLxh5fUGpp05BqxFGRqg8qAAjGJIBF+qU2:7r7pUGp058xNN4jGJIBF+qz

    Score
    1/10
    • Target

      __x64___setup___x32__/setup.msi

    • Size

      24.5MB

    • MD5

      0bd85ea206276e8e5d6ea143c5cb8330

    • SHA1

      75079d986324ff1d4150bf00fd10ea73f43d0a76

    • SHA256

      8bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602

    • SHA512

      6ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192

    • SSDEEP

      786432:zDMcQi4FgSUZGaQ5MHnPa4lJQJU8P8uBsTaxsn:zDMQ4KMaQqvu04On

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      __x64___setup___x32__/wcimage/SEMgrPS.dll

    • Size

      40KB

    • MD5

      76e12d39f82567db28b132e245d9e3ce

    • SHA1

      53cbd54614b8e21e78096d32ddebf0771b359c37

    • SHA256

      5edd09d2a2e2e03ac2fa7db4c7b9f4ee300c696534788dbedaf9cee617a97ab1

    • SHA512

      62de3ef3caf4997e0f1b02f5805a5da757c7506dcf5e6f93ed9870b6a53858dd24f588700dc2e6cd1d524291fb0fe1968169a52c53e9253244f7ebd633b89f4a

    • SSDEEP

      384:tASguFmJEqu2MZ3RDil1jt9exCUF9n10jaTANQ+1Lxdprb4Y75WRkWmmca9pa:KK9JbyFUF910GANQ+1pgYg

    Score
    1/10
    • Target

      __x64___setup___x32__/wcimage/SensorsApi.dll

    • Size

      407KB

    • MD5

      e5d1e8fbabdbe5c74777d0ac4c426506

    • SHA1

      bba47a9e25b32320cd1936423dbf926864bf90fd

    • SHA256

      349eced0b6eeb7d3ace7259a93d30ebc2823b128be409a87a712709af9bb140c

    • SHA512

      3a0f2ba991de7c3fe7af13bdf0c3edb0c847185f51731dfe28bfbe6eeaa3e0ce5346af833b950f39a46bd4d021ede71224a90592519af6d1667a8ef064c02fdc

    • SSDEEP

      6144:xzEG0WxoKAQTrfBvjF8VcYGNfelNz2TgYlQhgppm739UL20KcG8ZKXvSCoV:xzEGTW3Q3FZ8ONo2TnlJppmznmK

    Score
    1/10
    • Target

      __x64___setup___x32__/wcimage/netprofmsvc.dll

    • Size

      982KB

    • MD5

      279099d020eef78ea58acfb29e9c7bce

    • SHA1

      ad5d6f9b8852aa6d67972c426f0b17c83adf5142

    • SHA256

      45901d087e5c6f36734b2c15a6a89bc699e0b7c78dc64cdc158a0fa9bc2426b8

    • SHA512

      660d99d474d40aa7c74da97ac620f4ad1ff16c00513bcc4ecc892d66395247bf99ff6a2d658930a6eb81563b98c6243c1b306fe449538b359fa232c9de35b32f

    • SSDEEP

      24576:hYn3DqOlLb1rdnArqhE38N7k8V4buY5AvGubu:hKthrdaq+R82buY5AvGub

    Score
    1/10
    • Target

      __x64___setup___x32__/wcimage/wcimage.dll

    • Size

      133KB

    • MD5

      15f2604eea46c00e3b11c50ae6fad557

    • SHA1

      c498e3c70d008f7ab7dee2326bc4c7106070e58b

    • SHA256

      39562e3973e08f78a4289b0120dd411c8e02afe40544ebc75515ddcf0673ccd2

    • SHA512

      f921965e5b2f32a69e29d2e0b1acd6cf0720cf59cb9035d89db6ce9d6486ad83eb5c3eb5b7073767a8cea501859e2a9579d1705406b551098f3dee8d96b65f7b

    • SSDEEP

      3072:uQc03QjzlDpfC3+uDQGQAOzu2IpdOcLpy:uQTqDp63px5fL

    Score
    1/10
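
The report flags the bundled pcwum/AppxSip.dll for "Manipulates Digital Signatures" and maps it to SIP and Trust Provider Hijacking (T1553.003); the file shares its name with the Windows SIP provider for APPX packages, which is exactly the kind of DLL such a hijack points the registry at. The PowerShell below is an added example for checking a host for that technique; it is not code from this report or from the sample. It audits the registry keys Windows consults to load SIP and trust-provider DLLs and flags entries whose DLL is missing, resolves outside System32/SysWOW64, or is not validly signed by Microsoft. The function names (Resolve-ProviderDll, Test-ProviderEntry) and the flag labels are this example's own; the key paths and value names (Dll/FuncName for SIPs, $DLL/$Function for trust providers) are the standard Windows locations.

```powershell
# Added example, not from the sandbox report or the sample.
# Audit the registry locations Windows uses to locate Subject Interface
# Package (SIP) and trust-provider DLLs. A hijacked entry makes Authenticode
# validation load an attacker-controlled DLL so that unsigned or tampered
# files are reported as validly signed (ATT&CK T1553.003).
# Run in an elevated PowerShell on the host under investigation.

# GUID-named subkeys under these roots carry Dll / FuncName values.
$sipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg'
)
# GUID-named subkeys under these roots carry $DLL / $Function values.
$trustRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy'
)
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Resolve-ProviderDll {
    # Hypothetical helper: turn the registry value into an on-disk path.
    param([string]$Name)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # A bare file name goes through the DLL search order; for these
    # providers it is expected to land in System32 or SysWOW64.
    foreach ($dir in $systemDirs) {
        $candidate = Join-Path $dir $expanded
        if (Test-Path $candidate) { return $candidate }
    }
    return $expanded   # unresolved: reported as-is and flagged below
}

function Test-ProviderEntry {
    # Hypothetical helper: classify one registration as clean or suspicious.
    param([string]$Key, [string]$DllValue, [string]$FuncValue)
    $path = Resolve-ProviderDll $DllValue
    $reasons = @()
    if (-not $path -or -not (Test-Path $path)) {
        $reasons += 'dll-not-found'
    } else {
        $inSystem = $false
        foreach ($d in $systemDirs) {
            if ($path.StartsWith($d, 'OrdinalIgnoreCase')) { $inSystem = $true }
        }
        if (-not $inSystem) { $reasons += 'dll-outside-system-dir' }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature-$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += 'not-microsoft-signed'
        }
    }
    [pscustomobject]@{
        Key      = $Key
        Dll      = $DllValue
        Resolved = $path
        Function = $FuncValue
        Flags    = ($reasons -join ',')
    }
}

$results = @()
foreach ($root in $sipRoots) {
    foreach ($sub in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $sub.PSPath
        $results += Test-ProviderEntry -Key $sub.Name -DllValue $p.Dll -FuncValue $p.FuncName
    }
}
foreach ($root in $trustRoots) {
    foreach ($sub in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $sub.PSPath
        $results += Test-ProviderEntry -Key $sub.Name -DllValue $p.'$DLL' -FuncValue $p.'$Function'
    }
}

# Anything with a flag deserves a look; a provider DLL that resolves outside
# the system directory is the classic sign of a sideloaded replacement.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

On a clean host the filtered output is empty. The path check is the one that matters for a dropped-DLL hijack like the one suggested by this report: a copied AppxSip.dll sitting next to an installer is never the file that System32 resolves to, so an entry pointing at it shows up as dll-outside-system-dir even before the signature check runs. Note that a hijacked verification function can also lie to Get-AuthenticodeSignature itself, so treat a Valid status on a flagged path as untrusted and confirm the DLL hash offline.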

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (T1059): 1 signature

    • PowerShell (T1059.001): 1 signature

Defense Evasion

  • Subvert Trust Controls (T1553): 1 signature

    • SIP and Trust Provider Hijacking (T1553.003): 1 signature

Discovery

  • Query Registry (T1012): 1 signature

  • Peripheral Device Discovery (T1120): 1 signature

  • System Information Discovery (T1082): 2 signatures

Tasks