rhadamanthys

General

Target

Crown.zip
Size

223KB
Sample

240615-xk8l6a1flf
MD5

bb3dd9f35a450af1a16a952d1067598c
SHA1

3f767ab4470bf57ca7f7a4cc69b92a8bebe4d30a
SHA256

7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846
SHA512

ec785e7b41a08243aeb699b790ea26b4572b41e1a310446cee36eb015973761aebbf3a2d07a842c0a75a4d87c00704e080ba66106cc8d5d703cd35ea88c25278
SSDEEP

6144:ao3qVoa1c03t+FcKvKitzLIjcJmA98sXIpl4:VqJek9+zsjc4A9JXIpl4

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Targets

- Target
  
  Crown.zip
- Size
  
  223KB
- MD5
  
  bb3dd9f35a450af1a16a952d1067598c
- SHA1
  
  3f767ab4470bf57ca7f7a4cc69b92a8bebe4d30a
- SHA256
  
  7234b080bdcea32573730ff1a6f7e17985ccd2d2743b3b9a4da5d30c0cfda846
- SHA512
  
  ec785e7b41a08243aeb699b790ea26b4572b41e1a310446cee36eb015973761aebbf3a2d07a842c0a75a4d87c00704e080ba66106cc8d5d703cd35ea88c25278
- SSDEEP
  
  6144:ao3qVoa1c03t+FcKvKitzLIjcJmA98sXIpl4:VqJek9+zsjc4A9JXIpl4
Score

10^/10

rhadamanthys evasion execution persistence stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Launcher.exe
- Size
  
  7KB
- MD5
  
  b5e479d3926b22b59926050c29c4e761
- SHA1
  
  a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256
  
  fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512
  
  09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP
  
  192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Score

10^/10

execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4