General
-
Target
Loader-InstallerS(1).zip
-
Size
16.4MB
-
Sample
240616-gpc32swdqj
-
MD5
d66daf854b0507663115b4915b27cea5
-
SHA1
786aa73915340292bd68c3f1641cd2ed2ba61398
-
SHA256
faaec99b094508562b983e03b3a3c8a2eb9ef86787ad4ff6ddbcb44ebf045e29
-
SHA512
ad705c71229ba6319b5afc506f620ddc9cde0f884dfe6b2a5910b8fa39ce4c6d8766b16a44c794ea3d45614c1a0cb58ea4bed0b1b3a80179f388162994d3c749
-
SSDEEP
393216:mkDOnOfis1FYW2f5gqQJT1h1/JbmIOOPRSAgZzcUTdYVrUM7UjbIH9n:HyOKUEQJT1hhJi3ZwUTK4HIH9n
Malware Config
Targets
-
-
Target
Loader-InstallerS(1).zip
-
Size
16.4MB
-
MD5
d66daf854b0507663115b4915b27cea5
-
SHA1
786aa73915340292bd68c3f1641cd2ed2ba61398
-
SHA256
faaec99b094508562b983e03b3a3c8a2eb9ef86787ad4ff6ddbcb44ebf045e29
-
SHA512
ad705c71229ba6319b5afc506f620ddc9cde0f884dfe6b2a5910b8fa39ce4c6d8766b16a44c794ea3d45614c1a0cb58ea4bed0b1b3a80179f388162994d3c749
-
SSDEEP
393216:mkDOnOfis1FYW2f5gqQJT1h1/JbmIOOPRSAgZzcUTdYVrUM7UjbIH9n:HyOKUEQJT1hhJi3ZwUTK4HIH9n
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
3.0/Microsoft.Management.OData.dll
-
Size
132KB
-
MD5
137a867ee3bb8d6cf3ddd69b2520fe5e
-
SHA1
a5af1607a829d36fde81bd863dac2bf0e523e867
-
SHA256
cc1d3ef2d5ce0a4c52f1487cf32e2626cb12d5a872e02b6fa639ae02db69d5e0
-
SHA512
f4a0293464e133fb33eaa70afd49b13380604efd1d507d79c2a428f2dda18756141867dbfcb0c0266549dcc5dc6ba43456b6e80e509b08e9105cebbba61d5762
-
SSDEEP
1536:kXIAb3/Uz5nsVppWcSvoZrZb4AfXvYeThLlep2ms5hkaO:kX125nph64mXvJTh0pJs7ka
Score1/10 -
-
-
Target
Loader-InstallerS.exe
-
Size
53.9MB
-
MD5
b77cb5cc9b4e6736cda5ff00c0f5a08e
-
SHA1
260e4ee9ed739d832ac17eafcaa92f3f185b2f1e
-
SHA256
1bb7c20561889b564cd2bf5bc677eae14d3d0da506961bfae9da0bee0b452bb8
-
SHA512
e848e3d37ce4ede008a2760419977965d57298fc0aac239cf5025b28b2db49eb3592fe2f2d5b102fdd28788bd43a5584efc7d6928aae104296931eec516b9f9b
-
SSDEEP
393216:7xzEt9N8m2t9itYvJHMLjfAsqUZrZSh8XlmOy:7xzESFtyYlXsqUZ9dlK
Score8/10-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
-
-
Target
Management.OData.dll
-
Size
132KB
-
MD5
137a867ee3bb8d6cf3ddd69b2520fe5e
-
SHA1
a5af1607a829d36fde81bd863dac2bf0e523e867
-
SHA256
cc1d3ef2d5ce0a4c52f1487cf32e2626cb12d5a872e02b6fa639ae02db69d5e0
-
SHA512
f4a0293464e133fb33eaa70afd49b13380604efd1d507d79c2a428f2dda18756141867dbfcb0c0266549dcc5dc6ba43456b6e80e509b08e9105cebbba61d5762
-
SSDEEP
1536:kXIAb3/Uz5nsVppWcSvoZrZb4AfXvYeThLlep2ms5hkaO:kX125nph64mXvJTh0pJs7ka
Score1/10 -
-
-
Target
Read it to me.txt
-
Size
637B
-
MD5
63039ea52b96b6c0354eca7196c1c93f
-
SHA1
76b013def08a47c2b9cdddd9c991b4c9cc7fcb73
-
SHA256
ab1efb123feeac5171f3613e694d81277d43a74554e943c1619a1e32cd8de16f
-
SHA512
04b7c81882802c0573640c3462256ffc62603fd49f84ca4cff01ed8bf05d5e90f19a3b5bd09b2c2d896f6eaa01d46e8a9dd5a5ba58d5c1f4e446b2afc49cf9f5
Score1/10 -
-
-
Target
System.Management.Automation.dll
-
Size
1.5MB
-
MD5
49103fa6f05e99c39db0d18ddafcf7db
-
SHA1
ed6194296dbe99d9c02f21ce0855f45d3539b590
-
SHA256
910b7bf88de4af5719b919f80281f65582ee67b1437364e5c33db6047abb700e
-
SHA512
9dbd68c626c809a1be5d7c21f3535e5bf0cdde08a09402e856a07389dee3973529fd0fe41fc2e3dafd2531488828216f13659fa754589713a5eda5c47b7ed026
-
SSDEEP
49152:48+61AEw4T7+a56qXKzqqvXcSGukSaxPGSMVYLM:Oj
Score1/10 -
-
-
Target
srmlib.dll
-
Size
97KB
-
MD5
f08905d60df43d0852b1174638d27ecf
-
SHA1
2ded79a654a033c67f074ea954df6adca02cd5cd
-
SHA256
1d5557349e8c33d1dba85fe52ca02ce216eaf77b1caad81f3fb483f5634bb6e9
-
SHA512
6c853dc39946b7cb276ea6ce9359b1844ab05b563fc85176c1d36f9ee8152dbc3fc9a3e06effbfb66b80eababf889fc5bf038cdf9c3f7df143016ebc7c7b6c0a
-
SSDEEP
1536:22wnWFZ2PzARLJirsqyGwvCTp+t7WKo8KJ0mVzB:Rwn6J8sqxw7+jF
Score1/10 -
-
-
Target
wabimp.dll
-
Size
42KB
-
MD5
fd5791592f821f419276dc41041370f5
-
SHA1
529345646ace85659476f487b6c41eb3254edbb0
-
SHA256
db6b4ed4561e8730fda614ae1d213d5ba452353ac06f3c4bd1d896ea1668fa93
-
SHA512
5f92345c676438930b974c6a702e9129f1398477f28c9d320bf94b4626ec564066d32d287f2d28a2b8cdacb5d6d5722910c75b8bf4d59edfc6866242865551c6
-
SSDEEP
768:fegDSnBBghmExnQKwYh1uCEkbDLkYleUCIOqaKTsKGDcW:GgDSBBg0ExQKfhb3ST5KoKMc
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
5Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
5Scheduled Task/Job
1