Resubmissions

23-06-2024 14:14

240623-rj8ymsxdnn 10

17-06-2024 16:58

240617-vg68tazhkm 10

General

  • Target

    __x64___setup___x32__.zip

  • Size

    26.2MB

  • Sample

    240617-vg68tazhkm

  • MD5

    e5a83ba069f873253b132ec3ec166c24

  • SHA1

    1e4ce10856435de93df2d95b128672bf5e97f449

  • SHA256

    d1a0115f4afe30d9a973cb18bf95d34b67b2d548b4d49989fd0e36399dc562d0

  • SHA512

    8650c791c1b5cd3e22cb94d73e001aa7f832ab860882fbeccce79aa684b4940886d36d86c73ce9df7febf9f072edba7fa1a2762aac5f35c52d451791d03b0828

  • SSDEEP

    786432:V7lANnpo2nHaN04j/Qpv3p2MmSg3jcUXQR6:s1po2n14DU3GZ3wUAU

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://opensun.monster/25053.bs64

Targets

    • Target

      __x64___setup___x32__/setup.msi

    • Size

      25.2MB

    • MD5

      9e10d740b32cd15a4fb9a947f911b924

    • SHA1

      6ed60f2f79f986cbf4cc6ab1076522b9c762c272

    • SHA256

      ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a

    • SHA512

      d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08

    • SSDEEP

      393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

    • Command and Scripting Interpreter  T1059  1
    • PowerShell  T1059.001  1

Discovery

    • Query Registry  T1012  1
    • Peripheral Device Discovery  T1120  1
    • System Information Discovery  T1082  2

Tasks