rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

__x64___setup___x32__.zip
Size

26.0MB
Sample

240619-rdbqys1hje
MD5

834495947f826a32ec96ba9c4bb9ecfa
SHA1

f5e122c0f5e8fb25189fdaf7667c620f5154bf24
SHA256

d634a0cccedb8877e4f6e2dd9d59975f6a8dfcd767c75c478f2d7a97cd3469ef
SHA512

3b9f713122426ddf78ad8ee1550e7ff9ae6e3f41e473c9a99e84735f001f523213b4b069b3dfeb3d1c60d324e38b41bddf1d2850efc677ce5f9571d246630c92
SSDEEP

786432:k2dKy4NXj3zLVoPkc6w51UrcL2kpVFBO7PIUqM:PONXj3/Vmb51YQ2kpVFY7PItM

Score

10^/10

Malware Config

Targets

- Target
  
  AppxSip/AppxSip.dll
- Size
  
  268KB
- MD5
  
  577dbb84e03e995d507840258c52913f
- SHA1
  
  cb1d426d26a3e966d29a6a28f94ed5273c21d759
- SHA256
  
  c8ed0608c107745d56fcdf34cac855602c65dc1a612c173f4057cbd30fbf2058
- SHA512
  
  90263941720d4498cfe588ecc7c713f04ce2431722b918859c555041be1823ace5163306c3e273e92fde0d472b3bb494acc37b26982a269116b64ed13aa396cf
- SSDEEP
  
  6144:cTXUiOy2C35UKI+EqJNLo/AKjJIcLIT9mAD:cTkFy2aI+FLSHjJIcsR
Score

8^/10
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
behavioral1
- Target
  
  AppxSip/MSVidCtl.dll
- Size
  
  3.3MB
- MD5
  
  6a93c400f7d5bcf8799c0506531f7d12
- SHA1
  
  f8ecd93adfc87ae76970656bd15af3a960a83428
- SHA256
  
  6679297f7e7f17ef37f48fa25f070d78e76324d167aa8b961d85327321e58754
- SHA512
  
  209476a382bce5b53762b52c5b9f3f1bcb0d1f3b3763d1c8aa3ed6c1af838d4b442ffd7a40eb851a6c36a462031ee5fda5617dae5348426f7de3ef73b2aaec6d
- SSDEEP
  
  49152:GRVfgoQrkv0BzBQLW6Ki8gT3lZhrnxySgnpO91MmIusURfvxmtdl:GRVfgoQrkv0BVi8gT3r9xyS1jzfvx
Score

1^/10
behavioral2
- Target
  
  AppxSip/deploymentcsps.dll
- Size
  
  76KB
- MD5
  
  1d6dffb182135656f682353bf01d3bf1
- SHA1
  
  e6a1c4915364e4ce5bb90b51b38dbb45007dbd2b
- SHA256
  
  d3ecce1709057d83119d2fc9295848dc096ebf682aea0e9bda49e31bd5397fda
- SHA512
  
  754a746b08074db21cf72d1b3b9574ba75b7c893ea4cdbf8cddfbd7ffe206005172e5acc4bcfd125e88226bab5a60334572a0722167eb93b7f4d73e7b7b364b8
- SSDEEP
  
  1536:ecB5LC+IF7VPfLhS4eq/PblCVouzRh/DWb+7xAib8CCRhl5glvNtr:ecBEpPg6zkVouz7Da+2ib8CCRP56L
Score

5^/10
- Drops file in System32 directory
behavioral3
- Target
  
  AppxSip/devenum.dll
- Size
  
  108KB
- MD5
  
  13dc564be50b850d4ba18d8b28ed7802
- SHA1
  
  17e703b95bd1ba6beeacb498d4494494e14b7266
- SHA256
  
  d4c23365d6c16ed6be52fe620742c1fde00d2cb14c3844c7e633b2a251c4c39d
- SHA512
  
  145da4efdeb0e710e0116462f957d2083c7ad3ee47269fdd853145a1f37ec37b888ad2a585f5965b61525a8848488ae4903eca7550208cda664b5fab9084ced6
- SSDEEP
  
  1536:W0s0VKB22Wola4XD1HKVxY+e1DxJjdAeWH3z4OmFeTNvM3mBG52hhvzrDQdRC3am:lOBDJKVuaeWHjtmITNSmBG5Ghvbh
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral4
- Target
  
  SEMgrPS/SEMgrPS.dll
- Size
  
  40KB
- MD5
  
  76e12d39f82567db28b132e245d9e3ce
- SHA1
  
  53cbd54614b8e21e78096d32ddebf0771b359c37
- SHA256
  
  5edd09d2a2e2e03ac2fa7db4c7b9f4ee300c696534788dbedaf9cee617a97ab1
- SHA512
  
  62de3ef3caf4997e0f1b02f5805a5da757c7506dcf5e6f93ed9870b6a53858dd24f588700dc2e6cd1d524291fb0fe1968169a52c53e9253244f7ebd633b89f4a
- SSDEEP
  
  384:tASguFmJEqu2MZ3RDil1jt9exCUF9n10jaTANQ+1Lxdprb4Y75WRkWmmca9pa:KK9JbyFUF910GANQ+1pgYg
Score

1^/10
behavioral5
- Target
  
  SEMgrPS/SensorsApi.dll
- Size
  
  407KB
- MD5
  
  e5d1e8fbabdbe5c74777d0ac4c426506
- SHA1
  
  bba47a9e25b32320cd1936423dbf926864bf90fd
- SHA256
  
  349eced0b6eeb7d3ace7259a93d30ebc2823b128be409a87a712709af9bb140c
- SHA512
  
  3a0f2ba991de7c3fe7af13bdf0c3edb0c847185f51731dfe28bfbe6eeaa3e0ce5346af833b950f39a46bd4d021ede71224a90592519af6d1667a8ef064c02fdc
- SSDEEP
  
  6144:xzEG0WxoKAQTrfBvjF8VcYGNfelNz2TgYlQhgppm739UL20KcG8ZKXvSCoV:xzEGTW3Q3FZ8ONo2TnlJppmznmK
Score

1^/10
behavioral6
- Target
  
  SEMgrPS/netprofmsvc.dll
- Size
  
  982KB
- MD5
  
  279099d020eef78ea58acfb29e9c7bce
- SHA1
  
  ad5d6f9b8852aa6d67972c426f0b17c83adf5142
- SHA256
  
  45901d087e5c6f36734b2c15a6a89bc699e0b7c78dc64cdc158a0fa9bc2426b8
- SHA512
  
  660d99d474d40aa7c74da97ac620f4ad1ff16c00513bcc4ecc892d66395247bf99ff6a2d658930a6eb81563b98c6243c1b306fe449538b359fa232c9de35b32f
- SSDEEP
  
  24576:hYn3DqOlLb1rdnArqhE38N7k8V4buY5AvGubu:hKthrdaq+R82buY5AvGub
Score

1^/10
behavioral7
- Target
  
  SEMgrPS/wcimage.dll
- Size
  
  133KB
- MD5
  
  15f2604eea46c00e3b11c50ae6fad557
- SHA1
  
  c498e3c70d008f7ab7dee2326bc4c7106070e58b
- SHA256
  
  39562e3973e08f78a4289b0120dd411c8e02afe40544ebc75515ddcf0673ccd2
- SHA512
  
  f921965e5b2f32a69e29d2e0b1acd6cf0720cf59cb9035d89db6ce9d6486ad83eb5c3eb5b7073767a8cea501859e2a9579d1705406b551098f3dee8d96b65f7b
- SSDEEP
  
  3072:uQc03QjzlDpfC3+uDQGQAOzu2IpdOcLpy:uQTqDp63px5fL
Score

1^/10
behavioral8
- Target
  
  dsreg/dcntel.dll
- Size
  
  768KB
- MD5
  
  34a0c0ceee88cc435a273253cac4ec07
- SHA1
  
  bf66c56aecbf52d26435ae2c85129a909dc6a8a7
- SHA256
  
  86eabe6da51fcf15428fd945492e27075721e3d857c987fe1a830a0f6f7dd4c6
- SHA512
  
  2f5d69938cfedcf5b3c5edabf181f3cdb9525e1604ec5ed262407217ad8c18dcd6e649d5ade95c9535809527a5a0c83de6f2cf9859b4dbb7047d2e86d502e1e9
- SSDEEP
  
  24576:LHo2SKj92XYJWOKMs8cPbM1TjRQX1cs2vbF:Lr3yM1s2vbF
Score

1^/10
behavioral9
- Target
  
  dsreg/dsound.dll
- Size
  
  601KB
- MD5
  
  e6a43513ff267eaf7a112f94a403a5a5
- SHA1
  
  83f7c1ab98eac5164c9ea1ef6f78a84e55d1bc35
- SHA256
  
  7e7d1d2e2dca3d228a4a1c6a33885096cc884281a69963670851aa51cf093d1c
- SHA512
  
  b5b6e594e812eb59e356c145fee898437310f7f8eb3b3ae29dcce7c69b031f81bb6689f0b69d32a092c98dafaaa26dee4c75af6cbb6b04102829a9f1e21104a5
- SSDEEP
  
  12288:cyoaj7w9oRy7KL+J0vam7sKNpx15sW/azNQNkplGc:cyoaj7ZRyEvaQ/2CmX
Score

1^/10
behavioral10
- Target
  
  dsreg/dsreg.dll
- Size
  
  1.3MB
- MD5
  
  5b6c5c26411cd43954f844d4fb4c7052
- SHA1
  
  25ae08d1ba263dc838032e0167c90a2fb99dec67
- SHA256
  
  c07f170f5e59e35778067b9681c7fe31c0155a031e699777857cf034c9bcdda8
- SHA512
  
  813e13e5cd9553dca3dacd1d0d4c1d33370cf50ed3b8c7e335e0d08a3dd5b4a1e4897b1efbc94f83aa6657b17fe9a435ff24e72afea65ed94145cdd0197f049a
- SSDEEP
  
  24576:YRVIRLu0lcAE/VOJg85uTtsGxOOfaJJ3ASAVZOxgAR6sFcp8qdtyuPW0iEpbL7eC:YRVT0TUOq85uTtJx9WdUSGeKQlW6ix
Score

1^/10
behavioral11
- Target
  
  dsreg/sensrsvc.dll
- Size
  
  177KB
- MD5
  
  0bcffad6f3b180dd60c941b01768f733
- SHA1
  
  38208d521a1b1d93bd278d44f3cf86243e5a6081
- SHA256
  
  a0b73c1bf636f14504b69606999287b6fe148c958a4f6e31e9022ff129a048e0
- SHA512
  
  1cc351de4ce989a3a760fd9289fa265da4fb6b4b6dec037757c971698637ea46ffa5aae2a6e7b27774d79faa459fcf8d6fa80fade18f7437bd490b4058573627
- SSDEEP
  
  3072:7DVv4LAk756j4WlWM+ks7VKqTbykTXqIFWMcgiurms+alt:F4LAKVWgM+EqykTXncur5
Score

1^/10
behavioral12
- Target
  
  netprofm/TapiSysprep.dll
- Size
  
  13KB
- MD5
  
  960f26b09aa9002e0e1fb05a0f10f78c
- SHA1
  
  c578efa3870517ef5d7994081331a084bada01a1
- SHA256
  
  dea8d882f6492786d680ae5d94f6f107b072aed8e6ca4f968725d9752cd12d60
- SHA512
  
  7c1af5de3e8f1b60e02188720943d3da0de71de030d3e648b9dfc10b871fe13c73c41225556839ff4bcbff53adf71aa5cfd69fdae0a892cbbc3599cc0518f7d6
- SSDEEP
  
  192:/VWqpdfXRVpTkTdCk3gpKghDk8aFl0HvWOopbW:/VJpdfuTfgpqpYvWOabW
Score

1^/10
behavioral13
- Target
  
  netprofm/netprofm.dll
- Size
  
  225KB
- MD5
  
  77f52e2dd1dc997e6c533748d9f095f4
- SHA1
  
  39d72d89d0e88a5ff718dc318b391c258fd53509
- SHA256
  
  7fb531ef8583d7942efcf16d586b17e1424b548a2894ac0b6541291b38e250ce
- SHA512
  
  00fd5dc4a1d5d5f2bb39387cc26732fb3c370fc211887ea5df76636229c3be1d2baa46f30b732d5ea70da3e1821e4407a019437cc22bb87fac7766f2601e6b31
- SSDEEP
  
  3072:5pZaAxmzQ6U7RLmruZ8qBhrzZ4eXYWtQyE7D9Wr02kqvXkTtcbz0Z7:rpIzQXLCuZ8qBhCUPlXkTt4Q
Score

1^/10
behavioral14
- Target
  
  netprofm/rpcnsh.dll
- Size
  
  33KB
- MD5
  
  c5adbe46703a1db31a0c6ab7245f2da6
- SHA1
  
  4cc8c03ed4b9ffc2566815954771f782b922b651
- SHA256
  
  bff0b93f9071a867d514d6de196e1368f655bcf54d4fc1623ee043cdb1cdbd77
- SHA512
  
  d73821a2dca2c2f3dbef5939053d00cd89f34b437e82f0077395c8b22ac297980514241c1b5c321c2765c0aaa5c12bd0ec6460a55bc6426d2064b6f147aea085
- SSDEEP
  
  384:gJDA9T8UqV2bojUJvlPmMka1+02C6BkZNAM9xUFt2QiVbzBxBH/5eauCVvT0n1rg:L8U9FwE1+00BuPA45t1xZl9VvghJa
Score

1^/10
behavioral15
- Target
  
  netprofm/socialapis.dll
- Size
  
  142KB
- MD5
  
  d2c1d58bf9c0240e742e10969839ef53
- SHA1
  
  f67e87b2e53c712ecfb0472a2c6ee6234f1f828a
- SHA256
  
  387008f345ca655f9380a3e2e0ec1929a08a9bb8b452532ad2924173c5c24f2f
- SHA512
  
  eae61aa14836498ef3d7de5c824ad4a4de1557d077a371242a6d1a7b12a53880d3e2e6159a3f6f8bda1ad1b069d9768c9780b92a28fcf51403aee5839fcf1b25
- SSDEEP
  
  1536:6zZVvrXuv37p7cz3rEe5upcWmoBGOa2XXE19Mh/INEUSMWI0+EYBWUu7yd853RDZ:6HkWT0JTGOa2XXE192IVr100eyW5RDZ
Score

1^/10
behavioral16
- Target
  
  pcwum/AppxSip.dll
- Size
  
  268KB
- MD5
  
  577dbb84e03e995d507840258c52913f
- SHA1
  
  cb1d426d26a3e966d29a6a28f94ed5273c21d759
- SHA256
  
  c8ed0608c107745d56fcdf34cac855602c65dc1a612c173f4057cbd30fbf2058
- SHA512
  
  90263941720d4498cfe588ecc7c713f04ce2431722b918859c555041be1823ace5163306c3e273e92fde0d472b3bb494acc37b26982a269116b64ed13aa396cf
- SSDEEP
  
  6144:cTXUiOy2C35UKI+EqJNLo/AKjJIcLIT9mAD:cTkFy2aI+FLSHjJIcsR
Score

8^/10
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
behavioral17
- Target
  
  pcwum/asferror.dll
- Size
  
  2KB
- MD5
  
  095f83f3a59c1fe3f0fe09b83fcb61bb
- SHA1
  
  53150630afd41a9f79a6c8ad283d26da7901d502
- SHA256
  
  f19af37f7a6df8bf1d1d75ad7207f2398facf275230a158c0ed16431b7d95e09
- SHA512
  
  7dcdb173f8f3e201ed5070f4802d44d70e580fd2cb60a9a74e8de005b86ab3b3204e9a3221ebbe64892d02232aab884fd5bba89af02cbc49f11fa77f4ef019c9
Score

1^/10
behavioral18
- Target
  
  pcwum/pcwum.dll
- Size
  
  22KB
- MD5
  
  642d98f94f04a764b0fd6ed931ff6bb3
- SHA1
  
  8ae640ca0f07db4c23c3e07b12270337a921e33f
- SHA256
  
  e72268a93a94b68b749c146d02918635440ff8440c64bd939d9fc5f9a62e0a36
- SHA512
  
  ee9afb4504ffb47637960c450cef71c63e5b2de47aae1263230de3eb1f8604b47eccbde958261ffe014a564749816a1e7d72672ac3256e0693df49b6c97b2e94
- SSDEEP
  
  384:pWYGKlPRPSxncPF3WZ1WNhKvpdm15hRYD1IDBRJtZifl/zdi/iy:r7PRPSxBx48I1P21y
Score

1^/10
behavioral19
- Target
  
  pcwum/pdhui.dll
- Size
  
  61KB
- MD5
  
  2b0e1517dbb0e067d82fe2d47c372a8e
- SHA1
  
  67a80548f78cab22cf81b93f3181d689c44b26e3
- SHA256
  
  6cb757959ab8200999ae91a0ccab15967fa1ed101c90de195e26397b6ef6c070
- SHA512
  
  576b9b8d47736939ca99adbb831758addc55e85d875f5ddfd8a5e633f58f5786b00a020f0017582e3545f110a6b730d1025685cfeec024aa837efe8f8caf48c5
- SSDEEP
  
  1536:7rLxh5fUGpp05BqxFGRqg8qAAjGJIBF+qU2:7r7pUGp058xNN4jGJIBF+qz
Score

1^/10
behavioral20
- Target
  
  setup.msi
- Size
  
  25.2MB
- MD5
  
  97fe02652a163aa97ecede3d2c89aab6
- SHA1
  
  927aba81a9f802c73ce0806ce0afc9cd914f879f
- SHA256
  
  64b93fbe2402bcdec46248a164485e12e2800df091a5708fe8741cf446105036
- SHA512
  
  3dd59ceabd2c4b07c9a4d0561ceea16bc1a52cd91ccaf852597fe63726c617c40c0433b2710035b9c3467d156ace859978d138f71f01087c92033b9c0b5391d8
- SSDEEP
  
  393216:F+wLUMdp4/HgS9q/FmxTgWHx9N4b9jR+7NE1nX7nyRs9cRfxn8XGQUigBJ:F+5MdEHbgFmxsWR9Ni9N+RE1XC82Qi
Score

10^/10

rhadamanthys persistence privilege_escalation stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral21

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Targets

Manipulates Digital Signatures

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

Manipulates Digital Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21