General
- Target: Skript.zip
- Size: 1.5MB
- Sample: 240622-1d2rtavdpg
- MD5: 986fd66f8c320eebe167f8a9521314a8
- SHA1: 9e3667ba7755e4db66f99586556f75697ad3a17e
- SHA256: a7edd49ec36552504d0b7940037e79de8f9918e0271ba96bad47076cb24f7ee1
- SHA512: 808eade52347e0c52b43e44934cb793d7310de773bfc5e3e3aea3164c99e33fc30af2c55b98471324cc6f1c5c107eb0995637e14700b1361a422befe63beea09
- SSDEEP: 49152:yDfI3cSHjRIA9pX8wgibL6Jt1xH6tUhhCF:yDfRyb52JjxH2F
Static task
- static1

Behavioral tasks
- behavioral1: Sample Launcher.exe, Resource win7-20240508-en
- behavioral2: Sample Launcher.exe, Resource win10v2004-20240611-en
- behavioral3: Sample dxil.dll, Resource win10v2004-20240508-en
- behavioral4: Sample mojo_core.dll, Resource win7-20231129-en
- behavioral5: Sample mojo_core.dll, Resource win10v2004-20240508-en
Malware Config
- Extracted: https://rentry.org/lem61111111111/raw
- Extracted: https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar
Targets

Target: Launcher.exe
- Size: 7KB
- MD5: b5e479d3926b22b59926050c29c4e761
- SHA1: a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256: fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512: 09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP: 192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
- Score: 10/10

Signatures
- Rhadamanthys: Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: dxil.dll
- Size: 1.4MB
- MD5: cb72bef6ce55aa7c9e3a09bd105dca33
- SHA1: d48336e1c8215ccf71a758f2ff7e5913342ea229
- SHA256: 47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893
- SHA512: c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0
- SSDEEP: 24576:LCfhbh3v3mtZDiAQeWj26k41ob2nrZ1rqpegQDJqoZtp22GkmgA9u808jQPEdkr1:LCfhbh3v3mtEAQrW41obCraeRhy9ou6r
- Score: 1/10
Target: mojo_core.dll
- Size: 1.9MB
- MD5: e338245ec63c4881d446e81bf2e6b9be
- SHA1: 9ed5ff2c4bbb43a41fed37a65f5b691ddcbc63b0
- SHA256: c8f24b72f72aeacd060e67a76a5c71145cde5b4527b3ec87c5c4d36cae8e076e
- SHA512: f3768a97f646e31fd2206bc658a24e4f39f18a4a625699d700d43a27299a946840e404df78b0e0f149c9a013a7e60dd5adaf452c4a0a4db5525ad738e4c22798
- SSDEEP: 49152:XN5EwqPeGTxMdbqDb0fmKMEYcwYj75Bvaw:PIabqDEMEd
- Score: 1/10