rhadamanthys

Resubmissions

22-06-2024 16:58

240622-vgsenazcmn 10

22-06-2024 16:01

240622-tgg39axgml 10

Sharing

Copy URL

Twitter E-mail

General

Target

NcCrack-Loader.zip
Size

12.8MB
Sample

240622-tgg39axgml
MD5

18e398f15f5f2adbc5c0d8481f8a5100
SHA1

8f092c32b221ff1256e079cbc5ff606cffc0ff09
SHA256

380e7634606079bda646b9254ee41e4382b66d893023edbfa95d00f0dd8fb8a1
SHA512

c1825c7de4cba4e01a0d5d7a1c9b851f3d5467dc90623d26f9287467327c15959158ffb3ab776a4c24a5084b4b25e509978e2d88e9b1b7499fb25d8580fd0058
SSDEEP

393216:PQdfQ2QnNgnxIvrbNOGcPHaNH1C7z7mI26Bkjf+OugZFdw4V16gvp:POfQ/Ngx6oGt1C7fw6BPg5T1FR

Score

10^/10

Malware Config

Targets

- Target
  
  Driver.dll
- Size
  
  685KB
- MD5
  
  081d9558bbb7adce142da153b2d5577a
- SHA1
  
  7d0ad03fbda1c24f883116b940717e596073ae96
- SHA256
  
  b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
- SHA512
  
  2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- SSDEEP
  
  12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score

1^/10
behavioral1
- Target
  
  NcCrack Loader.exe
- Size
  
  54.0MB
- MD5
  
  7da9f4a912992fb26434573d65a1a0fc
- SHA1
  
  39a8bef04bc19ed39567039dd054174f5a6bfd1b
- SHA256
  
  060de3b4cf3056f24de882b4408020cee0510cb1ff0e5007c621bc98e5b4bdf3
- SHA512
  
  503d03b6b6654bcc1fd5a8dd6e0660bec06ac416509a6d5583cfd42168eae6adf2360f87a7b325140d4bcf430c799be1efce41c9763b992f9ac79f0a028bc445
- SSDEEP
  
  196608:Is6PAGLjQoTUlr/t/COz17LUU27lSalE8neeyh0f7Z+o3nPKAcfM2e1:IdPAGHXmztE0D8neewqZ+jS
Score

10^/10

rhadamanthys discovery evasion execution persistence privilege_escalation stealer trojan
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral2