Overview

overview

10

Static

static

3

VapeV4.exe

windows7-x64

10

VapeV4.exe

windows10-2004-x64

10

plugin.dll

windows7-x64

1

plugin.dll

windows10-2004-x64

1

regger.dll

windows7-x64

1

regger.dll

windows10-2004-x64

1

vapev4.dll

windows10-2004-x64

1

vapex64.dll

windows7-x64

1

vapex64.dll

windows10-2004-x64

1

vk_swiftshader.dll

windows7-x64

1

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows7-x64

1

vulkan-1.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VapeV4.rar

  • Size

    9.6MB

  • Sample

    240622-wa339axaqb

  • MD5

    1b937d4e64ce2792412bca97c5417c44

  • SHA1

    bb9c746919757b056359e24e687962a803084c68

  • SHA256

    9ea18640384e5461abb96c654b40198b5a56021256bb86dff86040a71653cd2d

  • SHA512

    bdab21cc123cb77bc1fce52c1b90ea745aa5a89fd39e48c55ccda5503efabbe35d3c91565c3dbbc194ad6944a1df3ce4d542b93435b927bbf94e5185d8f63e61

  • SSDEEP

    196608:PiwBJWlqqnfLenbxB3M6iFM26Fdb2R5pZ+qirlELQAnKX7qJrdf7is0:PilLuC6iibYXZ+BF4Kud2x

Score
10/10
rhadamanthysevasionexecutionpersistencestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Targets

    • Target

      VapeV4.exe

    • Size

      7KB

    • MD5

      b5e479d3926b22b59926050c29c4e761

    • SHA1

      a456cc6993d12abe6c44f2d453d7ae5da2029e24

    • SHA256

      fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

    • SHA512

      09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

    • SSDEEP

      192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

    Score
    10/10
    executionrhadamanthysevasionpersistencestealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      plugin.dll

    • Size

      121KB

    • MD5

      0dea1240e52375e2cd6c6056720da5f8

    • SHA1

      37a4a277e51727e5fb6384760c19baf207aeffba

    • SHA256

      f22f279160e0a9979d311f4ae64b29f6cf480dbca488b9977810d5b6d770b482

    • SHA512

      1e12e2c7c90bd75c060b073aa47e406733a7a196a2f2785c902acb968090b5b083d15280404757d06d67c43bd2e4a608fe45d9d4ebc743e861d1f28715442abf

    • SSDEEP

      3072:KJB7frfe/i1+evBJA9CZQ1CLXAtpFrpqpqpvKINZwwcrP8cx:KJhrfe/i5pXy1CeKp

    Score
    1/10
    behavioral3behavioral4

    • Target

      regger.dll

    • Size

      20.8MB

    • MD5

      74f676688f0ce73468828a733eef1ae2

    • SHA1

      66fc9924eafea64c7466760cba06b471bf135532

    • SHA256

      1638c1a8486ec32a826a1e414e92dcb8c7c7c1668d071d97ba767c6a96b53b37

    • SHA512

      455e1847743e7d289bcbba9b72015ac85fce1444b914ad59ffd7b0209604b50c018abddf472a000d205ed7c0d80a48ded56c886b7adf153733aef7cd36ab09cb

    • SSDEEP

      393216:5sor/VKSqhURirPtV+mW7zpfa2k4ZMmsMBGl/5:5NB84ZMmsMIl/

    Score
    1/10
    behavioral5behavioral6

    • Target

      vapev4.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    1/10
    behavioral7

    • Target

      vapex64.dll

    • Size

      1.2MB

    • MD5

      9e8d0c3657240a19225f0dcc5ee67e66

    • SHA1

      ac10e50ad6893094e34ef5ad6adfa4af1693550a

    • SHA256

      bd9710b72dab2913d92731ee96904b22a43a178664c9b7b60bd41f3c04738900

    • SHA512

      a0a5b2ec05b8d9e997a21d8d60d793c247bc8f59ef742e01373687884813d3dd20786dde36bb6cedd2c6ac1fc11bbee049cf01fb725ec25c67590bf0f4ab3de2

    • SSDEEP

      24576:oPws+up2wxVNNMV6QIMYExzfAqo0IfX1e:oPws+jwxbN+63fsjLIte

    Score
    1/10
    behavioral8behavioral9

    • Target

      vk_swiftshader.dll

    • Size

      4.9MB

    • MD5

      183c887b6d1268d583740312d0852fea

    • SHA1

      a33b881d863a8e8e808d6ddb906b8f8c8c348138

    • SHA256

      2fb5bd2897fa99ca5dcf2d45830a07755d30d6d8cc3751d80be28cbd90226030

    • SHA512

      372c1b95613b3273a374f6f025b36717b4fff9b18a30a6ab97df92c5e9b615dcada7660c12d77a19960ff63f2b9078937cc2c75ed60d3a7361e455ad150a9fda

    • SSDEEP

      49152:ynQMZsIbvKss+W3QXTvxcz/hDDuaqoKgCkE636GOmHdKDRxVop26ArW80WHBC+4y:2QM7SQ6ufnHXYGnokh

    Score
    1/10
    behavioral10behavioral11

    • Target

      vulkan-1.dll

    • Size

      933KB

    • MD5

      e43b12cf3c7a21a5c50d3c7b4f88ab04

    • SHA1

      79664cf6cfb23c3e78361f817bac1440e6c7fe41

    • SHA256

      a73ef0a1dc0578cf64e856dc9461ba135bd742f3d5f60713e4d645e17533e9c9

    • SHA512

      656841544adf4fac2abde64bd62bc9392e76178797e81f73a13af05f84e6f51ad83aba1320a2af17e910bc3eb35c40ef9ba386f36ebd443ac04acefc10dc0248

    • SSDEEP

      24576:57SR7TmAl/bFPmGDsfNy6Z5WiDYsH56g3P0zAk7LZIOayz:57A/bFPmH86Z5WiDYsH56g3P0zAk7LE

    Score
    1/10
    behavioral12behavioral13

MITRE ATT&CK Matrix

Tasks