Overview

overview

10

Static

static

3

Loader.rar

windows10-2004-x64

1

Loader/Ant...sabler

windows10-2004-x64

1

Loader/Gam...Inject

windows10-2004-x64

1

Loader/Gam...meMenu

windows10-2004-x64

1

Loader/Gam...Status

windows10-2004-x64

1

Loader/GameDetect

windows10-2004-x64

1

Loader/Launcher.dll

windows10-2004-x64

1

Loader/Loader.exe

windows10-2004-x64

10

Loader/Upd...pdater

windows10-2004-x64

1

Loader/Upd...eb.xml

windows10-2004-x64

1

Loader/config

windows10-2004-x64

1

Loader/mainf.dll

windows10-2004-x64

1

Loader/mco...ig.xml

windows10-2004-x64

1

Resubmissions

23-06-2024 19:34

240623-yac8yazcph 3

23-06-2024 19:33

240623-x9rd6szcne 10

23-06-2024 19:32

240623-x895wstbkr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.rar

  • Size

    3.8MB

  • Sample

    240623-x895wstbkr

  • MD5

    6708336a25163b73dd47bc09f57818fa

  • SHA1

    36a31642c5f77cba5c4c0de905063e0b033a4986

  • SHA256

    b1ee03942664668e5e21997036234359542ee889c8d51e2699cbe6c8727cd19d

  • SHA512

    34e8f4913a393f71032699b32deb65103268b72e830ca870003a117a0c4a9bd7d4fb2e60cb520788fbffc08ec6cb9b189d93995d5f93e864befe89cf7946cbf1

  • SSDEEP

    98304:Z+Vnp8HuN4umIeUr8A6dIoYzMl+/lHOlmvLYdZEyt:speulevALXZlI8GZEyt

Score
10/10
rhadamanthysevasionexecutionpersistencestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/k34gk349g34g3/56j56j5j56j/raw/0f83a68fcbec53d90c5d0c17a582d7652b840e57/lemon.rar

Targets

    • Target

      Loader.rar

    • Size

      3.8MB

    • MD5

      6708336a25163b73dd47bc09f57818fa

    • SHA1

      36a31642c5f77cba5c4c0de905063e0b033a4986

    • SHA256

      b1ee03942664668e5e21997036234359542ee889c8d51e2699cbe6c8727cd19d

    • SHA512

      34e8f4913a393f71032699b32deb65103268b72e830ca870003a117a0c4a9bd7d4fb2e60cb520788fbffc08ec6cb9b189d93995d5f93e864befe89cf7946cbf1

    • SSDEEP

      98304:Z+Vnp8HuN4umIeUr8A6dIoYzMl+/lHOlmvLYdZEyt:speulevALXZlI8GZEyt

    Score
    1/10
    behavioral1

    • Target

      Loader/AntiCheatDisabler

    • Size

      46KB

    • MD5

      78a863e6527f834bcc0dc45d02498b0a

    • SHA1

      ea796fe3def4bd029ce6251a8632652070a167b3

    • SHA256

      30e89298feca3221f7cdec9d9b32aba9afb1e1168127a57908780c9aab9119fd

    • SHA512

      f6d264549e35c299e3249a5ee2c6346a4eb9b48db2b675c9f15cd6648b7ed9243ad7cb723f17a5f61a897b684ed1a7bd06e18123c2cff582bc6450ce669aec07

    • SSDEEP

      96:YCvrPTDLBFSMt1m9ccUaErr89ojoKp8MRncHSHAam6b6uKj7iRzikZAj/SKUpLC6:5vjTBFSG1jprvppI+R28KqxWNM9H

    Score
    1/10
    behavioral2

    • Target

      Loader/GameCheck/GameInject

    • Size

      7.2MB

    • MD5

      5871217d110c938f360f7533cb92a1c2

    • SHA1

      4d8427275d3d12937da05ff0b880e728f3d0654d

    • SHA256

      ec2fcec991f3fb4cf5f8ee9129d48f32a7a70f333a4d327da7c772a34cdb3354

    • SHA512

      ee700f68c8dddcc18719c6059be3186030cfc8f85c0ba6188cfa5286d8636dd8187e49871b481960f8598ba5b8097a52520ee59d856876578365ad977b0f9237

    • SSDEEP

      49152:ODCUyixT3awjfpK7BSb/DQzUdjkpg/lMryonu6g6i+:OLyix1jlbtdjkpg/lMryonu6zi+

    Score
    1/10
    behavioral3

    • Target

      Loader/GameCheck/GameMenu

    • Size

      6.4MB

    • MD5

      d718183c1f1365c4de6f7d31d3648d10

    • SHA1

      4b0c771fd40acce43b2a33e14e7b847137e435dc

    • SHA256

      a09167275f3a149ac370e4fd28c6fe1c55bca9b701c7b3a7cda35d22362fce22

    • SHA512

      201e30d6e9ccc540802b8527cb0ca567c6c0c53180bb93e3d702fb79ccdddf50cf30b993eddfc486490e3afde435af177a88a3f5ce090e0870ce105f88619b73

    • SSDEEP

      49152:ZxayPRWefI0YnXQUd50BO8gbR2vlkaJ4:Zfp78bR2vlkaJ4

    Score
    1/10
    behavioral4

    • Target

      Loader/GameCheck/GameStatus

    • Size

      2.8MB

    • MD5

      6d7becc35d0605a0dd4cf36df667c694

    • SHA1

      9e69411ef50861a9211636cde6edf699c1bb5bb2

    • SHA256

      d1e870fd02ccf8563b6d63ca0b0a0f80e6b62e84e5cfa605c52383b40430adff

    • SHA512

      54a878ee4111c078fc49b1ed63ae060c80e0df72ad6d55809f71858898a3ba69362d86ee8016e03d6aaafd8e6dba94611f4f02e9ac0d4be02372f922d848dcfa

    • SSDEEP

      12288:G32ft6XMPpEgYNlNgaK2VGx/GPcn8hzH+UzY3CZ+Jt:G7XM4zEv/GHhL+UzY3CZ4

    Score
    1/10
    behavioral5

    • Target

      Loader/GameDetect

    • Size

      50KB

    • MD5

      635e144281e7cd5ba14c3eb6d56ab8e3

    • SHA1

      615cd0ccc38ad932361fb88bb2d023332655b73d

    • SHA256

      dcf29deaeff990760c131b3f23690f853ae86553f5824f0e03630ba0b6b587f9

    • SHA512

      d72b6d7bcd8238ca085175ecb778c608dc0451947878be5de83486670b094f726829158a94fee00e587d5bd48f2f2f1e396b20b6983f49902664f0ed73d8251f

    • SSDEEP

      768:3a3CBVz70ua2oR0ZWHC3grdmn4P+3nkvc4bnQ:3Nts2oR0ZWHC3grdmn4P+3nkvc4b

    Score
    1/10
    behavioral6

    • Target

      Loader/Launcher.dll

    • Size

      7.5MB

    • MD5

      cbb81f28c5a509e4f7e3e44bc7da74f8

    • SHA1

      47145f07bc7d0083d3bd13a9da44bac740952029

    • SHA256

      413bf9c2cff6fe7b97eae199683df7f6d648fad4c25cb6d0b7dce335eb69edba

    • SHA512

      bc863ebb2f5fd66f342be8befb49889dd275adb15cff95ed378e185190091589c8d1d7a8902ca889a7b2af81588c731bfa0a930f074fecadd9b47a082966079c

    • SSDEEP

      98304:koD5geAsEDKN0xOLy2MsmCkQejop7PGXleggxF:kfD/mexOLy0GoNPGXledT

    Score
    1/10
    behavioral7

    • Target

      Loader/Loader.exe

    • Size

      7KB

    • MD5

      b5e479d3926b22b59926050c29c4e761

    • SHA1

      a456cc6993d12abe6c44f2d453d7ae5da2029e24

    • SHA256

      fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

    • SHA512

      09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

    • SSDEEP

      192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

    Score
    10/10
    rhadamanthysevasionexecutionpersistencestealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      Loader/Updater/Updater

    • Size

      1.5MB

    • MD5

      1064406f3c6ce03a3b1f85a82d094677

    • SHA1

      025a6e945c1f77bb9654f87e575348016eeca5e0

    • SHA256

      ac53d02e96c1c588bc6149255ab6fa15d505d087d1f727e488b0727ca528fa24

    • SHA512

      febd5e559fdac077f365f89439890e9466a5c96ac214326f9eac7151ab202cf6e6af9b375873c68e3d01319826dedc6a921cef78ca36edb75d5f7024b62b4789

    • SSDEEP

      6144:s0rZM7ZAS77S2kkvUnmFuOA0LlgZxeeWlSuO24rZGIroF0WPq1s03JnShahc6lSb:sf7Z3/UnmRL+ZxglSpHUL305Shaba5

    Score
    1/10
    behavioral9

    • Target

      Loader/Updater/web.config

    • Size

      18KB

    • MD5

      b127480ee9f0b8dab6a3f73ad79dd332

    • SHA1

      7d776d730cbd253564713f36573dd8366782788c

    • SHA256

      f1a6416eeedd9d040387fd85dcf7d6e074b6644c6829d08be220ff9fc32efb31

    • SHA512

      00ddca43ad38127cf71477810c46617fc2ccdc33f197e26ba761151107eff701fec2caa51e43575fb5b4fbc11f640f525ba70b6b3e97811cecabc63773492401

    • SSDEEP

      384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwahst/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJX91Xbi

    Score
    1/10
    behavioral10

    • Target

      Loader/config

    • Size

      3KB

    • MD5

      67611b783439b35abfe05a97413bba46

    • SHA1

      52795ffda8b88701793acc05e87897bdba99a633

    • SHA256

      5776169973a26a387b8b3e5c0f2301a7ab9a6dd7c7d3efa22a96abc47fbf8662

    • SHA512

      046dc9fe5cb46bea23668eb0d9742d32ddad30a6ee85c20839b68cb022f9e2ae6a38b87b9e267edb152b29420e3d169348cd9d3bcd4a7c7d82b3d50ac24b4748

    Score
    1/10
    behavioral11

    • Target

      Loader/mainf.dll

    • Size

      6KB

    • MD5

      dfbad6728654395df7cdc4626686bdd7

    • SHA1

      63686f523d7b4bf33c6184ce7d870fa326ce4bba

    • SHA256

      ba7ee4cc8044c4aeac2c9b698a32a6d01020097e14730abc7040cd9f0ee0608c

    • SHA512

      e2ff8afcd090adc2a846152fa5f0055ade47b8d9a19e6d2ff1f20092b987db98729388142f56af716b8dc659e66188ecfa4ba35b55353e7636a58a78c7ce6abd

    • SSDEEP

      96:VUttOfbCgQSbvu/r8NfrHkuixR+0NGUA5ATvHV+f4zUh:V6FgGr8B2R+0M1+rV+Qg

    Score
    1/10
    behavioral12

    • Target

      Loader/mconfig/config.xml

    • Size

      25KB

    • MD5

      f34b330f20dce1bdcce9058fca287099

    • SHA1

      936520d5bb5c00a1985d7a4c4f0ef763a9031862

    • SHA256

      0c56e34c69124510fa8c19e7b4c2ca6c1c4ff460ae19f798dd0ca035809e396d

    • SHA512

      d6d4a8321eb44c117755a41a2590296be86a0568d27a5347f9d7f32f2d151d8f7e169675c83faed2dab5ad0f8d81858f8cd1167e439cd4bff7e68c243e3544fd

    • SSDEEP

      192:Bt074zTxASaKp3T7pJsPpPT8B13eeaVonGdEBMmhVbeyeTfWDBzmAwdavahmhNIa:LAMDp35JyPCCu96yJwgag

    Score
    1/10
    behavioral13

MITRE ATT&CK Matrix

Tasks