General
-
Target
main.py
-
Size
111KB
-
Sample
240624-2m8gdsygkp
-
MD5
74e88b3a5e1a99f8da4bb70196118a2a
-
SHA1
6fe34053ff448ffb53c9b09d5ba62c6561dc8b25
-
SHA256
6ed72b789e722b398defd07bd4bd88b390f788128c20938bb72c8ddb93efee55
-
SHA512
d06927ee30219346bc9557d6b5e5c56329e4d293b150361103df679763d70857284f51398d33fec9e2c2a4ed901896bb2d01b38d237aa568bd2bd988b51ecff8
-
SSDEEP
3072:p6ZDuGpHazDq5SRsKj1HcXoNFi66sCowjrMrhps7xw:p6ZDuGpHazD5sKFcXofV6sCoErMrhpsS
Static task
static1
Behavioral task
behavioral1
Sample
main.py
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
main.py
Resource
win10v2004-20240611-en
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Extracted
lumma
https://backcreammykiel.shop/api
Targets
-
-
Target
main.py
-
Size
111KB
-
MD5
74e88b3a5e1a99f8da4bb70196118a2a
-
SHA1
6fe34053ff448ffb53c9b09d5ba62c6561dc8b25
-
SHA256
6ed72b789e722b398defd07bd4bd88b390f788128c20938bb72c8ddb93efee55
-
SHA512
d06927ee30219346bc9557d6b5e5c56329e4d293b150361103df679763d70857284f51398d33fec9e2c2a4ed901896bb2d01b38d237aa568bd2bd988b51ecff8
-
SSDEEP
3072:p6ZDuGpHazDq5SRsKj1HcXoNFi66sCowjrMrhps7xw:p6ZDuGpHazD5sKFcXofV6sCoErMrhpsS
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-