rhadamanthys | c0a431da531032202fbad12b852d441638214b288103f3584252f23491ca36f7 | Triage

Submit
Reports

Overview

overview

Static

static

1

setup.msi

windows10-2004-x64

Sharing

General

Target

setup.msi
Size

25.2MB
Sample

240624-pn9pmasbmc
MD5

933b86e4ec5b91c804b278b6cb6a87a8
SHA1

d1f4019db27e98d0830013355a2a2c74d4804be4
SHA256

c0a431da531032202fbad12b852d441638214b288103f3584252f23491ca36f7
SHA512

f463e1422251a9795d2e89774e9785970cfd41ee85fda72c3d7216beb53b6a9c37d5152d733942fa834d3662c32e0df5cf9d791534479167863dc01ab1629030
SSDEEP

393216:w+wfUM9W/NReJ2eTLtnOQY2xbEZ1BacivCTvMETonoDpoDp1dXSIpDIj/t:w+ZM0/NRVWLtntY2eZ1BacrvKoDqQpz

Score

10^/10

rhadamanthys execution persistence privilege_escalation stealer

Static task

static1

Behavioral task

behavioral1

Sample

setup.msi

Resource

win10v2004-20240611-en

rhadamanthys execution persistence privilege_escalation stealer

windows10-2004-x64

16 signatures

1800 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://gotry-gotry.com/2306s1.bs64

Targets

- Target
  
  setup.msi
- Size
  
  25.2MB
- MD5
  
  933b86e4ec5b91c804b278b6cb6a87a8
- SHA1
  
  d1f4019db27e98d0830013355a2a2c74d4804be4
- SHA256
  
  c0a431da531032202fbad12b852d441638214b288103f3584252f23491ca36f7
- SHA512
  
  f463e1422251a9795d2e89774e9785970cfd41ee85fda72c3d7216beb53b6a9c37d5152d733942fa834d3662c32e0df5cf9d791534479167863dc01ab1629030
- SSDEEP
  
  393216:w+wfUM9W/NReJ2eTLtnOQY2xbEZ1BacivCTvMETonoDpoDp1dXSIpDIj/t:w+ZM0/NRVWLtntY2eZ1BacrvKoDqQpz
Score

10^/10

rhadamanthys execution persistence privilege_escalation stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

rhadamanthysexecutionpersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy