rhadamanthys | f548d1ad81af9ffb56e07ae96aef96702160d06a84db8802679686ef2b51d85e | Triage

Submit
Reports

Overview

overview

Static

static

3

setup.msi

windows10-1703-x64

setup.msi

windows10-2004-x64

Sharing

General

Target

x64__installer___x32__.zip
Size

26.6MB
Sample

240624-rkm3kazcln
MD5

951895db4798737e96a7b22f0451ef01
SHA1

2c9727632f4bfd3eda91b3fdd689ad53cfaae925
SHA256

f548d1ad81af9ffb56e07ae96aef96702160d06a84db8802679686ef2b51d85e
SHA512

82e6d3898bd5504e5f9aefbc2ea373468f217cff5d651db24c3ef84cae6ffb35d14700d11dab758661b114c8c4a674974efbb1bd31b4abf47af13591c88cb178
SSDEEP

393216:q/eG13sFOO/XnV5ZN5JNCyvmgrfB6rX9wAH8owLrgY+HhHgSIrA/d0FuIxi:qxrO/9N52yvmcJ6rXTcvL8wA/CXxi

Score

10^/10

rhadamanthys execution persistence privilege_escalation spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

setup.msi

Resource

win10-20240404-en

execution persistence privilege_escalation spyware

windows10-1703-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

setup.msi

Resource

win10v2004-20240611-en

rhadamanthys execution persistence privilege_escalation stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://gotry-gotry.com/2306s1.bs64

Targets

- Target
  
  setup.msi
- Size
  
  25.2MB
- MD5
  
  be2a13cfa57db16d3f654c5e444c360b
- SHA1
  
  7f45d2a4debbbca678cc5c300c59af01ca197bca
- SHA256
  
  b086cb6063a6fe194342b3dbe7639aebab02513305c95a914d052e87b54e0523
- SHA512
  
  978f4fb1e9df0785bbcd2734d4a7b32d3acab4a215075f0860ccc879bf65714e2c6eabba41ee7c38c0394a9a08b60757544034b21c336c2a3f233a411744953e
- SSDEEP
  
  786432:++aMGdE4CF4EgcHxa3pS58g0nfZ3AOnr:++aMGrCKEg+xwS5MGOr
Score

10^/10

execution persistence privilege_escalation spyware rhadamanthys stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

executionpersistenceprivilege_escalationspyware

behavioral2

rhadamanthysexecutionpersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy