General

  • Target

    RedEngine.7z

  • Size

    2.1MB

  • Sample

    240625-npv27axbrf

  • MD5

    f23bd725bb53925599f4be868442b6c9

  • SHA1

    f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2

  • SHA256

    c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258

  • SHA512

    2b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184

  • SSDEEP

    49152:K0DnX8iIxVA3ooy+ZwawT1o1SU6cCxD+f7bGSFJw7iIehWD3u70xeHR:vDX8iI4Yoy+cK/lvsOInru70AR

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://rentry.org/pancek61111111111111/raw

Targets

    • Target

      RedEngine.7z

    • Size

      2.1MB

    • MD5

      f23bd725bb53925599f4be868442b6c9

    • SHA1

      f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2

    • SHA256

      c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258

    • SHA512

      2b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184

    • SSDEEP

      49152:K0DnX8iIxVA3ooy+ZwawT1o1SU6cCxD+f7bGSFJw7iIehWD3u70xeHR:vDX8iI4Yoy+cK/lvsOInru70AR

    • Score

      3/10

    • Target

      RedEngine/Launcher.exe

    • Size

      7KB

    • MD5

      eee2a79d3170f463e9697ddb8b97d41e

    • SHA1

      818c82b1743c91f423c92742b54355b2058ff417

    • SHA256

      a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41

    • SHA512

      139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea

    • SSDEEP

      192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      RedEngine/libEGL.dll

    • Size

      469KB

    • MD5

      2a568dc1f848b2948dfd90c8ebeb58c6

    • SHA1

      e765ca8946ce091651c6722c650d9ad5edfeb5d5

    • SHA256

      c00285c0174024739997898e98444deb4cbfe6b571cca69ca3bf8e5ab3ea5bbe

    • SHA512

      a6ce4ead89933d32ea24766f887655ee5894ef1813faf97ebb2191a775488ba2fd77bcb4aedefc273ef85f5a93a9a5dd3d35b213a52d95b0cc4111708d9fcee5

    • SSDEEP

      3072:4kgdNXYPuSHGjFXVYbAQSIoU8w1Z5iErbFdWE7D6i/wZJothADZX+Lcq7gv+xt4f:47Vl/HxUniSbFdH1/wXFufMG9x2qPz

    • Score

      1/10

    • Target

      RedEngine/libGLESv2.dll

    • Size

      7.2MB

    • MD5

      5afc7b4ae2a76fa9a2b740734ef9f9f7

    • SHA1

      fb7d539a77883ee2ad2036c0243ef9acb49132ab

    • SHA256

      9168eac79d66301f49c8b2d501e8ea79b52f6b3f8b4e6aac06348fe24bf845d6

    • SHA512

      132ed0e481192f31e5aedde4f4386beac099c8ce86778b097b98cbd7ada6e7fcf15cda271b0ec07bab4edbb9429937ea9aae139d6ba7b74a4f4238471d8ea773

    • SSDEEP

      98304:vD+WTl1xDfbWziTwMPdkUqqXyXm3C/0+:vDTnxezkPqqiCC/

    • Score

      1/10
