rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

RedEngine.7z
Size

2.1MB
Sample

240625-nqt7aazhkp
MD5

f23bd725bb53925599f4be868442b6c9
SHA1

f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2
SHA256

c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258
SHA512

2b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184
SSDEEP

49152:K0DnX8iIxVA3ooy+ZwawT1o1SU6cCxD+f7bGSFJw7iIehWD3u70xeHR:vDX8iI4Yoy+cK/lvsOInru70AR

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Targets

- Target
  
  RedEngine.7z
- Size
  
  2.1MB
- MD5
  
  f23bd725bb53925599f4be868442b6c9
- SHA1
  
  f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2
- SHA256
  
  c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258
- SHA512
  
  2b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184
- SSDEEP
  
  49152:K0DnX8iIxVA3ooy+ZwawT1o1SU6cCxD+f7bGSFJw7iIehWD3u70xeHR:vDX8iI4Yoy+cK/lvsOInru70AR
Score

10^/10

rhadamanthys discovery evasion execution persistence privilege_escalation stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Tasks

static1

Score

3^/10

behavioral1

rhadamanthysdiscoveryevasionexecutionpersistenceprivilege_escalationstealer

Score

10^/10

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1