General
-
Target
Freedom.7z
-
Size
2.1MB
-
Sample
240627-rbnmqsxaqm
-
MD5
3484fa587896326fee15d2a316856743
-
SHA1
31b56645eafdfd0e0dccc639f8d68889fa05b126
-
SHA256
c8a5706670148888bd448afb81461174e3fce66526bdba523ae56639c15edf0f
-
SHA512
42a229241538b795c8bad686ab33afa415adc36c25c27464123907ef97a4dfe4fad136575c9d5c976d4c8405b3af28f2ee52c5019f4e536ba42a1bace5ebea59
-
SSDEEP
49152:TLmNQ09ZffRR6fC2+t9oV7TZgPj4CFKSlcRlUUCULthCaIXzwK3r5JyRH9uv:TLmW0Lf3Q+t9i79gPjFJcXnLCa+n3aHE
Static task
static1
Behavioral task
behavioral1
Sample
Freedom/Freedom.exe
Resource
win11-20240611-en
Behavioral task
behavioral2
Sample
Freedom/d3dcompiler_47.dll
Resource
win11-20240508-en
Behavioral task
behavioral3
Sample
Freedom/dxil.dll
Resource
win11-20240611-en
Behavioral task
behavioral4
Sample
Freedom/vulkan-1.dll
Resource
win11-20240419-en
Malware Config
Extracted
https://rentry.org/pancek61111111111111/raw
Targets
-
-
Target
Freedom/Freedom.exe
-
Size
8KB
-
MD5
4fbb04c9e3aa983cbfc4980a7b5b7041
-
SHA1
34aeca658462e638521bc384a4935251678a9a78
-
SHA256
24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731
-
SHA512
615534039ad97fea8c881656a53b6b0ead41e3770e0a3f3cd38052585dc5a102ab25b824c59c3142b75f6b62e56ff46ab981e27c889ded28a5cc2884581863bc
-
SSDEEP
192:Gh9Lz2jG4pFMYqLDQ1bhxZzzzhGjcJr9emxan6+UqawcTnYPvkVNxdpD:Gh9Liy4kLDQHtGjcJrQmxan6+/xcTnYg
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Creates new service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Freedom/d3dcompiler_47.dll
-
Size
4.7MB
-
MD5
2191e768cc2e19009dad20dc999135a3
-
SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a
-
SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
-
SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
-
SSDEEP
49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score1/10 -
-
-
Target
Freedom/dxil.dll
-
Size
1.4MB
-
MD5
cb72bef6ce55aa7c9e3a09bd105dca33
-
SHA1
d48336e1c8215ccf71a758f2ff7e5913342ea229
-
SHA256
47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893
-
SHA512
c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0
-
SSDEEP
24576:LCfhbh3v3mtZDiAQeWj26k41ob2nrZ1rqpegQDJqoZtp22GkmgA9u808jQPEdkr1:LCfhbh3v3mtEAQrW41obCraeRhy9ou6r
Score1/10 -
-
-
Target
Freedom/vulkan-1.dll
-
Size
933KB
-
MD5
e43b12cf3c7a21a5c50d3c7b4f88ab04
-
SHA1
79664cf6cfb23c3e78361f817bac1440e6c7fe41
-
SHA256
a73ef0a1dc0578cf64e856dc9461ba135bd742f3d5f60713e4d645e17533e9c9
-
SHA512
656841544adf4fac2abde64bd62bc9392e76178797e81f73a13af05f84e6f51ad83aba1320a2af17e910bc3eb35c40ef9ba386f36ebd443ac04acefc10dc0248
-
SSDEEP
24576:57SR7TmAl/bFPmGDsfNy6Z5WiDYsH56g3P0zAk7LZIOayz:57A/bFPmH86Z5WiDYsH56g3P0zAk7LE
Score1/10 -