rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

Freedom.7z
Size

2.1MB
Sample

240627-rbnmqsxaqm
MD5

3484fa587896326fee15d2a316856743
SHA1

31b56645eafdfd0e0dccc639f8d68889fa05b126
SHA256

c8a5706670148888bd448afb81461174e3fce66526bdba523ae56639c15edf0f
SHA512

42a229241538b795c8bad686ab33afa415adc36c25c27464123907ef97a4dfe4fad136575c9d5c976d4c8405b3af28f2ee52c5019f4e536ba42a1bace5ebea59
SSDEEP

49152:TLmNQ09ZffRR6fC2+t9oV7TZgPj4CFKSlcRlUUCULthCaIXzwK3r5JyRH9uv:TLmW0Lf3Q+t9i79gPjFJcXnLCa+n3aHE

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Targets

- Target
  
  Freedom/Freedom.exe
- Size
  
  8KB
- MD5
  
  4fbb04c9e3aa983cbfc4980a7b5b7041
- SHA1
  
  34aeca658462e638521bc384a4935251678a9a78
- SHA256
  
  24f095f4f5796561cc9f9c60f71a2182fee89692f239c92e7447af3461e12731
- SHA512
  
  615534039ad97fea8c881656a53b6b0ead41e3770e0a3f3cd38052585dc5a102ab25b824c59c3142b75f6b62e56ff46ab981e27c889ded28a5cc2884581863bc
- SSDEEP
  
  192:Gh9Lz2jG4pFMYqLDQ1bhxZzzzhGjcJr9emxan6+UqawcTnYPvkVNxdpD:Gh9Liy4kLDQHtGjcJrQmxan6+/xcTnYg
Score

10^/10

rhadamanthys discovery evasion execution persistence stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Freedom/d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  2191e768cc2e19009dad20dc999135a3
- SHA1
  
  f49a46ba0e954e657aaed1c9019a53d194272b6a
- SHA256
  
  7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
- SHA512
  
  5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
- SSDEEP
  
  49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score

1^/10
behavioral2
- Target
  
  Freedom/dxil.dll
- Size
  
  1.4MB
- MD5
  
  cb72bef6ce55aa7c9e3a09bd105dca33
- SHA1
  
  d48336e1c8215ccf71a758f2ff7e5913342ea229
- SHA256
  
  47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893
- SHA512
  
  c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0
- SSDEEP
  
  24576:LCfhbh3v3mtZDiAQeWj26k41ob2nrZ1rqpegQDJqoZtp22GkmgA9u808jQPEdkr1:LCfhbh3v3mtEAQrW41obCraeRhy9ou6r
Score

1^/10
behavioral3
- Target
  
  Freedom/vulkan-1.dll
- Size
  
  933KB
- MD5
  
  e43b12cf3c7a21a5c50d3c7b4f88ab04
- SHA1
  
  79664cf6cfb23c3e78361f817bac1440e6c7fe41
- SHA256
  
  a73ef0a1dc0578cf64e856dc9461ba135bd742f3d5f60713e4d645e17533e9c9
- SHA512
  
  656841544adf4fac2abde64bd62bc9392e76178797e81f73a13af05f84e6f51ad83aba1320a2af17e910bc3eb35c40ef9ba386f36ebd443ac04acefc10dc0248
- SSDEEP
  
  24576:57SR7TmAl/bFPmGDsfNy6Z5WiDYsH56g3P0zAk7LZIOayz:57A/bFPmH86Z5WiDYsH56g3P0zAk7LE
Score

1^/10
behavioral4

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops desktop.ini file(s)

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Power Settings

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4