General
-
Target
Nc-LoaderV.exe
-
Size
53.9MB
-
Sample
240628-dbw28azeln
-
MD5
123f78a5aa5655f88fb3389eaf5bfdb6
-
SHA1
8fc13d78c22452dd869aa27b035cb1a8872211f4
-
SHA256
ad00c7ec62ff3887e056d9021c43d3bdf9281dd308003aeb3640720c6a8101e0
-
SHA512
cfea0d373301c12120ffd9038848b6ba5c4057cc4985ff3641300aaf425d4ff86bf33813224bc7a26652ced75dffe5d3dce5ec7114f25befade827173a05dd15
-
SSDEEP
393216:kMyE1FlK/sL/wqGMt4RTt48XlVseZ08iga+8:kMyE7lc/BTRTt481JViga+8
Static task
static1
Behavioral task
behavioral1
Sample
Nc-LoaderV.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
Nc-LoaderV.exe
-
Size
53.9MB
-
MD5
123f78a5aa5655f88fb3389eaf5bfdb6
-
SHA1
8fc13d78c22452dd869aa27b035cb1a8872211f4
-
SHA256
ad00c7ec62ff3887e056d9021c43d3bdf9281dd308003aeb3640720c6a8101e0
-
SHA512
cfea0d373301c12120ffd9038848b6ba5c4057cc4985ff3641300aaf425d4ff86bf33813224bc7a26652ced75dffe5d3dce5ec7114f25befade827173a05dd15
-
SSDEEP
393216:kMyE1FlK/sL/wqGMt4RTt48XlVseZ08iga+8:kMyE7lc/BTRTt481JViga+8
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Subvert Trust Controls
1Install Root Certificate
1Modify Registry
2