rhadamanthys | f4f4dd8a1fca44d6d7c78da7dc5741b91250eabf8faae79604c786672ea2efb8 | Triage

Submit
Reports

Overview

overview

Static

static

3

__x64___se...up.msi

windows7-x64

6

__x64___se...up.msi

windows10-2004-x64

__x64___se...up.msi

windows11-21h2-x64

Resubmissions

29-06-2024 14:38

240629-rzv2qasepl 10

29-06-2024 14:34

240629-rxnvmazblg 10

Sharing

General

Target

__x64___setup___x32__.zip
Size

35.4MB
Sample

240629-rxnvmazblg
MD5

ff654bc32dcbba43b22e006634fc0ef4
SHA1

354df22ee1aa755a09309684c33426e4da3c8745
SHA256

f4f4dd8a1fca44d6d7c78da7dc5741b91250eabf8faae79604c786672ea2efb8
SHA512

1f558e4e6a2672fd1e5b132685fe7089445e18319769778ea8b778a99c28dc70fecad502c035e102f02989661c8a530973c97af98078a1fe531e65241bbb037c
SSDEEP

786432:rukfK17+84cIE5kS+oofbNtocqM4kwEwwCQgZp3i6HE+8tDWU:rukfK17+8kECSaxWcqMDzgXPQtDWU

Score

10^/10

rhadamanthys execution persistence privilege_escalation stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

__x64___setup___x32__/setup.msi

Resource

win7-20240419-en

persistence privilege_escalation

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

__x64___setup___x32__/setup.msi

Resource

win10v2004-20240508-en

rhadamanthys execution persistence privilege_escalation stealer

windows10-2004-x64

22 signatures

150 seconds

Behavioral task

behavioral3

Sample

__x64___setup___x32__/setup.msi

Resource

win11-20240419-en

rhadamanthys execution persistence privilege_escalation stealer

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://two-root.com/2506s.bs64

Targets

- Target
  
  __x64___setup___x32__/setup.msi
- Size
  
  34.8MB
- MD5
  
  1086315ee22b1c20eb4aa7a57cbb8b6b
- SHA1
  
  1c734fc3f48e355a438cfed270f927b3922ef0ac
- SHA256
  
  d9324c156a90b828e3f110a871b6eca08bb6251fc34dcb8b570c05f48a6b642d
- SHA512
  
  f6fdfd4751e9b717b7acef31973e34219d2c1e49869b956c27f2a675461ad70b4d727fefb8dba5910954ef8012232913e79549acaa75558015e4de24ee804c05
- SSDEEP
  
  786432:wqqRkI57hVSZmlNdonqUuhGMCiEIS/vTis1Mscz:wq+T57jSZmGnqUezSTtqz
Score

10^/10

persistence privilege_escalation rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

persistenceprivilege_escalation

behavioral2

rhadamanthysexecutionpersistenceprivilege_escalationstealer

behavioral3

rhadamanthysexecutionpersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy