rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

ff654bc32dcbba43b22e006634fc0ef4.bin
Size

35.3MB
Sample

240701-ew6mtsyhrm
MD5

5ebec6d6ca28a0f4492b866699cd0855
SHA1

f49572ea016cf7aca7ba388793e4dc3f3c6bc9b9
SHA256

1adf1646b9113fd13d0e6745b83a59fae2160ba93ecade45be63dd210cf6c8a6
SHA512

6cb052f8a74507993f2d3429775c4a9fbcd28c177e3a0ec2300160e55de39da440a0ff48c55eaa63557fa7d66ab78de46cd244ebe524a1747562f3405f0c58b7
SSDEEP

786432:XptkKH/LpFhB2+jnU/FQnxvw8+bYhAf35PDL/q:zHNFv2+jnMFE+cKv5PXq

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://two-root.com/2506s.bs64

Targets

- Target
  
  __x64___setup___x32__/SettingMonitor/SessEnv.dll
- Size
  
  529KB
- MD5
  
  86d26ebd7bfaecb399113aa4032b1654
- SHA1
  
  dafc41bfa8f890df174c0d8fcb86d1df77c0f04c
- SHA256
  
  b0e89ba9ece9afbd08eba6f7dd9779a50a212d9d334f8da5e32a8afb0356cb3e
- SHA512
  
  c5c66200030b24a87ea15c0e287289828d2292044d9405bee0c771531b98bf07b23330a8b59f1fa020e398963552b718445450797f95406f9a6636be57b78289
- SSDEEP
  
  12288:fjddhPmPjMc72g1d02PUsuJ4v0rRgN5USgUCLU:fPhs7z02dv0rRgNKSCLU
Score

1^/10
behavioral1
- Target
  
  __x64___setup___x32__/SettingMonitor/SettingMonitor.dll
- Size
  
  163KB
- MD5
  
  e8cdda28622354adc80aa9b9e7b165ff
- SHA1
  
  c95e8a4abaaee4f96cdc0956ee802c7320eb001b
- SHA256
  
  330a4bf116cfd884df55af3dfd1200702e086a8ed7810e8b41529a78cf05c678
- SHA512
  
  58ba3f16924467b05be0e373f7c52dd0841ec2a10e99fc4c5b019d2bf1a97bc61752d30df3b2d45984c9c41fc8ff89c8a7d1e0e7e8459d515d73328f31b78995
- SSDEEP
  
  3072:0KWTUDuDWEV7pDx9d3h1OsGwuCYamg9j8TPfEjJ30/cVBy:0F4DuDV71TXIwvxufEjJ300VB
Score

1^/10
behavioral2
- Target
  
  __x64___setup___x32__/SettingMonitor/pnrpsvc.dll
- Size
  
  344KB
- MD5
  
  f8ce0b4f1bc5e4fbdd66c1cac4d58314
- SHA1
  
  420146b917efcb1181b711fdcf7423dcd20c18e8
- SHA256
  
  e7dc2fba4cdbb0a35cc58e0fdf37d68891f18a80e449c0aa2c66c43a596ec4a9
- SHA512
  
  ed20c89ce1a22e13f423939d8c38a2d0cfbac58b102d80b5839a0c4bd942df1db65c709e70830856ffe253c4e6af4b61acdd0c47165d1df0475d7c388298b1f3
- SSDEEP
  
  6144:k0U24oAyuNRrY0Q/oOhBKHl9TxJDs1HWLsx6qwDsLKcfpErKYS:7ADN2yOjKF9tJDsQLsx63DTcfp2r
Score

1^/10
behavioral3
- Target
  
  __x64___setup___x32__/SettingMonitor/uudf.dll
- Size
  
  169KB
- MD5
  
  001ef38ce74ecf8417ee0c891434bb43
- SHA1
  
  d7bc48b2fbf27dd6a603c4dfdcd0fec4bcdea0d0
- SHA256
  
  605ed635b23f16ac60e69d3d3c90e74f2d7b8eb7961647d59f918f76f5465125
- SHA512
  
  3314928fe347224feaa4b6ac39784074c5441cc156226bf3cce02fdf8abf923429c37be9445921323b15cbbac5a76a48c247f3ca708b73848b9cc06e3a6dd711
- SSDEEP
  
  3072:7VVOPiAiPibX5wceSGHdUZkQZUiI0jTJ8B1lfGZTzk9kKgCDCiGriZC/AzLct:7VVOPlLbeZHKhZbDfJJzk9kKjF9
Score

1^/10
behavioral4
- Target
  
  __x64___setup___x32__/SettingSync/SettingSync.dll
- Size
  
  696KB
- MD5
  
  dba5942d06d3f0c8e8157549810f98e3
- SHA1
  
  cbf39ba1e24776bd1d8cebfa75a6222da803cb40
- SHA256
  
  2d1883c92c08e406ff2fd77387201a6d9a5b11a0b9c40d17c2164f490ba78bf7
- SHA512
  
  7e626168328514659e0011c4819fa450526dd4811adf423810f7d2080ade86b7dfecde3699327c4dfdb4afc421237cfe028dafa2161a7bfb9c0c69d352c3fe44
- SSDEEP
  
  12288:UMZExH2M0Cl2d/4zvWtRSVzpyt0CrX9LXbzmrdQ2N5QS5b:ZWx0ClPuAEfXe5N5Q0
Score

1^/10
behavioral5
- Target
  
  __x64___setup___x32__/SettingSync/rasmontr.dll
- Size
  
  352KB
- MD5
  
  e7cd615613875ea223ab051b0daa62ae
- SHA1
  
  f8e13ffb3a92a92428585a6448ba0eb45a6714a4
- SHA256
  
  3784cfebd786b6fe061fbbaf62a2ec38e931544a6522ff74a06398f8f7e9f7d6
- SHA512
  
  bcc82736d04a9040fdd38d1d02efd3143004091b05f69a9bfc29e15a9a380d1e3a7cda21d489db5dbb2457eb4055b094a5356f0ea12aaa3805798129f51ace30
- SSDEEP
  
  6144:cyTN+ofnWGvGNzq+K7FMmODKzDS6JVj5XgQUtQ7X:HNp/WuGJq+SFnODKz
Score

1^/10
behavioral6
- Target
  
  __x64___setup___x32__/SettingSync/schannel.dll
- Size
  
  580KB
- MD5
  
  bf34ca8a3c01da7f7fa805f7e717d546
- SHA1
  
  b605919ed9b30f77b4ee486f2ea42d175b37b84b
- SHA256
  
  9a28255454c927b4c95b3cf39c12650bc5c31e2fe70c7fa935e2f9c0767f62a7
- SHA512
  
  afc64003e7ae59f52246b41860fee6201c9cfbb27fa2547cd8da4ab371d4eebf11682d2556c1734ba1962b8c72f4081a08a30fe9774328a056ffdf1551a78d5e
- SSDEEP
  
  12288:Z8ec48WHBEQRTj2eO2i6DqyjpygHI+mG5a:Z8ec2TjFOaDV1ygVH
Score

1^/10
behavioral7
- Target
  
  __x64___setup___x32__/SettingSync/sppcommdlg.dll
- Size
  
  312KB
- MD5
  
  25059cb01909efc95c978a189c24c20b
- SHA1
  
  cbdbfd8cd3c56efd35dc191ec26d4b629c3aaf6c
- SHA256
  
  f4561bd188608d78a65df4c509da5f03169af43b9fa3fcef2274ff766edbeb5e
- SHA512
  
  93556729cbf23656fc62718b99b3dcf6aa6fac5e4e8dda8ca088ac173a4729b50b45aefb43054f5b1e404cff635abe736b1d2376a8a000e34db4346c42e896be
- SSDEEP
  
  6144:JH6nOj2guNJqY/W5R02qO7VKCP1qKkOFaCGVn:J4Oj2RJq3nP1qKUCGVn
Score

1^/10
behavioral8
- Target
  
  __x64___setup___x32__/dab/dab.dll
- Size
  
  110KB
- MD5
  
  53ba03283c3bf93c438caa6f42c09659
- SHA1
  
  96030fd608ef154b358df1a86d90e761b5284f44
- SHA256
  
  a1c7b806e20264dc99f50205e1db95229e69c6dcf5928c9c4a66d8292ab9e1b3
- SHA512
  
  2e4ef7fc71408ec17dfebc71adad3c63f0549ff6de7d7ad6ff89828be6757e3d4f2c6c671653b7ad20cbc2a14f5788af1b29deaff14f2d3110410c6997e27868
- SSDEEP
  
  3072:Xwa1fzlsxiGFNcNDtz+6MQJl+CC7uzB2TY7:Xt1hTW2JQXzCC
Score

1^/10
behavioral9
- Target
  
  __x64___setup___x32__/dab/diagperf.dll
- Size
  
  1.3MB
- MD5
  
  d8a7dfb2d76cc2208449bfb840aecb69
- SHA1
  
  dacb265b5dda7060169b6c9685e30b8733a5ee41
- SHA256
  
  b2aca97ef7443e9516a8e0603b2912fb48d0f95a01920d475cdef2ddec97c716
- SHA512
  
  e51b391478ead5ac4b4a3f411f9f73f6c9bb69dc39245ba53ef4acbe644298b7ff3bbbdca754bcf2e08afc56c0d30a404505bac3be1b9e33ac72bd661f09082b
- SSDEEP
  
  24576:EXc7tg4rRnpxj1XAskVOIfWEHbjCTCD+yulAsiC:EXc7m4rxpxj1XrkVOIFbjC2DbuaB
Score

1^/10
behavioral10
- Target
  
  __x64___setup___x32__/dab/fcon.dll
- Size
  
  259KB
- MD5
  
  570410bf7b872f558841f3ebb7373480
- SHA1
  
  6a7756f03d2df96586ca95919a1a84ff2dabd662
- SHA256
  
  99dcbdb33cb51b1985d2a836992121b1693a17d2ec068ebf28bf1ccc4761e2a9
- SHA512
  
  6c05062cd6ad8949112854923c29ac440f8f66d8b24b0ae867558921358b07e9669e5b29b49fc4b91bf911496d82e6b577d32dc8347dbb9ca1976e2db0ccc574
- SSDEEP
  
  3072:UOA9zlGDwpjwEo+2jS2tYQLxc0I17WkpVXAP2rv09hOm1lPLCzGhbfdwON7Are:UOFcpjwEj25eXZgO2lvnhN7A
Score

1^/10
behavioral11
- Target
  
  __x64___setup___x32__/dab/hal.dll
- Size
  
  17KB
- MD5
  
  01fd720f78d7d72e19ca732a909ae005
- SHA1
  
  e542847f226190042cfda60dd8be6266d5e5d4a4
- SHA256
  
  9c32cef8fb1d4eb0fcec864617b850594eeeac2fe0163de77aa2f947fba4f3be
- SHA512
  
  dada83d0ca3f90d5c1e8facdf8141b7098be241efe2800ae51826c7445cf3c6801f751e9f500400af50a672643439975e85ffac0f9f2f2ed56a3f4729361e959
- SSDEEP
  
  384:MkqP8+N5nC+k6yIwws9sCQZWu7kWXddhMDBRJM1x85zR9zF6Nn:qi+aITsGFTdhM1PM109z2n
Score

1^/10
behavioral12
- Target
  
  __x64___setup___x32__/mscms/NPSM.dll
- Size
  
  197KB
- MD5
  
  02772a5aecc72ee43ce45004fa2a9dcb
- SHA1
  
  364aba6b29398838c20f6367a2623438f4b7488e
- SHA256
  
  7f98b2486edbea70c24f8473b02dceeb9a635e15e89423091cf2e8ad51a6702e
- SHA512
  
  847488bca42d3cc62e640cde5ce9dc2a06624633020463e8731c2e1374ecc4517c19483b57b84877b0c698ff95b5190e32ea7bb32f4442ba178365cbe3e8766a
- SSDEEP
  
  3072:IqWWSoNwRw8KO5bNTqD8cnyOeEkbzieAtm1LNFc+K+EZ1x+qmh3:I7WSsw28KO5bNTDcn2OeAo1MdVm
Score

1^/10
behavioral13
- Target
  
  __x64___setup___x32__/mscms/mscms.dll
- Size
  
  691KB
- MD5
  
  1a933be33a779fd18595af01c3850391
- SHA1
  
  11440a01dee87bc9bfb335a964da01b0e130a261
- SHA256
  
  908b352431cb871f8366c92e064e9193bbc86224cad53ddc047c3ea4f89dc667
- SHA512
  
  ef3c75bca8acd8df292f978a09cbf7dc94c831df144fb8f81e0d94ea6fcf2d754f53879b97629bc03b239861bf91cdb14538237346baeab90fafb470bae52afd
- SSDEEP
  
  12288:6l9/mpmYNRRw/IofftlEdWiV8FJGlQ6Q64BNBD:HmqRRwgofEdJVuGlEBNBD
Score

1^/10
behavioral14
- Target
  
  __x64___setup___x32__/mscms/msvcp120.dll
- Size
  
  644KB
- MD5
  
  c2028ba6c66363b36ea659ca8816265d
- SHA1
  
  5e2bda10ad417466290dc08fd6ee8bc5fcf0ebbd
- SHA256
  
  3b92e964404e3f94531e7d7c4c7419561d9eca6accd98dc3979c9e3596db444c
- SHA512
  
  28e87d7360c4bd2eb30152173da6fdf30340b5ff0186a68f26514088dcc15758851afd01a179e976a91a9a85f9c1ee0cfa40308ed9d42654739acf6f6dd773f4
- SSDEEP
  
  12288:FOB4p+q4N8d4l2ms4cTHN+m+gy/vEPYysExtvsIvXi1ZG2EKZm+GWodEEpvY/p:iAtvsIvL2EKZm+GWodEEpvYh
Score

1^/10
behavioral15 behavioral16
- Target
  
  __x64___setup___x32__/mscms/scrrun.dll
- Size
  
  223KB
- MD5
  
  8a6d4a4e788d30298a8885aaa5ef5e50
- SHA1
  
  33dd8d769e42690b6d12e2deb744ec63d4170429
- SHA256
  
  40c371fab5d3b36a2b15062ccd9deb088ac2aae4a52cd61c48671d3671fe8b23
- SHA512
  
  726f198c2d7477dce478cb16578206fbcbd95b57c67547baab0d8d7f82334f724199bbd2a1546b7b8e29d95d6cd3ad8683e32c08b6c46e3853247e3db1cdcf57
- SSDEEP
  
  3072:RLyWTrOJHy/LyLVCtndbijmQHw/vfQi18eXUMS1049WRjCy24eM68Pm:RLyWTrF+LVmdijy18JJSO54eM
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral17
- Target
  
  __x64___setup___x32__/setup.msi
- Size
  
  34.8MB
- MD5
  
  1086315ee22b1c20eb4aa7a57cbb8b6b
- SHA1
  
  1c734fc3f48e355a438cfed270f927b3922ef0ac
- SHA256
  
  d9324c156a90b828e3f110a871b6eca08bb6251fc34dcb8b570c05f48a6b642d
- SHA512
  
  f6fdfd4751e9b717b7acef31973e34219d2c1e49869b956c27f2a675461ad70b4d727fefb8dba5910954ef8012232913e79549acaa75558015e4de24ee804c05
- SSDEEP
  
  786432:wqqRkI57hVSZmlNdonqUuhGMCiEIS/vTis1Mscz:wq+T57jSZmGnqUezSTtqz
Score

10^/10

persistence privilege_escalation rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral18 behavioral19
- Target
  
  __x64___setup___x32__/vmrdvcore/mssph.dll
- Size
  
  209KB
- MD5
  
  ca07ad5304f7052e25cd4d708e0e21e4
- SHA1
  
  c73cbb881900e76d45957e9884398f5f3a9140e9
- SHA256
  
  fdd8008196ee65685d532869f9e611105eecb9054769a278ffb0985690cc92c7
- SHA512
  
  613fd7ebb45e9ff2086a6804a662146a20d940a77d4a086eddf28e60dfe487d89d31fbe567d948af2492c5e37dbce203a2723450a05becc934d6214c0190f269
- SSDEEP
  
  3072:nM/SaNItlQ9BkSbRzn82ssxRskJCQB+6h1azfTzRNraXCTCvf:MqAIt0tRPssxRskJCQBL0RNraXCTC
Score

1^/10
behavioral20
- Target
  
  __x64___setup___x32__/vmrdvcore/perfctrs.dll
- Size
  
  46KB
- MD5
  
  9d8502eab14478df7cb3b764e8890ed2
- SHA1
  
  77fc6eee247a35b0eb2b1683503cd9ee3fb52793
- SHA256
  
  5a21833091835de5d1d3d40579b0b4ef1d442f9843568a7696da7804f76207cf
- SHA512
  
  c47be028b662596e92baad3bec79eb34a802f762c5695c7a486882a59ff0a3a0341e592f5ff2f506d126bb9593d622dc28a9acba07456a5e2613a0c1152c403a
- SSDEEP
  
  384:p9sm0BwREQtSU0sUI4TDX5KuX4o0Bi+5NaRCIvN9q0p5yNpEGBoQ4f09XGboaVmc:KPU0sXc73+5URCgNygADNcboPkNJzXl
Score

1^/10
behavioral21
- Target
  
  __x64___setup___x32__/vmrdvcore/tapisrv.dll
- Size
  
  309KB
- MD5
  
  20ceaece4ecdebc89c82f1998696d596
- SHA1
  
  c5d390d27b4859bd9cf267b539ad80b04bc78328
- SHA256
  
  439559de34be096824cb70a97524e843ce2802092a9c882167f4cb08fe9664a7
- SHA512
  
  a057dfffa9a7752b4747cbcf3db62c1eb7d54826f56932b21f8c097037a93c8d745151c4a7fbd114826b6a708f17b556d8125d513b407933e736434e6a868222
- SSDEEP
  
  6144:6X4cpoiSX8F/u6/1YbCtgRUSXEF1LLWdYiL6aosUJ4P3yzbsYo:bcpoidFfYbCW7UF1LLWqmZY
Score

1^/10
behavioral22
- Target
  
  __x64___setup___x32__/vmrdvcore/vmrdvcore.dll
- Size
  
  448KB
- MD5
  
  c13f52b8a6dad68ea53449f82656b0ff
- SHA1
  
  8b71c7aeb4e31152c275fa4c1ca392dc87154406
- SHA256
  
  205d81f292a54c6583e4dffc26922690e5771cb9cbcdea8193f3b37a5deb50b0
- SHA512
  
  2a22a55a9dcb94424c07a1209e1daa85532be7a4b30f8ae9848772518ca0ff932ac171661057f73e39a22433f09cec5e8a9be9792b8c25c7d550643ac2d582dc
- SSDEEP
  
  6144:s/QgOQa/pXgnyqe+YP6CJSJ/MWF++WbhT+0WPSn0Eh3qLBp5HVVTClD83FLOsxtw:sHYSYPR6/z+Z5DOBpF//7/Y5
Score

1^/10
behavioral23

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Event Triggered Execution: Component Object Model Hijacking

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23