Overview

overview

10

Static

static

3

R6-Hack-ma...47.dll

windows10-2004-x64

10

R6-Hack-main/r6s.exe

windows7-x64

10

R6-Hack-main/r6s.exe

windows10-2004-x64

10

R6-Hack-ma...ge.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    R6-Hack-main.zip

  • Size

    10.3MB

  • Sample

    240704-alwyesterp

  • MD5

    faba234bc92f7badff696e92958031fc

  • SHA1

    605732ac272cb3496ace7515bf02566f901dd29d

  • SHA256

    553e980d8aef3f48b9b932c6379534ef324e595f9755b9b86001fd87b903ad0b

  • SHA512

    586143e61de38c1b5c691b665417c1f65eaf44ecd9263ec57f25c03a859bfb8675938b6b381b9535103e18338f4d28562cecadb428a8bb26e783e77a2565899e

  • SSDEEP

    196608:LxEfbE1cV/xZscC9D6KoGTFeliYVlnQsRCXlZz4mK/NQ6qJRpG:NgEyVW9D6Id2CVZsH0J+

Score
10/10
redlinerhadamanthysdiscoveryexecutioninfostealerspywarestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Targets

    • Target

      R6-Hack-main/d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    10/10
    redlinerhadamanthysdiscoveryexecutioninfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

    • Target

      R6-Hack-main/r6s.exe

    • Size

      7KB

    • MD5

      b5e479d3926b22b59926050c29c4e761

    • SHA1

      a456cc6993d12abe6c44f2d453d7ae5da2029e24

    • SHA256

      fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

    • SHA512

      09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

    • SSDEEP

      192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

    Score
    10/10
    executionredlinerhadamanthysdiscoveryinfostealerspywarestealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral2behavioral3

    • Target

      R6-Hack-main/r6siege.dll

    • Size

      20.8MB

    • MD5

      ab2cc84a98d05ab8b540a9ad3a48ab15

    • SHA1

      d59736cefc5bb2d6fc429a5027bbb5b69039b555

    • SHA256

      3e41929571bd1307e71bc851dfe7a37c8657bb16a8387217e09660c46e8b57b3

    • SHA512

      84bc192b9232dbc427c2fb7d98727960f6f57fe769e097cfe8581feb778b54df8a6aaa8faac5cc060a2c137e10208e47a5529551aacde345a8fb2152796ebc47

    • SSDEEP

      393216:AUWnI3LyrngF82KMV+mQvB0WK0j6DWu016PN:srnFj6DWuo6l

    Score
    1/10
    behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

3
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

2
T1102

Impact

Resource Development

Reconnaissance

Tasks