General

  • Target

    file.exe

  • Size

    5.0MB

  • Sample

    230130-kep7eahg35

  • MD5

    d384b4d1d761853f01257a96d02e8300

  • SHA1

    d33265591eedddf7d7af5a932bc8e4e4a2229e6c

  • SHA256

    ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317

  • SHA512

    7b6be8dbcb0875f6c16f28a8594cdfe895902b09252b4631c4181baedaa4bf9159920f045f254f4c51be34aa9ad70e6a2c3630cd4d0e4dd6a046998b67e108bb

  • SSDEEP

    98304:adFwHQR3l8sa3HlTKPGmrI2TpY8g26sTYlt4b8nXE:arR7a3lTKualK8g2/Tm4z

Malware Config

Targets

    • Detect rhadamanthys stealer shellcode

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry

    T1012 (1)

  • Peripheral Device Discovery

    T1120 (1)

  • System Information Discovery

    T1082 (1)

Tasks