General
Target: DHL Original Documents.exe
Size: 1.6MB
Sample: 230202-l175sahf6y
MD5: d5f655c18e77f7d4dc38b04bf81f10df
SHA1: c7bc5dfdec5077713bc6e5fc8b45f20db32a3d9e
SHA256: 7d65d55e566e6833b59107fe3cdfc837a922a1f83ec41f009365b18645427f26
SHA512: 14e21567e2c049979d63384218e42330bf2d123cd9ff76d40d32a7ae394268060f2ccda08839e1c27c192961a7cab8c8a0778c147bea798a29ac8165cb0ece05
SSDEEP: 49152:dxYtuXBU56+dt4s57ICyvxrSlI3Hm7zp7T54:gtuqrdKsB0SS36p76
Static task: static1
Behavioral task: behavioral1 (sample: DHL Original Documents.exe, resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: DHL Original Documents.exe, resource: win10v2004-20221111-en)
Malware Config
Targets
Target: DHL Original Documents.exe
Size: 1.6MB
MD5: d5f655c18e77f7d4dc38b04bf81f10df
SHA1: c7bc5dfdec5077713bc6e5fc8b45f20db32a3d9e
SHA256: 7d65d55e566e6833b59107fe3cdfc837a922a1f83ec41f009365b18645427f26
SHA512: 14e21567e2c049979d63384218e42330bf2d123cd9ff76d40d32a7ae394268060f2ccda08839e1c27c192961a7cab8c8a0778c147bea798a29ac8165cb0ece05
SSDEEP: 49152:dxYtuXBU56+dt4s57ICyvxrSlI3Hm7zp7T54:gtuqrdKsB0SS36p76
Score: 10/10
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an information stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
  A process is created with a parent other than the caller (parent PID spoofing), which breaks naive parent/child process-tree analysis.
- Executes dropped EXE
  An executable written to disk during the run is then launched.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
  A DLL written to disk during the run is then loaded.
- Accesses Microsoft Outlook profiles
  Reads Outlook profile data, typically to harvest stored mail account credentials.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: hides threads from an attached debugger.
- Suspicious use of SetThreadContext
  Rewrites another thread's execution context, a common step in process hollowing and injection.
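To act on the hashes above, the following added example (my code, not part of the sandbox report and not from the Rhadamanthys sample or any tooling the report describes) computes MD5, SHA1, SHA256 and SHA512 of a local file in chunks and compares them against the report's values. It classifies the result as a full match, a partial match (which points at a transcription error in the IOC list rather than at the sample) or no match. The `REPORT_IOCS` dictionary holds the digests copied from this report; SSDEEP is omitted because fuzzy hashing is not in the Python standard library. All function names are my own.

```python
"""Check a local file against the hash IOCs listed in this sandbox report."""
import hashlib
import sys

# Digests copied from the report above. The sample itself is not included here.
REPORT_IOCS = {
    "md5": "d5f655c18e77f7d4dc38b04bf81f10df",
    "sha1": "c7bc5dfdec5077713bc6e5fc8b45f20db32a3d9e",
    "sha256": "7d65d55e566e6833b59107fe3cdfc837a922a1f83ec41f009365b18645427f26",
    "sha512": (
        "14e21567e2c049979d63384218e42330bf2d123cd9ff76d40d32a7ae394268060f"
        "2ccda08839e1c27c192961a7cab8c8a0778c147bea798a29ac8165cb0ece05"
    ),
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file with all algorithms in one pass, reading it in 1 MiB chunks
    so large samples are not loaded into memory at once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Return the algorithms whose digest equals the IOC value.
    Comparison is case-insensitive because reports mix upper/lower hex."""
    return [
        algo
        for algo in ALGORITHMS
        if algo in iocs and digests.get(algo, "").lower() == iocs[algo].lower()
    ]


def classify(digests: dict, iocs: dict = REPORT_IOCS) -> str:
    """'match' when every algorithm present in the IOC set agrees,
    'partial' when only some do (suspect a mistyped IOC, not a collision),
    'no-match' otherwise."""
    expected = [algo for algo in ALGORITHMS if algo in iocs]
    matched = match_iocs(digests, iocs)
    if not matched:
        return "no-match"
    if len(matched) == len(expected):
        return "match"
    return "partial"


if __name__ == "__main__":
    # Usage: python check_iocs.py <file>
    target = sys.argv[1]
    digests = hash_file(target)
    for algo in ALGORITHMS:
        print(f"{algo:7s} {digests[algo]}")
    print("verdict:", classify(digests))
```

A partial verdict is worth a second look before dismissing a file: if MD5 matches but SHA256 does not, the most likely explanation is a copy error in whichever hash was pasted into the IOC list, so re-check the report rather than trusting either value alone.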