General

  • Target

    ef96ea9d761ec459eb56e90de234f02b97319608fd1630ff86d845c37df5db61

  • Size

    120.2MB

  • Sample

    230307-2c8peace42

  • MD5

    9dc6bdec4dbf3cb37b292ab45a37ab8d

  • SHA1

    f9d264eae0c4d8680fa3eaa84dd19aaa443c4b58

  • SHA256

    ef96ea9d761ec459eb56e90de234f02b97319608fd1630ff86d845c37df5db61

  • SHA512

    2c8c0d9533dd14479c24aa7bb4066efb56e61d8e70f84dc476ab19b2ab67e5e3c777b4ea5074495fa04751da0704ad7edd08be8afcd0cf121506cf256fa402df

  • SSDEEP

    3072:T1AM3sFr0520YzR03tJYzgzEcyZ1arl+pHSu1CYLbwSzXsGqVF2CsS0P1:TlcFC2jO3tJ0WEckC+cu1CYLoTdq

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.68

  • C2

    85.31.45.199/dF30Hn4m/index.php

Targets

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks