General
- Target: PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe
- Size: 1.6MB
- Sample: 230327-yldc3sha51
- MD5: 0fdfe42750d9a51d9f3007ae5153fac6
- SHA1: 74ecf809721f871ec47187716a55101ca2c7e51a
- SHA256: b80c6077ed4c9814a995b866297e0e522c9d23917370767ff05e951ca9412e93
- SHA512: fe24ea45c03c97752930d8892fc1f83e197b6d5fc1026b717220cf4fd088b69a5079d1e2d3780d8c6691e251cb097675f9554e548fc4c0fd8ed8bf8c9ca32689
- SSDEEP: 49152:KksJ9boYkPQjKjfJQlunr1aJim51hdEDer/W9eBgA:k98AKbfr1aJP1EarxBg
Static task: static1
Behavioral task: behavioral1
- Sample: PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: vidar
- 3.1
- ba1fc89d9f7df84dadf34886aabb246c
- https://t.me/owned001
- http://65.109.236.2:80
- https://t.me/tabootalks
- https://steamcommunity.com/profiles/76561199472266392
- http://135.181.26.183:80
- profile_id_v2: ba1fc89d9f7df84dadf34886aabb246c
- user_agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79
Targets
- Target: PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe (size and hashes as listed under General)
- Detect rhadamanthys stealer shellcode
- Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of SetThreadContext