rhadamanthys | b80c6077ed4c9814a995b866297e0e522c9d23917370767ff05e951ca9412e93 | Triage

Submit
Reports

Overview

overview

Static

static

1

PROFORMA 1...in.exe

windows7-x64

1

PROFORMA 1...in.exe

windows10-2004-x64

Sharing

General

Target

PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe
Size

1.6MB
Sample

230327-yldc3sha51
MD5

0fdfe42750d9a51d9f3007ae5153fac6
SHA1

74ecf809721f871ec47187716a55101ca2c7e51a
SHA256

b80c6077ed4c9814a995b866297e0e522c9d23917370767ff05e951ca9412e93
SHA512

fe24ea45c03c97752930d8892fc1f83e197b6d5fc1026b717220cf4fd088b69a5079d1e2d3780d8c6691e251cb097675f9554e548fc4c0fd8ed8bf8c9ca32689
SSDEEP

49152:KksJ9boYkPQjKjfJQlunr1aJim51hdEDer/W9eBgA:k98AKbfr1aJP1EarxBg

Score

10^/10

rhadamanthys vidar ba1fc89d9f7df84dadf34886aabb246c collection spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe

Resource

win7-20230220-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe

Resource

win10v2004-20230220-en

rhadamanthys vidar ba1fc89d9f7df84dadf34886aabb246c collection spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

vidar

Version

3.1

Botnet

ba1fc89d9f7df84dadf34886aabb246c

C2

https://t.me/owned001

http://65.109.236.2:80

https://t.me/tabootalks

https://steamcommunity.com/profiles/76561199472266392

http://135.181.26.183:80

Attributes

profile_id_v2
ba1fc89d9f7df84dadf34886aabb246c
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Targets

- Target
  
  PROFORMA 18.exe_0x2ae6000-0x19b000.bin.exe
- Size
  
  1.6MB
- MD5
  
  0fdfe42750d9a51d9f3007ae5153fac6
- SHA1
  
  74ecf809721f871ec47187716a55101ca2c7e51a
- SHA256
  
  b80c6077ed4c9814a995b866297e0e522c9d23917370767ff05e951ca9412e93
- SHA512
  
  fe24ea45c03c97752930d8892fc1f83e197b6d5fc1026b717220cf4fd088b69a5079d1e2d3780d8c6691e251cb097675f9554e548fc4c0fd8ed8bf8c9ca32689
- SSDEEP
  
  49152:KksJ9boYkPQjKjfJQlunr1aJim51hdEDer/W9eBgA:k98AKbfr1aJP1EarxBg
Score

10^/10

rhadamanthys vidar ba1fc89d9f7df84dadf34886aabb246c collection spyware stealer
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

rhadamanthysvidarba1fc89d9f7df84dadf34886aabb246ccollectionspywarestealer

© 2018-2024

Terms | Privacy