General

  • Target

    10FpDvByrqvHWUgFegBMjMmEkh.bat

  • Size

    189KB

  • Sample

    230419-tknefabg49

  • MD5

    98b57df374d3888660dca7b8707aa9e5

  • SHA1

    4afb4626817228104bd752ba38650cef356e9afc

  • SHA256

    23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1

  • SHA512

    a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931

  • SSDEEP

    3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW

Malware Config

Extracted

Family

rhadamanthys

C2

http://185.224.129.51:8080/modlib/o6u3ke.661c

Targets

    • Target

      10FpDvByrqvHWUgFegBMjMmEkh.bat

    • Size

      189KB

    • MD5

      98b57df374d3888660dca7b8707aa9e5

    • SHA1

      4afb4626817228104bd752ba38650cef356e9afc

    • SHA256

      23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1

    • SHA512

      a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931

    • SSDEEP

      3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
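The signatures above describe what the dropped executable did; the Malware Config section gives the C2 it contacted. The following is an added example, not part of the Triage report and not Rhadamanthys code: a small Python triage script that replays API-trace records of the kind a sandbox emits and raises the same findings (anti-VM registry lookups, ThreadHideFromDebugger, contact with the extracted C2) per process. The report names only the signatures; the concrete registry paths used for each one are this example's assumption, based on the standard artefacts each hypervisor leaves behind. The trace lines and their `pid=… api=… key="…"` format are constructed for the example, and the scoring thresholds are illustrative.

```python
"""Replay sandbox-style API trace lines and report anti-analysis behaviour
and C2 contact per process. Added example; the trace format, the registry
path mapping and the scoring thresholds are assumptions of this example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# C2 extracted by the sandbox (taken from the Malware Config section above).
C2_URL = "http://185.224.129.51:8080/modlib/o6u3ke.661c"

# Registry locations assumed to underlie each signature named in the report.
# Matching is longest-prefix, so a query under ...\System\BIOS is reported as
# the BIOS check rather than the more general system-information check.
ANTI_ANALYSIS_KEYS = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "Looks for VirtualBox Guest Additions in registry",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "Identifies VirtualBox via ACPI registry values",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "Looks for VMware Tools registry key",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": "Checks BIOS information in registry",
    r"HKLM\HARDWARE\DESCRIPTION\System": "Checks system information in the registry",
    r"HKCU\Control Panel\International\Geo\Nation": "Checks computer location settings",
}
C2_PREFIXES = ("Connects to", "Requests C2")

# Constructed trace: pid 4120 behaves like the dropped EXE, pid 884 is benign.
SAMPLE_TRACE = r'''
pid=4120 api=RegOpenKeyExW key="HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
pid=4120 api=RegOpenKeyExW key="HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
pid=4120 api=RegQueryValueExW key="HKLM\HARDWARE\ACPI\DSDT\VBOX__" value="00000000"
pid=4120 api=RegQueryValueExW key="HKLM\HARDWARE\DESCRIPTION\System\BIOS" value="SystemBiosVersion"
pid=4120 api=RegQueryValueExW key="HKCU\Control Panel\International\Geo\Nation" value="Nation"
pid=4120 api=NtSetInformationThread class=ThreadHideFromDebugger
pid=4120 api=InternetConnectA host="185.224.129.51" port=8080
pid=4120 api=HttpOpenRequestA path="/modlib/o6u3ke.661c"
pid=884 api=RegQueryValueExW key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" value="ProductName"
'''.strip().splitlines()

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one trace line into a dict of its fields."""
    return {k: (quoted or bare) for k, quoted, bare in _FIELD.findall(line)}


def classify_registry(key):
    """Return the signature for the longest monitored prefix matching key, else None."""
    key_cf = key.casefold()
    best = None
    for prefix, name in ANTI_ANALYSIS_KEYS.items():
        p = prefix.casefold()
        if key_cf == p or key_cf.startswith(p + "\\"):
            if best is None or len(p) > best[0]:
                best = (len(p), name)
    return best[1] if best else None


def c2_indicators(url):
    """Split the extracted C2 URL into the host, port and path to match on."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"host": u.hostname, "port": port, "path": u.path}


def analyse(lines, c2_url=C2_URL):
    """Collect signatures per pid and assign a verdict.

    A connection to the extracted C2 host:port is treated as conclusive.
    Registry probes alone need three or more distinct hits, because a single
    BIOS or system-information read is common in legitimate software."""
    c2 = c2_indicators(c2_url)
    per_pid = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if "pid" not in ev:
            continue
        sigs = per_pid[ev["pid"]]
        api = ev.get("api", "")
        if api.startswith("Reg") and "key" in ev:
            name = classify_registry(ev["key"])
            if name:
                sigs.add(name)
        elif api == "NtSetInformationThread" and ev.get("class") == "ThreadHideFromDebugger":
            sigs.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        elif ev.get("host") == c2["host"] and str(ev.get("port", "")) == str(c2["port"]):
            sigs.add(f"Connects to Rhadamanthys C2 {c2['host']}:{c2['port']}")
        elif ev.get("path") == c2["path"]:
            sigs.add(f"Requests C2 path {c2['path']}")

    results = {}
    for pid, sigs in per_pid.items():
        c2_contact = any(s.startswith("Connects to") for s in sigs)
        anti = sum(1 for s in sigs if not s.startswith(C2_PREFIXES))
        verdict = "malicious" if c2_contact or anti >= 3 else "suspicious" if anti else "benign"
        results[pid] = {"signatures": sorted(sigs), "c2_contact": c2_contact,
                        "anti_analysis_count": anti, "verdict": verdict}
    return results


if __name__ == "__main__":
    for pid, r in analyse(SAMPLE_TRACE).items():
        print(pid, r["verdict"], r["anti_analysis_count"], "anti-analysis signature(s)")
        for s in r["signatures"]:
            print("   ", s)
```

Pointing `analyse()` at a real trace only requires adapting `parse_event()` to the sandbox's own record format; the per-signature mapping and the C2 indicators stay as they are. The C2 host:port check is exact on purpose, since the extracted configuration is a high-confidence indicator, while the registry heuristic is deliberately conservative.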
