General
- Target: 10FpDvByrqvHWUgFegBMjMmEkh.bat
- Size: 189KB
- Sample: 230419-tknefabg49
- MD5: 98b57df374d3888660dca7b8707aa9e5
- SHA1: 4afb4626817228104bd752ba38650cef356e9afc
- SHA256: 23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1
- SHA512: a21e4b1af9ddc7731356109bc1f2f75615db963e34666216c46e7b14bf28ac7f7c8432c060a2b67335111cf434cefa90de0e79e9b7c54a996c38d1fc79f26931
- SSDEEP: 3072:jJ6sy+qsWPFiC5x1ElXP6RxLVYJdq7GOngOIxKtQPula2Mjr/L7pcTDlXMW5aOcT:hYs21xCIjLquDlIx91n/LCTDlXXHW
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 10FpDvByrqvHWUgFegBMjMmEkh.bat
  - Resource: win7-20230220-en

Behavioral task
- behavioral2
  - Sample: 10FpDvByrqvHWUgFegBMjMmEkh.bat
  - Resource: win10v2004-20230220-en
Malware Config
- Extracted family: rhadamanthys
- C2 URL: http://185.224.129.51:8080/modlib/o6u3ke.661c
Targets
- Target: 10FpDvByrqvHWUgFegBMjMmEkh.bat
Score: 10/10

Signatures
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger