General
- Target: ad1c52735563cbaa8c4a3d0edcc4d9c7.bin
- Size: 1.2MB
- Sample: 230420-b68cmaeg58
- MD5: 6b17894ea8895e2b6231c2fb74823307
- SHA1: 61d736ae25002abc1b0546512274e96bb9b80fcb
- SHA256: 6d7d9a05a714f322699699516e1ee6ecb4f3a1358c2eab9a008b726a3b67d033
- SHA512: 1004f484be3b363a6866c786652b96a11439d99107f02a2306fa6aeda700a948d1ca8d1566d16e7c84519f916ba2991e9b234259d6b6748e564ac0fd5cecb932
- SSDEEP: 24576:wvOH9kXbuqfLXb2P/kPy9tOMfbqTaRxuzoU6pb5BkX53MGBhnPcno:wvy9kXbHfLr2/kPbSqWyMU6pb5C6GBh9

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f.exe
  - Resource: win7-20230220-en

Behavioral task
- behavioral2
  - Sample: 2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f.exe
  - Resource: win10v2004-20230220-en

Malware Config
- Extracted: amadey 3.70, 212.113.119.255/joomla/index.php

Targets
- Target: 2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f.exe
- Size: 1.2MB
- MD5: ad1c52735563cbaa8c4a3d0edcc4d9c7
- SHA1: 4df0834857c2bd58db0f61a9f423f9d7da853c8f
- SHA256: 2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f
- SHA512: 78be898eb27f72ea6d9647001a7f111a6209ada02dfe1f6a7ffdaa45c3e4126e7b11c654c871d5a6dd132e5f0e1b08ffe341a7aaa4ede835af71054886e456b5
- SSDEEP: 24576:2ytjNnRWhcjbQZ4VY58BroyjKlZQdiXxJA5gsuOKJ7z3HFuBpQXCbzrVNXk:FtfWhw+yjK7+iXxJbaKJfHFuDSgnXX

Signatures
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.