rhadamanthys | hxxps://playit[.]gg | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://playit.gg

windows10-2004-x64

Resubmissions

17-07-2023 10:06

230717-l5ap3sbh9s 8

16-07-2023 21:42

230716-1kr6ysgg98 10

16-07-2023 21:17

230716-z49dxahf31 10

Sharing

General

Target

https://playit.gg
Sample

230716-1kr6ysgg98

Score

10^/10

rhadamanthys evasion persistence stealer

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://playit.gg

Resource

win10v2004-20230703-en

rhadamanthys evasion persistence stealer

windows10-2004-x64

22 signatures

1800 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/zaCgrR02

Targets

- Target
  
  https://playit.gg
Score

10^/10

rhadamanthys evasion persistence stealer
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

urlscan1

behavioral1

rhadamanthysevasionpersistencestealer

© 2018-2025

Terms | Privacy