General
-
Target
S500 RAT.zip
-
Size
39.8MB
-
Sample
230719-kd4y6sae2y
-
MD5
c5b6064eeaad1512e41bec876edb841a
-
SHA1
6c0130fac50c817d66984eee85fcb716809a011d
-
SHA256
252f05ddd2c8c287399c0b414783eb7702e02e80979c974cde40bedee2c8f851
-
SHA512
8723e05c9581776e8fce43ef4ede497738f350dfd7d1bffdb8e69cd52d38037b1c8af2cfd78697c0d2b251e80af8ed6f176f252fd617f18c276bc54b03a7114e
-
SSDEEP
786432:BJ6WYMZgUwYUWJhZ1REBG0y5sxulIUHHYihQD33zWUfVJxfbiv7Oe:BJe/WhfR15sYlXhhQDq0Bbo7Oe
Behavioral task
behavioral1
Sample
S500 RAT/S500RAT.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
S500 RAT/S500RAT.exe
Resource
win10-20230703-en
Behavioral task
behavioral3
Sample
S500 RAT/S500RAT.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
https://pastebin.com/raw/p2s7tDSd
Targets
-
-
Target
S500 RAT/S500RAT.exe
-
Size
17.8MB
-
MD5
e5f9792d0889af4fb6c295c5e0d74cee
-
SHA1
1aabebd0923a3e4e1772b48294c7b0fc86973e71
-
SHA256
c5f99ca677d1b5aade06ab17adfa2a5c064c89e2f52875aefbca071ae2189f7f
-
SHA512
4290a88de6fb0e6f851beff8577467760d1fa6afeda0d8a0afd50f6f7ad77d3960c0742260bdc87154c828a67f5807680dc8093386bbcd0ab97ccf8091b1b288
-
SSDEEP
196608:mrT0y2MuVNz+K4rG0y2MuVNz+Kk0y2MuVNz+KN0y2MuVNz+KLiAB7Z0/slzLIWAJ:STdQVN4GdQVNAdQVNRdQVNfBd+2LzM9
Score10/10-
Detect rhadamanthys stealer shellcode
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-