General

  • Target: S500 RAT.zip
  • Size: 39.8MB
  • Sample: 230719-kd4y6sae2y
  • MD5: c5b6064eeaad1512e41bec876edb841a
  • SHA1: 6c0130fac50c817d66984eee85fcb716809a011d
  • SHA256: 252f05ddd2c8c287399c0b414783eb7702e02e80979c974cde40bedee2c8f851
  • SHA512: 8723e05c9581776e8fce43ef4ede497738f350dfd7d1bffdb8e69cd52d38037b1c8af2cfd78697c0d2b251e80af8ed6f176f252fd617f18c276bc54b03a7114e
  • SSDEEP: 786432:BJ6WYMZgUwYUWJhZ1REBG0y5sxulIUHHYihQD33zWUfVJxfbiv7Oe:BJe/WhfR15sYlXhhQDq0Bbo7Oe

Malware Config

Extracted

  • Language: ps1
  • Source: ps1.dropper
  • URLs: https://pastebin.com/raw/p2s7tDSd

Targets

    • Target: S500 RAT/S500RAT.exe
    • Size: 17.8MB
    • MD5: e5f9792d0889af4fb6c295c5e0d74cee
    • SHA1: 1aabebd0923a3e4e1772b48294c7b0fc86973e71
    • SHA256: c5f99ca677d1b5aade06ab17adfa2a5c064c89e2f52875aefbca071ae2189f7f
    • SHA512: 4290a88de6fb0e6f851beff8577467760d1fa6afeda0d8a0afd50f6f7ad77d3960c0742260bdc87154c828a67f5807680dc8093386bbcd0ab97ccf8091b1b288
    • SSDEEP: 196608:mrT0y2MuVNz+K4rG0y2MuVNz+Kk0y2MuVNz+KN0y2MuVNz+KLiAB7Z0/slzLIWAJ:STdQVN4GdQVNAdQVNRdQVNfBd+2LzM9

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks