rhadamanthys | empire loader[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

empire loader.exe
Size

10.0MB
MD5

0c8450739101fdeeab312e02614d9801
SHA1

cfac800c9117836998e9a6f14eb4e2435a636f43
SHA256

d1025185063899c8af7f7914e333020c43fdcd13bb9c1b130f89cea8334a6de3
SHA512

22488d9a8e973022a569e4699b6efed6132c2280f3521a6e2ae2d3e8aec754a3a08cfa9e61c69c0cc46dc6d08dc168e14e3de65a567d41530513ea90fef0d745
SSDEEP

6144:UC1N40Fnr0602TzhldWqIk6jKSxPMkPOR0D:UC1VFng60OCHNMNKD

Score

10^/10

rhadamanthys

Malware Config

Extracted

Family

rhadamanthys

http://91.202.5.208/blob/yqpm75.kqll

Signatures

Rhadamanthys family
rhadamanthys

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
empire loader.exe

Files

empire loader.exe
.exe windows:4 windows x86

e382229cbe1cfe84b080e0a3eda013fc

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateIoCompletionPort
CloseHandle
GetLastError
GetQueuedCompletionStatus
IsBadReadPtr
VirtualQuery
GetSystemInfo
IsBadStringPtrA
IsBadCodePtr
HeapCreate
InterlockedIncrement
GetProcessHeap
HeapDestroy
ExitProcess
GetTickCount
lstrlenA
HeapFree
HeapReAlloc
GetModuleHandleA
HeapAlloc
LoadLibraryA
VirtualAlloc
GetOEMCP
GetACP
GetCPInfo
LCMapStringW
LCMapStringA
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetStartupInfoA
GetCommandLineA
GetVersion
InterlockedDecrement
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
GetProcAddress
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
VirtualFree
RtlUnwind
WriteFile

user32

PeekMessageW
CreateDialogParamW
DrawTextW
IsDialogMessageW
ShowWindow
TranslateMessage
DispatchMessageW

gdi32

DeleteObject
CreateBitmap
CreatePen
CreateCompatibleBitmap
CreateCompatibleDC
CreateRectRgn
DeleteDC
BitBlt

ole32

CoTaskMemFree
CoUninitialize
CoTaskMemAlloc
CreateStreamOnHGlobal
CoInitializeEx

shell32

DragQueryFileW
DragAcceptFiles
DragFinish
CommandLineToArgvW

winmm

timeEndPeriod
timeGetTime
timeBeginPeriod

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

e382229cbe1cfe84b080e0a3eda013fc

Headers

File Characteristics

Imports

kernel32

user32

gdi32

ole32

shell32

winmm

Sections

.text Size: 36KB - Virtual size: 32KB

.rdata Size: 144KB - Virtual size: 141KB

.data Size: 12KB - Virtual size: 13KB

.reloc Size: 8KB - Virtual size: 4KB

.text
Size: 36KB - Virtual size: 32KB

.rdata
Size: 144KB - Virtual size: 141KB

.data
Size: 12KB - Virtual size: 13KB

.reloc
Size: 8KB - Virtual size: 4KB