General

  • Target

    S500 RAT (3).zip

  • Size

    43.3MB

  • Sample

    231102-v8b7radb8z

  • MD5

    345a37c6bcd0ce82aa0eb4b339a99ecc

  • SHA1

    3056b6855d0f359485c037de1673786f000c78c9

  • SHA256

    eb5e0956e26576d0c02cd7749476a564bd8671375ccca863efaa7347235fdb7d

  • SHA512

    1741db005d19d23cdfba33952eb4d44d460ab540ef4151b4ffd17a8c72c37a729d0d01e94985a5f295b92865d90037c03d09bb65cedb80423cfe4cc4de319239

  • SSDEEP

    786432:StSrIAPWJhZ1SYMZgUxXxPfB4X0U7hQ0bbJLl8VNevlP3y5sxC4f:SwrVWhfYxP54h7hQILl8VuY5sYo

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://pastebin.com/raw/p2s7tDSd

Targets

    • Target

      S500 RAT (3).zip

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks